Analysis
-
max time kernel
14s -
max time network
15s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2024 02:45
Static task
static1
Behavioral task
behavioral1
Sample
Extreme_Injector_v3 (2).exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Extreme_Injector_v3 (2).exe
Resource
win10v2004-20240802-en
General
-
Target
Extreme_Injector_v3 (2).exe
-
Size
1.9MB
-
MD5
b0c8e9d2acca95a8b5bea83730ea57ef
-
SHA1
6397ca2befa45eb5554d119db79c894f593f9989
-
SHA256
cf7cfe8d3a2b3237eb9515ded19da6c7ef5bc039446275a1b3cc21d1051d250b
-
SHA512
bc9574c10a4eaa0a93719d0e2600d0236255e7b6e4419fcc7230b822a5f10f48503ffaabdbf43aca9284ecb516e0cb61a736bf7ff6e4206d6c9b765a4964cd40
-
SSDEEP
49152:52Zs4je5X9d3RTOQO67S118yYH9n5NtdpVFddPZv8I/WbR5K8RlBUnS:526FX9d3RTHLaYnNtd1ddPZEI/Q5rRl6
Malware Config
Extracted
xworm
5.0
late-unfortunately.gl.at.ply.gg:38601
eW3meCUfK2MhlV9s
-
Install_directory
%Userprofile%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0008000000023443-6.dat family_xworm behavioral2/memory/3176-21-0x00000000001C0000-0x00000000001D0000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation Extreme_Injector_v3 (2).exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk pixel.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk pixel.exe -
Executes dropped EXE 2 IoCs
pid Process 3176 pixel.exe 1980 Extreme Injector v3.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\XClient.exe" pixel.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 raw.githubusercontent.com 8 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3176 pixel.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 3176 pixel.exe Token: SeDebugPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: SeDebugPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: SeDebugPrivilege 3176 pixel.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe Token: 33 1980 Extreme Injector v3.exe Token: SeIncBasePriorityPrivilege 1980 Extreme Injector v3.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1980 Extreme Injector v3.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3176 pixel.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4144 wrote to memory of 3176 4144 Extreme_Injector_v3 (2).exe 83 PID 4144 wrote to memory of 3176 4144 Extreme_Injector_v3 (2).exe 83 PID 4144 wrote to memory of 1980 4144 Extreme_Injector_v3 (2).exe 84 PID 4144 wrote to memory of 1980 4144 Extreme_Injector_v3 (2).exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Extreme_Injector_v3 (2).exe"C:\Users\Admin\AppData\Local\Temp\Extreme_Injector_v3 (2).exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Users\Admin\AppData\Roaming\pixel.exe"C:\Users\Admin\AppData\Roaming\pixel.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3176
-
-
C:\Users\Admin\AppData\Roaming\Extreme Injector v3.exe"C:\Users\Admin\AppData\Roaming\Extreme Injector v3.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5ec801a7d4b72a288ec6c207bb9ff0131
SHA132eec2ae1f9e201516fa7fcdc16c4928f7997561
SHA256b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
SHA512a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac
-
Filesize
40KB
MD55c3686aec36190ba110aac90a3eb6c4b
SHA183c9f6d0e64157953a69d553245960fb4241f4a6
SHA256b17807e731d803c6e0eef24876dd45b3cfd9000fe0f974db0c19e2a948c12db7
SHA512133212c2847a5888ba9daf5fe76338fde3f6032048cdc59f7e953de7dbd1a8f5a2aac17c464ed9bfddbcefe3deffdfe03937aeb264696fc1bb9709c43415f666