Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-09-2024 09:38
Static task
static1
Behavioral task
behavioral1
Sample
XBinderOutput.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
XBinderOutput.exe
Resource
win10v2004-20240802-en
General
-
Target
XBinderOutput.exe
-
Size
269KB
-
MD5
8b45e5989e41d1512ab5aeb7e79a0646
-
SHA1
bb5eac66225b3fda93ad83a1eb5d98ace5b9c6d4
-
SHA256
3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b
-
SHA512
c753483cd538e856e894e0b4d5d9211b07e17b02209bc463d6afc5e645e627b2385ee46b8a8c7825eda617e20fd6b318750d878e3fc7a9f3d1ff0a83b44064af
-
SSDEEP
6144:gDixhyqtRZ2XdRB3XjdOwkL1xOnD+Y96xf6TUIa1bq/KMw:gmxhHtRZqdRB3zEjLPPf6J
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument
Extracted
xworm
5.0
89.31.122.114:1488
8hQA9bqDdqRhTokn
-
Install_directory
%LocalAppData%
-
install_file
Microsoft Teams.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000012119-31.dat family_xworm behavioral1/memory/2732-33-0x0000000000A40000-0x0000000000A50000-memory.dmp family_xworm -
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2280 powershell.exe 2492 powershell.exe 1320 powershell.exe 1776 powershell.exe 2856 powershell.exe 2956 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk svchost.exe -
Executes dropped EXE 3 IoCs
pid Process 2900 Parynah.exe 2332 launcher.exe 2732 svchost.exe -
Loads dropped DLL 2 IoCs
pid Process 1680 XBinderOutput.exe 2880 Process not Found -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" XBinderOutput.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Teams.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parynah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Parynah.exe" XBinderOutput.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 548 timeout.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1776 powershell.exe 2856 powershell.exe 2956 powershell.exe 2280 powershell.exe 2492 powershell.exe 1320 powershell.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 1776 powershell.exe Token: SeDebugPrivilege 2856 powershell.exe Token: SeDebugPrivilege 2732 svchost.exe Token: SeDebugPrivilege 2900 Parynah.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeDebugPrivilege 2280 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 1320 powershell.exe Token: SeDebugPrivilege 2732 svchost.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 1680 wrote to memory of 1776 1680 XBinderOutput.exe 30 PID 1680 wrote to memory of 1776 1680 XBinderOutput.exe 30 PID 1680 wrote to memory of 1776 1680 XBinderOutput.exe 30 PID 1680 wrote to memory of 2900 1680 XBinderOutput.exe 32 PID 1680 wrote to memory of 2900 1680 XBinderOutput.exe 32 PID 1680 wrote to memory of 2900 1680 XBinderOutput.exe 32 PID 1680 wrote to memory of 2332 1680 XBinderOutput.exe 33 PID 1680 wrote to memory of 2332 1680 XBinderOutput.exe 33 PID 1680 wrote to memory of 2332 1680 XBinderOutput.exe 33 PID 1680 wrote to memory of 2856 1680 XBinderOutput.exe 34 PID 1680 wrote to memory of 2856 1680 XBinderOutput.exe 34 PID 1680 wrote to memory of 2856 1680 XBinderOutput.exe 34 PID 2332 wrote to memory of 2984 2332 launcher.exe 37 PID 2332 wrote to memory of 2984 2332 launcher.exe 37 PID 2332 wrote to memory of 2984 2332 launcher.exe 37 PID 1680 wrote to memory of 2732 1680 XBinderOutput.exe 38 PID 1680 wrote to memory of 2732 1680 XBinderOutput.exe 38 PID 1680 wrote to memory of 2732 1680 XBinderOutput.exe 38 PID 2900 wrote to memory of 2920 2900 Parynah.exe 41 PID 2900 wrote to memory of 2920 2900 Parynah.exe 41 PID 2900 wrote to memory of 2920 2900 Parynah.exe 41 PID 2732 wrote to memory of 2956 2732 svchost.exe 42 PID 2732 wrote to memory of 2956 2732 svchost.exe 42 PID 2732 wrote to memory of 2956 2732 svchost.exe 42 PID 2732 wrote to memory of 2280 2732 svchost.exe 44 PID 2732 wrote to memory of 2280 2732 svchost.exe 44 PID 2732 wrote to memory of 2280 2732 svchost.exe 44 PID 2732 wrote to memory of 2492 2732 svchost.exe 46 PID 2732 wrote to memory of 2492 2732 svchost.exe 46 PID 2732 wrote to memory of 2492 2732 svchost.exe 46 PID 2732 wrote to memory of 1320 2732 svchost.exe 48 PID 2732 wrote to memory of 1320 2732 svchost.exe 48 PID 2732 wrote to memory of 1320 2732 svchost.exe 48 PID 2732 wrote to memory of 908 2732 svchost.exe 50 PID 2732 wrote to memory of 908 2732 svchost.exe 50 PID 2732 wrote to memory of 908 2732 svchost.exe 50 PID 908 wrote to memory of 548 908 cmd.exe 52 PID 908 wrote to memory of 548 908 cmd.exe 52 PID 908 wrote to memory of 548 908 cmd.exe 52
Processes
-
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Parynah.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Users\Admin\AppData\Local\Temp\Parynah.exe"C:\Users\Admin\AppData\Local\Temp\Parynah.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2900 -s 5003⤵PID:2920
-
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:2984
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Teams.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teams.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:548
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD5d133118d33c184b72ca217ef7135ca21
SHA12d24907dc8ab775f2f204281e48c4f626daaf3ee
SHA25679e28785a6b291d6fa50d4784c0fe0936cc326380153d7732e973bcb7a9ddba2
SHA5126fbda67a0091388db4367aec3882e838253c9488b99955978187647f445eb775bb6b1913cc3e9fdacfa0193fe854d45945a3b48b68c76ded7eeef4d46fcc9219
-
Filesize
154B
MD5c4600144caa76fa293e78819a90303ea
SHA1a735b1975f6313d61ca63e532f5697593f23f0cd
SHA256caa3bf020b5cffd1da57a2824dd852021f9df37f9f63e87a3a6b72c56faa3b01
SHA512d81613943ff9cb303d3a794c7e5d87c99161b1ba9dd75fa8b28e2f74d70d81f7334b1bec9a73a6c4cad26659efac5aad99c5c87c6bb22f20760c00a362d44787
-
Filesize
41KB
MD5fc056dfd563e0a955a60c2eaeb14e70e
SHA13c84ee4f1226d7d5f501021234b1e5fbbc277de8
SHA256ed977d71ffa080570dfc92b91e8b71d07d279482e21c1ba0622f8e44400807c0
SHA512973457e2d759031f6fee35518332ea0b9b0141657c20c227182f15028f98f0c435e6ac575dc7c64175c4024a872c9e10126d6180491f10b29b959bd48bacc243
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD500149f7dda9397e7bff8a9954267de56
SHA1c12eccc669e21fd23368c1c7e167ec5a57251593
SHA2560972389788cf5867939f8c5be9af908e0334a3c227b1f11352a62c74480667f8
SHA5127691f6db36ccf2c1dd6ab8379257f087580b3fa323751725554c765d831f69dad664397d0b7f801a3a2eb688467813b3d8ecb26a7579cb163de47cd19149bef6
-
Filesize
251KB
MD5f71fc206efa0533dc5a9bdce59fd342e
SHA1077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda
SHA25698d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6
SHA5122913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e