Analysis
-
max time kernel
897s -
max time network
909s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-08-2024 10:38
Errors
General
-
Target
adw.exe
-
Size
110KB
-
MD5
873d23b0d914da099007377274719e4e
-
SHA1
e821620eecd5231f8e529fd2496fee2ab07e34ff
-
SHA256
9615a875deff7d17a7ca2d968bf3b65360d1f6f58babb85db3f158ffbe50fa3b
-
SHA512
591d3de2e2c474d8bedbd9ebbc7d262aadec3a995f5437bd5adf8de8210f45b671622938629aa73d6fca39718df4c2833a42ff557e8818fe4cc65a29e73c006c
-
SSDEEP
1536:feOqrr19/Rt4mfKCAZKm+WVrB392RN6QWSOgqJEwKXONRl75X2iOb23lMgq59MF:WDvZiotm+Wxh4mQWSASIl75lOELFF
Malware Config
Extracted
xworm
dead-he.gl.at.ply.gg:57200
-
Install_directory
%Public%
-
install_file
svchost.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops file in Drivers directory 1 IoCs
-
Possible privilege escalation attempt 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 16 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\adw.exe"C:\Users\Admin\AppData\Local\Temp\adw.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tphpqgex\tphpqgex.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB910.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D2242B2174E4E6999F64E721FBAFB3.TMP"4⤵
-
-
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad ISEEYOU!.txt4⤵
-
-
C:\Windows\system32\notepad.exenotepad ISEEYOU!.txt4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im notepad.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System324⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls /grant Admin:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /grant Admin:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"3⤵
-
-
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Scripting
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1KB
MD5e7ad56e0ce179f0dc3ea4efcad812897
SHA17b3cedcd434b9f5b67f3e047e782c8b8abbd736f
SHA2567a86deeb1d8df78aad588827652cadb7f0101f03e2980735b3340b11efc42733
SHA5122bced71efde8101b5a56cd7e29e72693ae62d03b40911e0ba1e3fa701e332de3ec66a4011d44366a69cf6580db2a05d8e8d92e917a3d3d5f05222493a3d3b0c4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
392B
MD545eca2df14237e5c950c802cfde11aaf
SHA1a0f28115fbd8641d21d2520c046a6043db92681c
SHA2569d536a412032ad2a3a09d56d8a769d5efe6f1d1d8939b1c40d3cfad6c7a94598
SHA5127b429e85865cfcc9692b06447289c25b38d153fb557c34931c1c995f5fc19b119eda0e387c62292f1f24cecc9cf6c5d81ea9e40efb7e41aa805050e65c7f3c6c
-
Filesize
313B
MD5b7e215b1ed2ecae8d5b613d0d03707f9
SHA16bb8a7cf252fb79bf4ce912ccfa3e0849f3e34af
SHA256d11fff319555946c7eec5fbc677ba796b8816592a52f8f3a67a284c9a7efc5c8
SHA51288fb38df612f2bf12f3d7ec6a31baa56e3939667be92f92650a5479bb29bdfea5ed00c60f6d3ea9dffe8e343ab976027d1065abae9c3f6674d2f4849eda163c8
-
Filesize
6KB
MD5fabc547f31c44c55cffaded5be94c8c4
SHA1babcadd7650d2a769c837142a320b36a28dffaba
SHA2568148478faa92154b5895fd9cfc5bb9947a334d7bc17119095c87a9d4acf9ba85
SHA51218eefce78004589241acf70130cd3751005b3cb34207fe18bb42dddd39d1b320722cc7643324a3edeec4fd739e71c6a714cc24f6c9d6539b1c2925275024e0c8
-
Filesize
1KB
MD518e25637c536d026923bb26d664aca54
SHA15f84d16bab940b7b735c7471875915e8c29f3e7a
SHA25678927921686b59efa3066668ebf457b5741685acd4da5a8382b56fbbc1c5e72e
SHA512e6f9b88c2239899d519ae08e0efb7f1c46d4d0277419a63b09b7c75807d8fb7f928339ff102daa058d20ee6686c1ebbc52da1c226300813edf950e58402b3ff9
-
Filesize
93KB
MD58d04dd1724cebcf83c6444a89f3cc284
SHA1f3c70909956bbfb7807bfc816d198e8aa2d4928c
SHA256c693a093fac8ddbfe9e2ba991df7fd70e685bad91ade6e9193802dabe8b64162
SHA512f4582b3f8d98516cdbf77efb9acfd27b9cf687cdf75291b3f3bcb474a91f04947fbe6845c699e6abe9935c5a6089fde2ef256ee98fa512f8a3ce6c81d5f57e1c
-
Filesize
21B
MD5e037958494f34df0ca377f83b3bb4198
SHA1de502550a60da4925a82ba596e7f1bba24b8f28d
SHA25618d60db1d85a47779296abb3a2e4121ccb4942b3f87b190be09d4eed3bcc3aa4
SHA512b860146c3784a1164bd5769cc208c45c05bd2c5bb1ff12f9bbf52271f10f024e18be65b9290a4169448a134b7d76244aa84833ae2df50a00fa2404d36b11d298
-
Filesize
19B
MD57072efed0f9baa6babdf51280b579d75
SHA1a63fd3866ee00d865b76c1d578fc219d31a1e210
SHA2567f6eaf2daf71011798d879cfa9b7945cf97e39ae04887130e83e16b36ad5dd65
SHA5125add0bf2af996425d63375ba0a0a2a140a59588b05221929c4e971e9e2bea6faf56d9ef01b5cee23e4b21603345a2008fca9354d89fd95856dbdd3e00143c63c
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
8KB