Analysis
- max time kernel: 42s
- max time network: 59s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29-08-2024 18:58
- Static task: static1
General
- Target: XOVLAUNCHER.rar
- Size: 1.5MB
- MD5: 756829ec0d4d18d94f16c4a96a085a93
- SHA1: 9f969e7e7f8af031a3436f4f017010488177bc71
- SHA256: c6ac37ecc79400cf18c368318d7d06acaa01da055400867b85849b3622d2381c
- SHA512: b04836e28158336c4e8482ef3e03d2e7dbaba61d8c97d4280dc1c13bd23c2fadc2090673f6a3bcb851dba918e892596dcfef408ced0c2b966ba4c280491f787e
- SSDEEP: 24576:Ccm8v+tBIz8VazDOL6cUQXYp7jfgaMHsgLJbzEjqq+N9wFkOm2ONLV+cT55qFuWb:CtI/DOLpXYyaMZ5moHwINB+cV5qRqMx1
Malware Config
Extracted
- aurora: 146.19.24.118:8081
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2724  XOVLAUNCHER.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes:
    description: Key created  ioc: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings  process: cmd.exe
    description: Key created  ioc: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings  process: OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1456  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeRestorePrivilege   pid 1456  7zFM.exe
    description: Token: 35                   pid 1456  7zFM.exe
    description: Token: SeSecurityPrivilege  pid 1456  7zFM.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 1456  7zFM.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes:
    pid 5004  OpenWith.exe (17 occurrences)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\XOVLAUNCHER.rar
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XOVLAUNCHER.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\XOVLAUNCHER.exe
  Command line: "C:\Users\Admin\Desktop\XOVLAUNCHER.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Desktop\XOVLAUNCHER.exe
  Filesize: 4.4MB
  MD5: bebf44172a15aae24667e4ae86b5b467
  SHA1: c6197bdb47a1df44c06eebb9e67179fd0ba1c12f
  SHA256: db440efc6d026b48a8ebc3784ad9f9cd6c6ee17941720b7b6b4d3c20e8d06d52
  SHA512: 72ade5b9e5e5d63ed8b65c989bbe0da9a18cccde6d264b482968a0e4253f4959cbaa42509f0d4f58fe6e7ccafd6dae4958a54d106e68bb364013d4a657a3a8c8