Analysis
max time kernel: 146s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 07-08-2024 21:46
Behavioral task behavioral1: Sample Cleaner.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample Cleaner.exe, Resource win10v2004-20240802-en
General
Target: Cleaner.exe
Size: 172KB
MD5: 9229077d00bad648e91aaf30bd096567
SHA1: 83eba361175f6c5dd71f740d527ab853a504d15b
SHA256: 1eca23db92c0319d414040c2ff9a240d57f806290e1f0238d696fea761c5d948
SHA512: a8d6ac08eb8a2d74791238bfd73cda0062ac4a706bba6a61472efd4a062e2e611661a931d0d14a7edd52a833be830c254dbc14b184ae30a013687d547bc105a7
SSDEEP: 3072:IuAN13vRxKBL+b0kb1zehFjO/G16Bz65/M6If+3Js+3JFkKeTnZ:KRYib0y1ihf16xBt25
Malware Config
Extracted family: xworm
C2: 127.0.0.1:1990
Install_directory: %AppData%
install_file: cleaner.exe
Signatures

Detect Xworm Payload (4 IoCs)
resource / yara_rule:
- behavioral1/memory/2480-1-0x0000000000110000-0x0000000000142000-memory.dmp / family_xworm
- behavioral1/files/0x000a000000012286-47.dat / family_xworm
- behavioral1/memory/2952-49-0x0000000000250000-0x0000000000282000-memory.dmp / family_xworm
- behavioral1/memory/1660-54-0x0000000000EB0000-0x0000000000EE2000-memory.dmp / family_xworm

Drops startup file (2 IoCs)
description / ioc / Process:
- File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cleaner.lnk / Cleaner.exe
- File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cleaner.lnk / Cleaner.exe

Executes dropped EXE (2 IoCs)
pid / Process:
- 2952 / cleaner.exe
- 1660 / cleaner.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str) / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe" / Cleaner.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (13 IoCs)
description / ioc / Process:
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings / rundll32.exe
- Set value (str) / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\ / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell\edit\command / rundll32.exe
- Set value (str) / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.tmp\ = "tmp_auto_file" / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell / rundll32.exe
- Set value (str) / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.tmp / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell\edit / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell\open / rundll32.exe
- Key created / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell\open\command / rundll32.exe
- Set value (str) / \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\tmp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" / rundll32.exe

Opens file in notepad (likely ransom note) (2 IoCs)
pid / Process:
- 1304 / NOTEPAD.EXE
- 2880 / NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 2796 / schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
- 2480 / Cleaner.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process:
- 2028 / rundll32.exe
- 1092 / taskmgr.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 2480 / Cleaner.exe
- Token: SeDebugPrivilege / 2480 / Cleaner.exe
- Token: SeDebugPrivilege / 2916 / Cleaner.exe
- Token: SeDebugPrivilege / 2952 / cleaner.exe
- Token: SeDebugPrivilege / 1092 / taskmgr.exe
- Token: SeDebugPrivilege / 2988 / Cleaner.exe
- Token: SeDebugPrivilege / 1660 / cleaner.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
pid / Process:
- 1092 / taskmgr.exe (35 identical entries)

Suspicious use of SendNotifyMessage (35 IoCs)
pid / Process:
- 1092 / taskmgr.exe (35 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 2480 / Cleaner.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 2480 wrote to memory of 2796 / 2480 / Cleaner.exe / 30 (3 identical entries)
- PID 2012 wrote to memory of 2952 / 2012 / taskeng.exe / 40 (3 identical entries)
- PID 2028 wrote to memory of 1304 / 2028 / rundll32.exe / 41 (3 identical entries)
- PID 2012 wrote to memory of 1660 / 2012 / taskeng.exe / 46 (3 identical entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe (PID 2480)
Command line: "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  Child: C:\Windows\System32\schtasks.exe (PID 2796)
  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cleaner" /tr "C:\Users\Admin\AppData\Roaming\cleaner.exe"
  - Scheduled Task/Job: Scheduled Task

C:\Windows\explorer.exe (PID 2840)
Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\rundll32.exe (PID 628)
Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Log.tmp
- Modifies registry class

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe (PID 2916)
Command line: "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\rundll32.exe (PID 2028)
Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Log.tmp
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\NOTEPAD.EXE (PID 1304)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Log.tmp
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\taskeng.exe (PID 2012)
Command line: taskeng.exe {4524951B-01DF-4343-9DC0-AB084FC236BB} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\cleaner.exe (PID 2952)
  Command line: C:\Users\Admin\AppData\Roaming\cleaner.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  Child: C:\Users\Admin\AppData\Roaming\cleaner.exe (PID 1660)
  Command line: C:\Users\Admin\AppData\Roaming\cleaner.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 1092)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe (PID 2988)
Command line: "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE (PID 2880)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Log.tmp
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

File 1
Filesize: 121B
MD5: e2eb1a6cb00b9cc2c5f962153b3e4625
SHA1: d818f7544f3570dd2789a1e82ddafb9138895646
SHA256: 8b00d464aca6fcb30306fe599ced03ab96b3b3b100c51a5caa613ba4c24a6ca1
SHA512: 4a802184057b0d19a81c63aba7a64f0621778ef50cb48e004f13d94d3397a2acc6aaabee7524a34da777bdbb64dcce134b201ece9c6779b8f03c51c0f29422bb

File 2
Filesize: 172KB
MD5: 9229077d00bad648e91aaf30bd096567
SHA1: 83eba361175f6c5dd71f740d527ab853a504d15b
SHA256: 1eca23db92c0319d414040c2ff9a240d57f806290e1f0238d696fea761c5d948
SHA512: a8d6ac08eb8a2d74791238bfd73cda0062ac4a706bba6a61472efd4a062e2e611661a931d0d14a7edd52a833be830c254dbc14b184ae30a013687d547bc105a7