Analysis
max time kernel
131s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
05-09-2024 12:17
Static task
static1
Behavioral task
behavioral1
Sample
XBinderOutput.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
XBinderOutput.exe
Resource
win10v2004-20240802-en
General
-
Target
XBinderOutput.exe
-
Size
334KB
-
MD5
bd5a99d1a915d183796d52364729242f
-
SHA1
d0b0913ac86154d9eb6ab8f22b1b6d0e3682aa51
-
SHA256
5dc9341df08796ab376579f34442247fa6942463974bad85e6d2709a114fe037
-
SHA512
1b076341992c63268b4ba400fb0ca9b65b49af09c5fb01553cee1e80da2dc18cd53f920bfa9987bd13b9c2f3b42cad54fc573f3a2ca7a1b9d50b98c32671fb91
-
SSDEEP
6144:v98Spzgs21x/GJqkntASwQvJzp8kRJoKXqwUHrsTB2zs+FAWKiXG/P16fCt3OY:GKgs2X/gDiVBQTB2zI6TO3O
Malware Config
Extracted
xworm
3.0
silver-bowl.gl.at.ply.gg:684
silver-bowl.gl.at.ply.gg:0684
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
Detect Xworm Payload 2 IoCs
resource                                                                     yara_rule
behavioral1/files/0x000c000000014afa-11.dat                                  family_xworm
behavioral1/memory/3056-14-0x0000000000B00000-0x0000000000B1A000-memory.dmp  family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2972  powershell.exe
476   powershell.exe
2028  powershell.exe
Drops startup file 2 IoCs
description                   ioc                                                                                               Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bootstrapper v4c.lnk  Bootstrapper v4c.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bootstrapper v4c.lnk  Bootstrapper v4c.exe
Executes dropped EXE 2 IoCs
pid   Process
2964  Bootstrapper v4.exe
3056  Bootstrapper v4c.exe
Loads dropped DLL 7 IoCs
pid   Process
1884  XBinderOutput.exe
1668  Process not Found
2704  WerFault.exe
2704  WerFault.exe
2704  WerFault.exe
2704  WerFault.exe
2704  WerFault.exe
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bootstrapper v4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bootstrapper v4.exe"    XBinderOutput.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bootstrapper v4c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bootstrapper v4c.exe"  XBinderOutput.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
2972  powershell.exe
476   powershell.exe
2028  powershell.exe
3056  Bootstrapper v4c.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description              pid   Process
Token: SeDebugPrivilege  3056  Bootstrapper v4c.exe
Token: SeDebugPrivilege  2964  Bootstrapper v4.exe
Token: SeDebugPrivilege  2972  powershell.exe
Token: SeDebugPrivilege  476   powershell.exe
Token: SeDebugPrivilege  2028  powershell.exe
Token: SeDebugPrivilege  3056  Bootstrapper v4c.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
3056  Bootstrapper v4c.exe
Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   Process               procid_target
PID 1884 wrote to memory of 2964  1884  XBinderOutput.exe     28
PID 1884 wrote to memory of 2964  1884  XBinderOutput.exe     28
PID 1884 wrote to memory of 2964  1884  XBinderOutput.exe     28
PID 1884 wrote to memory of 3056  1884  XBinderOutput.exe     30
PID 1884 wrote to memory of 3056  1884  XBinderOutput.exe     30
PID 1884 wrote to memory of 3056  1884  XBinderOutput.exe     30
PID 2964 wrote to memory of 2704  2964  Bootstrapper v4.exe   31
PID 2964 wrote to memory of 2704  2964  Bootstrapper v4.exe   31
PID 2964 wrote to memory of 2704  2964  Bootstrapper v4.exe   31
PID 3056 wrote to memory of 2972  3056  Bootstrapper v4c.exe  33
PID 3056 wrote to memory of 2972  3056  Bootstrapper v4c.exe  33
PID 3056 wrote to memory of 2972  3056  Bootstrapper v4c.exe  33
PID 3056 wrote to memory of 476   3056  Bootstrapper v4c.exe  35
PID 3056 wrote to memory of 476   3056  Bootstrapper v4c.exe  35
PID 3056 wrote to memory of 476   3056  Bootstrapper v4c.exe  35
PID 3056 wrote to memory of 2028  3056  Bootstrapper v4c.exe  37
PID 3056 wrote to memory of 2028  3056  Bootstrapper v4c.exe  37
PID 3056 wrote to memory of 2028  3056  Bootstrapper v4c.exe  37
Processes
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884
    C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
        C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2964 -s 972
        - Loads dropped DLL
        PID:2704
    C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3056
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2972
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bootstrapper v4c.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:476
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Bootstrapper v4c.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
79KB
MD5
64553acae30df85c70a7e8c1750a21fa
SHA1
a106939b1fdb775c33cfe1ad4007579c0dc8c369
SHA256
03c0c0a803543d40715b14afb48eeb2ad5cffb95d78c99f7eb544610e9099cf5
SHA512
149867abeba71221b2951dd51c15d6aa27cfec9854a5ff721700bab69b86a60d76eab3918872d8a8079fcaf2314fc5434fd0b5c20749c43f9277e55fe165823b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
31603f6134dfd0751457b62739a0351a
SHA1
676b0d462b7a2825dd90e45bde626a9d967b4a02
SHA256
9a551363e5067dbfba66311fe033af2ed9c00ea9e3815afd774473e044b0c083
SHA512
037dc5c472acec194b1c9dfbe87d376113832f53b4e2847fa4d2d45e460e5cf72793067285f797076a3959024245b29c6441036ad9d1432a8f790cc882bf4b9d
-
Filesize
796KB
MD5
4b94b989b0fe7bec6311153b309dfe81
SHA1
bb50a4bb8a66f0105c5b74f32cd114c672010b22
SHA256
7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
SHA512
fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d