Overview

overview

10

Static

static

3

1c742cf055...72.exe

windows7-x64

10

1c742cf055...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-08-2024 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c742cf055297ced1f29fa5779cfa2c9c53fc64d945d6edd7330beb5f0d88a72.exe

  • Size

    296KB

  • MD5

    7c43de969f5117062f9e2aff9c32b5c8

  • SHA1

    5887cd36102f856abf27e885c3c10e78ca8032a4

  • SHA256

    1c742cf055297ced1f29fa5779cfa2c9c53fc64d945d6edd7330beb5f0d88a72

  • SHA512

    30004800e2b002e4b1f1c6bbdc4fc8a00d5f56ddb859b1047fcce63dd14ca51cc3ef9d7599b440b9795e3587b6af333728d75bd37ae5004ef3189f530ef6eebd

  • SSDEEP

    6144:clGtyUXasfHznB3XjdOwkL1xOh9XLpf6TUIa1bq/KMw:cJUXBB3zEjLPUf6J

Score
10/10
phemedronexwormcredential_accessexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121
Attributes
  • Install_directory

    %Public%

  • install_file

    calc.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c742cf055297ced1f29fa5779cfa2c9c53fc64d945d6edd7330beb5f0d88a72.exe
    "C:\Users\Admin\AppData\Local\Temp\1c742cf055297ced1f29fa5779cfa2c9c53fc64d945d6edd7330beb5f0d88a72.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1312
    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c pause
        3⤵
          PID:1164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4272
      • C:\Users\Admin\AppData\Local\Temp\calcc.exe
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:720
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3688
    • C:\Users\Public\calc.exe
      C:\Users\Public\calc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
    • C:\Users\Public\calc.exe
      C:\Users\Public\calc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3380

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    3
    T1552

    Credentials In Files

    3
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calc.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      b4b6d4cc52b5a3a71149b1f33d94d5de

      SHA1

      97d3dbdd24919eab70e3b14c68797cefc07e90dd

      SHA256

      da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

      SHA512

      fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      36ce492590dae6a99dc720c4b441342d

      SHA1

      f33cf61dad0c21b77afa23e8288152dd51effeb3

      SHA256

      e049e9723cef24d71a65551cfbe9463e3ab6de1c9ac059511ae5f461a3becde5

      SHA512

      f291a68555f9970fe51f7dae052dfd5e2c01ff4ebb275d8a348bb7fcb6eb744fb3ce55006a850a9571ae8d0c5763f87ff1ce0f0f67e83794f4cc0056aa27935d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      98baf5117c4fcec1692067d200c58ab3

      SHA1

      5b33a57b72141e7508b615e17fb621612cb8e390

      SHA256

      30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

      SHA512

      344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      ee9f1be5d4d351a5c376b370adcf0eea

      SHA1

      1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

      SHA256

      70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

      SHA512

      fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
      Filesize

      121KB

      MD5

      7b6c19c2c8fc4ff9cc5b136f22cf490d

      SHA1

      e557a697a268c54a73aaffd02d25e54c4f601719

      SHA256

      cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

      SHA512

      afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvtmhxld.afc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\calcc.exe
      Filesize

      71KB

      MD5

      36686a659c023c60d85630ef9080ee34

      SHA1

      c26facc03073d700fc65af33eb2d8a6215f065b6

      SHA256

      eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49

      SHA512

      236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      Filesize

      251KB

      MD5

      f71fc206efa0533dc5a9bdce59fd342e

      SHA1

      077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda

      SHA256

      98d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6

      SHA512

      2913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e

      Download Submit

    • memory/1312-6-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1312-20-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1312-17-0x000001B8E8CB0000-0x000001B8E8CD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1312-7-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1312-5-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3688-76-0x0000000000E30000-0x0000000000E54000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4260-0-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4260-77-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4260-4-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4260-3-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4260-2-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4260-1-0x0000000000AE0000-0x0000000000B30000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4640-52-0x0000000000D70000-0x0000000000D88000-memory.dmp

      Filesize

      96KB

      Download