Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10-09-2024 09:34

General

  • Target

    35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe

  • Size

    291KB

  • MD5

    37992d4e5349d0a9275c8d1fe0290591

  • SHA1

    2ea1bb73a8459672c7f8a1133c4edc8040c2c63c

  • SHA256

    35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6

  • SHA512

    dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88

  • SSDEEP

    6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121

Attributes
  • Install_directory

    %AppData%

  • install_file

    GoogleUpdateUA.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument
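
The three C2 values above mix a non-actionable placeholder, a tunnel hostname and a live secret, and they should not be copied into a blocklist or a public IOC feed as they stand. The following Python is an added example, not part of the sandbox report or of either malware family: it normalises the extracted config into shareable indicators, dropping the loopback entry as a non-network artifact, tagging the *.at.ply.gg host as a playit.gg tunnel endpoint (so the IP it resolves to belongs to the tunnel provider, not the operator), and splitting the Telegram bot URL into a bot ID that can be shared and a token that is redacted. The TUNNEL_SUFFIXES table and the record field names are this example's own choices.

```python
"""Normalise the extracted C2 configuration of this report into IOCs
that can be shared without leaking secrets or blocking loopback."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the Malware Config section of the report.
CONFIG = {
    "xworm": ["127.0.0.1:19121", "goods-flex.gl.at.ply.gg:19121"],
    "phemedrone": ["https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument"],
}

# Hostnames under *.at.ply.gg are handed out by the playit.gg tunnelling service
# (table is this example's own; extend it for other tunnel providers you track).
TUNNEL_SUFFIXES = {".ply.gg": "playit.gg"}

# Bot API paths look like /bot<bot_id>:<token>/<method>; the token is the secret.
TELEGRAM_BOT = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def redact(secret, keep=4):
    """Keep only the first and last few characters of a secret."""
    return secret[:keep] + "..." + secret[-keep:] if len(secret) > 2 * keep else "..."


def normalise(family, raw):
    """Turn one raw C2 string into a record safe to share (no full token kept)."""
    ioc = {"family": family, "actionable": True, "notes": []}
    if "://" in raw:
        u = urlparse(raw)
        ioc.update(type="url", host=u.hostname)
        m = TELEGRAM_BOT.match(u.path) if u.hostname == "api.telegram.org" else None
        if m:
            bot_id, token, method = m.groups()
            ioc["share"] = f"{u.hostname}/bot{bot_id}"
            ioc["notes"].append(
                f"Telegram bot {bot_id} via {method}; token {redact(token)} is a live "
                "secret: report it to Telegram for revocation, do not republish it")
        else:
            ioc["share"] = raw
        return ioc
    host, _, port = raw.rpartition(":")
    ioc.update(type="hostport", host=host, port=int(port), share=raw)
    try:
        if ipaddress.ip_address(host).is_loopback:
            ioc["actionable"] = False
            ioc["notes"].append("loopback placeholder left in the builder config; not a network indicator")
    except ValueError:  # a hostname, not an IP literal
        for suffix, provider in TUNNEL_SUFFIXES.items():
            if host.endswith(suffix):
                ioc["notes"].append(
                    f"{provider} tunnel: block the hostname, but the resolved IP is the "
                    "tunnel provider's, not the operator's")
    return ioc


def normalise_all(config):
    """Normalise every indicator of every family in extraction order."""
    return [normalise(family, raw) for family, raws in config.items() for raw in raws]


if __name__ == "__main__":
    for ioc in normalise_all(CONFIG):
        flag = "" if ioc["actionable"] else " (ignore)"
        print(f"{ioc['family']:<11} {ioc['share']}{flag}")
        for note in ioc["notes"]:
            print(f"{'':<11}   {note}")
```

The returned records never carry the raw Telegram URL, so they can be passed to a sharing platform as-is; the only place the token exists is the redacted note.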

Signatures

  • Detect Xworm Payload 4 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions; in this sample, for the paths of the dropped executables and for the GoogleUpdateUA.exe process name.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, including saved credentials.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
    "C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
      "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateUA" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe"
        • Scheduled Task/Job: Scheduled Task
        PID:1252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c pause
        PID:2832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
      "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2128 -s 636
        PID:1224
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0E9897F3-625F-4359-9A59-F2274636CE52} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
      C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1836
    • C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
      C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
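
The process tree above is a compact specimen of the behaviours the Signatures section counts: seven PowerShell launches that call Add-MpPreference, one schtasks /create, and a set of executables run from the user profile, with the scheduled task later firing the Roaming copy of GoogleUpdateUA.exe under taskeng.exe. The following Python is an added example, not part of the sandbox report or of either malware family: it tokenises the command lines copied from the tree, applies one rule per behaviour, and then correlates the results to flag that the scheduled task's target is exactly the path the same chain had just excluded from Defender. The rule names, the "five minutes or less" trigger threshold and the Finding record are this example's own choices.

```python
"""Rule-based triage of the process tree in this report: Defender
exclusions added through PowerShell, high-frequency scheduled-task
persistence, executables launched from the user profile, and the
correlation between the first two."""
import re
from collections import Counter
from dataclasses import dataclass

# (PID, command line) pairs copied from the Processes section of the report.
SAMPLE = "35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '
PROCESSES = [
    (1812, f'"{TEMP}\\{SAMPLE}"'),
    (2188, PS + f"-ExclusionPath '{TEMP}\\GoogleUpdateUA.exe'"),
    (2720, f'"{TEMP}\\GoogleUpdateUA.exe"'),
    (2956, PS + f"-ExclusionPath '{TEMP}\\GoogleUpdateUA.exe'"),
    (2528, PS + "-ExclusionProcess 'GoogleUpdateUA.exe'"),
    (2068, PS + f"-ExclusionPath '{ROAM}\\GoogleUpdateUA.exe'"),
    (2292, PS + "-ExclusionProcess 'GoogleUpdateUA.exe'"),
    (1252, r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
           f'/tn "GoogleUpdateUA" /tr "{ROAM}\\GoogleUpdateUA.exe"'),
    (2776, PS + f"-ExclusionPath '{TEMP}\\launcher.exe'"),
    (2824, f'"{TEMP}\\launcher.exe"'),
    (2832, r"C:\Windows\system32\cmd.exe /c pause"),
    (1900, PS + f"-ExclusionPath '{TEMP}\\Sync Center.exe'"),
    (2128, f'"{TEMP}\\Sync Center.exe"'),
    (1224, r"C:\Windows\system32\WerFault.exe -u -p 2128 -s 636"),
    (2428, r"taskeng.exe {0E9897F3-625F-4359-9A59-F2274636CE52} "
           r"S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]"),
    (1836, f"{ROAM}\\GoogleUpdateUA.exe"),
    (2588, f"{ROAM}\\GoogleUpdateUA.exe"),
]

# Double- or single-quoted argument, or a run of non-whitespace.
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [a or b or c for a, b, c in TOKEN.findall(cmdline)]


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def analyse(processes):
    findings, excluded, tasks = [], set(), {}
    for pid, cmd in processes:
        toks = tokenize(cmd)
        low = [t.lower() for t in toks]
        image = low[0].rsplit("\\", 1)[-1]
        # Rule 1: Defender exclusion added through PowerShell; remember what was excluded.
        if image == "powershell.exe" and "add-mppreference" in low:
            for i, t in enumerate(low[:-1]):
                if t.startswith("-exclusion"):
                    excluded.add(low[i + 1])
                    findings.append(Finding(pid, "defender_exclusion", f"{toks[i]} {toks[i + 1]}"))
        # Rule 2: schtasks /create with a minute-level trigger or an elevated run level.
        elif image == "schtasks.exe" and "/create" in low:
            opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i].startswith("/")}
            sc, mo, rl = opts.get("/sc", "").lower(), opts.get("/mo", "1"), opts.get("/rl", "").upper()
            tasks[opts.get("/tn", "")] = opts.get("/tr", "")
            if (sc == "minute" and mo.isdigit() and int(mo) <= 5) or rl == "HIGHEST":
                findings.append(Finding(pid, "schtasks_persistence",
                                        f'{opts.get("/tn")} -> {opts.get("/tr")} every {mo} {sc}, /RL {rl or "default"}'))
        # Rule 3: an .exe launched from under the user's AppData (dropped payloads, and the sample itself).
        elif image.endswith(".exe") and "\\appdata\\" in low[0]:
            findings.append(Finding(pid, "exec_from_appdata", toks[0]))
    # Correlation: a scheduled task whose target (path or file name) this chain excluded from Defender.
    for name, target in tasks.items():
        if target.lower() in excluded or target.lower().rsplit("\\", 1)[-1] in excluded:
            findings.append(Finding(0, "excluded_task_target", f"{name}: {target}"))
    return findings


def summarise(findings):
    """Count findings per rule, for comparison with the report's IoC counts."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in analyse(PROCESSES):
        print(f"{f.pid:>5}  {f.rule:<22} {f.detail}")
```

Run against the tree, the exclusion rule fires seven times, matching the report's "7 IoCs", the AppData rule fires six times (the five dropped executions plus the sample itself), and the correlation rule ties the GoogleUpdateUA task to the Roaming path excluded by PID 2068.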

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
    Filesize: 63KB
    MD5: 9d84713a034176855221121b1b82e66d
    SHA1: 1f8b51b489510ba4d7d899b698f0ae1cf24380c3
    SHA256: 43fe14e317713480c623a3fef46f3347c7051796eac95f489db2ea2f5a9830f3
    SHA512: 434a8d9e81fb22ed38ba8c593b7d17be1d8b674b9a0441b194352a7072b7dfc20fdb81bb4aa8451d8b69671ac9f008e3d5611a209894cb1fbc86583a924e84dc

  • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
    Filesize: 121KB
    MD5: 7b6c19c2c8fc4ff9cc5b136f22cf490d
    SHA1: e557a697a268c54a73aaffd02d25e54c4f601719
    SHA256: cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353
    SHA512: afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: ce2217a9c39ea918cbe321a09f8410db
    SHA1: 01c04247f656303eb9712f7fd4d04ed9cccfdff3
    SHA256: a3aef42b915affefeaab1422c1c1a1cdefcb659914936469ff2f4c1c6b5c19ad
    SHA512: fd47d4ebafb7c1602235ef7e936fd41244afef202b79ecdf4039e50ebbd316419cbfb7b5fe3f0e19c6faf481b14f099f187567abc56c3133a4916f70d141009e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LRDWC200STC2SHDM4YCO.temp
    Filesize: 7KB
    MD5: 22e02d3e017029ed6865e1915feb2851
    SHA1: a59631455ddaea426a3ca4c96be4f6af64f73200
    SHA256: 51b63799e2de52753fad60da37294ea7ddd072d401bfa8760ee1cb9cb6e408fe
    SHA512: 6586f752e7b5a69433720e84e004de0d48baac557e267482715e672eac927cdd7b6aa34d49a9bfbab21642f5327ca04a92354e4d28c68895822cb9ad93b9fb81

  • \Users\Admin\AppData\Local\Temp\launcher.exe
    Filesize: 251KB
    MD5: f71fc206efa0533dc5a9bdce59fd342e
    SHA1: 077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda
    SHA256: 98d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6
    SHA512: 2913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e

  • memory/1812-1-0x00000000009E0000-0x0000000000A2E000-memory.dmp
    Filesize: 312KB

  • memory/1812-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
    Filesize: 9.9MB

  • memory/1812-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp
    Filesize: 4KB

  • memory/1812-41-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
    Filesize: 9.9MB

  • memory/1836-70-0x0000000000270000-0x0000000000286000-memory.dmp
    Filesize: 88KB

  • memory/2128-40-0x0000000000AF0000-0x0000000000B14000-memory.dmp
    Filesize: 144KB

  • memory/2188-9-0x0000000002790000-0x0000000002798000-memory.dmp
    Filesize: 32KB

  • memory/2188-8-0x000000001B5B0000-0x000000001B892000-memory.dmp
    Filesize: 2.9MB

  • memory/2188-7-0x0000000002C60000-0x0000000002CE0000-memory.dmp
    Filesize: 512KB

  • memory/2528-52-0x0000000002810000-0x0000000002818000-memory.dmp
    Filesize: 32KB

  • memory/2588-73-0x00000000013D0000-0x00000000013E6000-memory.dmp
    Filesize: 88KB

  • memory/2720-15-0x00000000011D0000-0x00000000011E6000-memory.dmp
    Filesize: 88KB

  • memory/2776-22-0x0000000002970000-0x0000000002978000-memory.dmp
    Filesize: 32KB

  • memory/2776-21-0x000000001B520000-0x000000001B802000-memory.dmp
    Filesize: 2.9MB