Overview

overview

10

Static

static

10

SysNoti.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SysNoti.exe

  • Size

    39KB

  • Sample

    240816-h7zkfasclh

  • MD5

    6201104487f50867afc28079c841680f

  • SHA1

    2337f298ffbda6d628482f8fa42634b3db3ee552

  • SHA256

    b3c0c874e28b32b4b35ec578e4e3c59988b8c0c584a2301ea7ae34d8febc6ddd

  • SHA512

    de1346c59004ef076bda4e54cca8a8e72b88e997af2a59cc99de997356beef9c0ca3db5d5d39cd14c658822bdebf1dac31ac26361581613eda4440fa05bcdb12

  • SSDEEP

    768:bql27+7rmUmv/NGSxd8wlkBwoscPNCxF5Pq9j/CeF67OMhn33g:2lfrGlGb0/BwAFc9zCeF67OMdQ

Score
10/10
stormkittyxwormpaypalcredential_accessdiscoveryevasionexecutionpersistencephishingprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

take-vocational.gl.at.ply.gg:5524

Mutex

tT1LzH7uphaZavtD

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      SysNoti.exe

    • Size

      39KB

    • MD5

      6201104487f50867afc28079c841680f

    • SHA1

      2337f298ffbda6d628482f8fa42634b3db3ee552

    • SHA256

      b3c0c874e28b32b4b35ec578e4e3c59988b8c0c584a2301ea7ae34d8febc6ddd

    • SHA512

      de1346c59004ef076bda4e54cca8a8e72b88e997af2a59cc99de997356beef9c0ca3db5d5d39cd14c658822bdebf1dac31ac26361581613eda4440fa05bcdb12

    • SSDEEP

      768:bql27+7rmUmv/NGSxd8wlkBwoscPNCxF5Pq9j/CeF67OMhn33g:2lfrGlGb0/BwAFc9zCeF67OMdQ

    Score
    10/10
    stormkittyxwormpaypalcredential_accessdiscoveryevasionexecutionpersistencephishingprivilege_escalationratspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

      evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • Detected potential entity reuse from brand paypal.

      phishingpaypal

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks