Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2024 09:38

General

  • Target

    XBinderOutput.exe

  • Size

    269KB

  • MD5

    8b45e5989e41d1512ab5aeb7e79a0646

  • SHA1

    bb5eac66225b3fda93ad83a1eb5d98ace5b9c6d4

  • SHA256

    3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b

  • SHA512

    c753483cd538e856e894e0b4d5d9211b07e17b02209bc463d6afc5e645e627b2385ee46b8a8c7825eda617e20fd6b318750d878e3fc7a9f3d1ff0a83b44064af

  • SSDEEP

    6144:gDixhyqtRZ2XdRB3XjdOwkL1xOnD+Y96xf6TUIa1bq/KMw:gmxhHtRZqdRB3zEjLPPf6J

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Extracted

Family

xworm

Version

5.0

C2

89.31.122.114:1488

Mutex

8hQA9bqDdqRhTokn

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Microsoft Teams.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Parynah.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\Parynah.exe
      "C:\Users\Admin\AppData\Local\Temp\Parynah.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2900 -s 500
        3⤵
          PID:2920
      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          3⤵
            PID:2984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
        • C:\Users\Admin\AppData\Local\svchost.exe
          "C:\Users\Admin\AppData\Local\svchost.exe"
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2280
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Teams.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teams.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1320
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.bat""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\system32\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:548

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Parynah.exe

        Filesize

        121KB

        MD5

        d133118d33c184b72ca217ef7135ca21

        SHA1

        2d24907dc8ab775f2f204281e48c4f626daaf3ee

        SHA256

        79e28785a6b291d6fa50d4784c0fe0936cc326380153d7732e973bcb7a9ddba2

        SHA512

        6fbda67a0091388db4367aec3882e838253c9488b99955978187647f445eb775bb6b1913cc3e9fdacfa0193fe854d45945a3b48b68c76ded7eeef4d46fcc9219

      • C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.bat

        Filesize

        154B

        MD5

        c4600144caa76fa293e78819a90303ea

        SHA1

        a735b1975f6313d61ca63e532f5697593f23f0cd

        SHA256

        caa3bf020b5cffd1da57a2824dd852021f9df37f9f63e87a3a6b72c56faa3b01

        SHA512

        d81613943ff9cb303d3a794c7e5d87c99161b1ba9dd75fa8b28e2f74d70d81f7334b1bec9a73a6c4cad26659efac5aad99c5c87c6bb22f20760c00a362d44787

      • C:\Users\Admin\AppData\Local\svchost.exe

        Filesize

        41KB

        MD5

        fc056dfd563e0a955a60c2eaeb14e70e

        SHA1

        3c84ee4f1226d7d5f501021234b1e5fbbc277de8

        SHA256

        ed977d71ffa080570dfc92b91e8b71d07d279482e21c1ba0622f8e44400807c0

        SHA512

        973457e2d759031f6fee35518332ea0b9b0141657c20c227182f15028f98f0c435e6ac575dc7c64175c4024a872c9e10126d6180491f10b29b959bd48bacc243

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        00149f7dda9397e7bff8a9954267de56

        SHA1

        c12eccc669e21fd23368c1c7e167ec5a57251593

        SHA256

        0972389788cf5867939f8c5be9af908e0334a3c227b1f11352a62c74480667f8

        SHA512

        7691f6db36ccf2c1dd6ab8379257f087580b3fa323751725554c765d831f69dad664397d0b7f801a3a2eb688467813b3d8ecb26a7579cb163de47cd19149bef6

      • \Users\Admin\AppData\Local\Temp\launcher.exe

        Filesize

        251KB

        MD5

        f71fc206efa0533dc5a9bdce59fd342e

        SHA1

        077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda

        SHA256

        98d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6

        SHA512

        2913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e

      • memory/1680-1-0x00000000009D0000-0x0000000000A1A000-memory.dmp

        Filesize

        296KB

      • memory/1680-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

        Filesize

        4KB

      • memory/1776-8-0x0000000002860000-0x0000000002868000-memory.dmp

        Filesize

        32KB

      • memory/1776-7-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

        Filesize

        2.9MB

      • memory/1776-6-0x0000000002C50000-0x0000000002CD0000-memory.dmp

        Filesize

        512KB

      • memory/2280-46-0x0000000001F00000-0x0000000001F08000-memory.dmp

        Filesize

        32KB

      • memory/2732-33-0x0000000000A40000-0x0000000000A50000-memory.dmp

        Filesize

        64KB

      • memory/2856-26-0x000000001B770000-0x000000001BA52000-memory.dmp

        Filesize

        2.9MB

      • memory/2856-27-0x0000000002040000-0x0000000002048000-memory.dmp

        Filesize

        32KB

      • memory/2900-18-0x0000000000920000-0x0000000000944000-memory.dmp

        Filesize

        144KB

      • memory/2956-39-0x0000000001D90000-0x0000000001D98000-memory.dmp

        Filesize

        32KB