Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 09:38
Static task
static1
Behavioral task
behavioral1
Sample
XBinderOutput.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
XBinderOutput.exe
Resource
win10v2004-20240802-en
General
-
Target
XBinderOutput.exe
-
Size
269KB
-
MD5
8b45e5989e41d1512ab5aeb7e79a0646
-
SHA1
bb5eac66225b3fda93ad83a1eb5d98ace5b9c6d4
-
SHA256
3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b
-
SHA512
c753483cd538e856e894e0b4d5d9211b07e17b02209bc463d6afc5e645e627b2385ee46b8a8c7825eda617e20fd6b318750d878e3fc7a9f3d1ff0a83b44064af
-
SSDEEP
6144:gDixhyqtRZ2XdRB3XjdOwkL1xOnD+Y96xf6TUIa1bq/KMw:gmxhHtRZqdRB3zEjLPPf6J
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument
Extracted
xworm
5.0
89.31.122.114:1488
8hQA9bqDdqRhTokn
-
Install_directory
%LocalAppData%
-
install_file
Microsoft Teams.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000c000000023331-55.dat family_xworm behavioral2/memory/4596-63-0x0000000000790000-0x00000000007A0000-memory.dmp family_xworm -
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2232 powershell.exe 1872 powershell.exe 3872 powershell.exe 4120 powershell.exe 1988 powershell.exe 1684 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation XBinderOutput.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk svchost.exe -
Executes dropped EXE 3 IoCs
pid Process 3540 Parynah.exe 5116 launcher.exe 4596 svchost.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Teams.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parynah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Parynah.exe" XBinderOutput.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" XBinderOutput.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2588 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1684 powershell.exe 1684 powershell.exe 1684 powershell.exe 2232 powershell.exe 2232 powershell.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 2232 powershell.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe 3540 Parynah.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 1684 powershell.exe Token: SeDebugPrivilege 2232 powershell.exe Token: SeDebugPrivilege 3540 Parynah.exe Token: SeDebugPrivilege 4596 svchost.exe Token: SeDebugPrivilege 1872 powershell.exe Token: SeDebugPrivilege 3872 powershell.exe Token: SeDebugPrivilege 4120 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 4596 svchost.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1452 wrote to memory of 1684 1452 XBinderOutput.exe 93 PID 1452 wrote to memory of 1684 1452 XBinderOutput.exe 93 PID 1452 wrote to memory of 3540 1452 XBinderOutput.exe 95 PID 1452 wrote to memory of 3540 1452 XBinderOutput.exe 95 PID 1452 wrote to memory of 5116 1452 XBinderOutput.exe 96 PID 1452 wrote to memory of 5116 1452 XBinderOutput.exe 96 PID 1452 wrote to memory of 2232 1452 XBinderOutput.exe 97 PID 1452 wrote to memory of 2232 1452 XBinderOutput.exe 97 PID 5116 wrote to memory of 4184 5116 launcher.exe 103 PID 5116 wrote to memory of 4184 5116 launcher.exe 103 PID 1452 wrote to memory of 4596 1452 XBinderOutput.exe 104 PID 1452 wrote to memory of 4596 1452 XBinderOutput.exe 104 PID 4596 wrote to memory of 1872 4596 svchost.exe 108 PID 4596 wrote to memory of 1872 4596 svchost.exe 108 PID 4596 wrote to memory of 3872 4596 svchost.exe 110 PID 4596 wrote to memory of 3872 4596 svchost.exe 110 PID 4596 wrote to memory of 4120 4596 svchost.exe 112 PID 4596 wrote to memory of 4120 4596 svchost.exe 112 PID 4596 wrote to memory of 1988 4596 svchost.exe 114 PID 4596 wrote to memory of 1988 4596 svchost.exe 114 PID 4596 wrote to memory of 3208 4596 svchost.exe 118 PID 4596 wrote to memory of 3208 4596 svchost.exe 118 PID 3208 wrote to memory of 2588 3208 cmd.exe 120 PID 3208 wrote to memory of 2588 3208 cmd.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Parynah.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\Parynah.exe"C:\Users\Admin\AppData\Local\Temp\Parynah.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:4184
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Teams.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teams.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD4F6.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:2588
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:81⤵PID:3740
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5fe9b96bc4e29457b2d225a5412322a52
SHA1551e29903e926b5d6c52a8f57cf10475ba790bd0
SHA256e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997
SHA512ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5a5e0d50fb884fb8a741fc1e3607069f8
SHA1a243a80777685f77085fcd8150941eb031c2e813
SHA2561cdfcf768abf27ba45d8748cefbf068e94b255f43d700443a0a0bb1aedf94c24
SHA512b5fba675c532eca3b20469dee34b073c3ba988e5b294e328bc190a1925945a4bb561bd998e9dc81108c6cc782daeff104b8cdef14baa6699d7b70c37cb02147a
-
Filesize
944B
MD54857503def5a24a152c052a38f239686
SHA10e7db0dc1ef7aecbd1e2f7c45c15fe559da240c3
SHA2569d1bad7ff7cb95da5f1eca5df87756b0c1ab7c80bd55d841026940c87d430bdf
SHA5127f472229dabdc37e2fd647b287b5843d4db38c18ca8e88308cbf30a3781e6b4542156f36ed8c3ea81454c1c47d82f3833cd67cc77f1ef5aac41d14aa4af48c88
-
Filesize
944B
MD5e58749a7a1826f6ea62df1e2ef63a32b
SHA1c0bca21658b8be4f37b71eec9578bfefa44f862d
SHA2560e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
SHA5124cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70
-
Filesize
121KB
MD5d133118d33c184b72ca217ef7135ca21
SHA12d24907dc8ab775f2f204281e48c4f626daaf3ee
SHA25679e28785a6b291d6fa50d4784c0fe0936cc326380153d7732e973bcb7a9ddba2
SHA5126fbda67a0091388db4367aec3882e838253c9488b99955978187647f445eb775bb6b1913cc3e9fdacfa0193fe854d45945a3b48b68c76ded7eeef4d46fcc9219
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
251KB
MD5f71fc206efa0533dc5a9bdce59fd342e
SHA1077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda
SHA25698d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6
SHA5122913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e
-
Filesize
154B
MD558536bcc46c6ac1fb2ccf5fbd0b9c544
SHA1cf083c191bafa44aa8ef5bb0de1f201a7c27d501
SHA256b4ac95184b7fa1b2c0ed60f362bab86b2f0d85adbc1dfe7e538ddeba887f407c
SHA5120201ef8255a590d9ff4fbb8f47212c67acc8f631fa44ea276fcbd5e17f0975ba69ee148956411f4c9320eb84d3dfc5666b9e3de18229ea7aa8ed280c23b0ea61
-
Filesize
41KB
MD5fc056dfd563e0a955a60c2eaeb14e70e
SHA13c84ee4f1226d7d5f501021234b1e5fbbc277de8
SHA256ed977d71ffa080570dfc92b91e8b71d07d279482e21c1ba0622f8e44400807c0
SHA512973457e2d759031f6fee35518332ea0b9b0141657c20c227182f15028f98f0c435e6ac575dc7c64175c4024a872c9e10126d6180491f10b29b959bd48bacc243