Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-09-2024 09:34
Static task
static1
Behavioral task
behavioral1
Sample
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Resource
win10v2004-20240802-en
General
-
Target
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
-
Size
291KB
-
MD5
37992d4e5349d0a9275c8d1fe0290591
-
SHA1
2ea1bb73a8459672c7f8a1133c4edc8040c2c63c
-
SHA256
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
-
SHA512
dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88
-
SSDEEP
6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J
Malware Config
Extracted
xworm
127.0.0.1:19121
goods-flex.gl.at.ply.gg:19121
-
Install_directory
%AppData%
-
install_file
GoogleUpdateUA.exe
Extracted
phemedrone
https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral1/files/0x0007000000004e76-13.dat family_xworm behavioral1/memory/2720-15-0x00000000011D0000-0x00000000011E6000-memory.dmp family_xworm behavioral1/memory/1836-70-0x0000000000270000-0x0000000000286000-memory.dmp family_xworm behavioral1/memory/2588-73-0x00000000013D0000-0x00000000013E6000-memory.dmp family_xworm -
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2188 powershell.exe 2776 powershell.exe 1900 powershell.exe 2956 powershell.exe 2528 powershell.exe 2068 powershell.exe 2292 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk GoogleUpdateUA.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk GoogleUpdateUA.exe -
Executes dropped EXE 5 IoCs
pid Process 2720 GoogleUpdateUA.exe 2824 launcher.exe 2128 Sync Center.exe 1836 GoogleUpdateUA.exe 2588 GoogleUpdateUA.exe -
Loads dropped DLL 2 IoCs
pid Process 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 2612 Process not Found -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateUA = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdateUA.exe" GoogleUpdateUA.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\launcher.exe" 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1252 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2188 powershell.exe 2776 powershell.exe 1900 powershell.exe 2128 Sync Center.exe 2956 powershell.exe 2528 powershell.exe 2068 powershell.exe 2292 powershell.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe Token: SeDebugPrivilege 2188 powershell.exe Token: SeDebugPrivilege 2720 GoogleUpdateUA.exe Token: SeDebugPrivilege 2776 powershell.exe Token: SeDebugPrivilege 1900 powershell.exe Token: SeDebugPrivilege 2128 Sync Center.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeDebugPrivilege 2292 powershell.exe Token: SeDebugPrivilege 2720 GoogleUpdateUA.exe Token: SeDebugPrivilege 1836 GoogleUpdateUA.exe Token: SeDebugPrivilege 2588 GoogleUpdateUA.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 1812 wrote to memory of 2188 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 32 PID 1812 wrote to memory of 2188 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 32 PID 1812 wrote to memory of 2188 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 32 PID 1812 wrote to memory of 2720 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 34 PID 1812 wrote to memory of 2720 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 34 PID 1812 wrote to memory of 2720 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 34 PID 1812 wrote to memory of 2776 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 35 PID 1812 wrote to memory of 2776 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 35 PID 1812 wrote to memory of 2776 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 35 PID 1812 wrote to memory of 2824 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 37 PID 1812 wrote to memory of 2824 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 37 PID 1812 wrote to memory of 2824 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 37 PID 1812 wrote to memory of 1900 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 39 PID 1812 wrote to memory of 1900 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 39 PID 1812 wrote to memory of 1900 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 39 PID 2824 wrote to memory of 2832 2824 launcher.exe 41 PID 2824 wrote to memory of 2832 2824 launcher.exe 41 PID 2824 wrote to memory of 2832 2824 launcher.exe 41 PID 1812 wrote to memory of 2128 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 42 PID 1812 wrote to memory of 2128 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 42 PID 1812 wrote to memory of 2128 1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 42 PID 2128 wrote to memory of 1224 2128 Sync Center.exe 43 PID 2128 wrote to memory of 1224 2128 Sync Center.exe 43 PID 2128 wrote to memory of 1224 2128 Sync Center.exe 43 PID 2720 wrote to memory of 2956 2720 GoogleUpdateUA.exe 44 PID 2720 wrote to memory of 2956 2720 GoogleUpdateUA.exe 44 PID 2720 wrote to memory of 2956 2720 GoogleUpdateUA.exe 44 PID 2720 wrote to memory of 2528 2720 GoogleUpdateUA.exe 46 PID 2720 wrote to memory of 2528 2720 GoogleUpdateUA.exe 46 PID 2720 wrote to memory of 2528 2720 GoogleUpdateUA.exe 46 PID 2720 wrote to memory of 2068 2720 GoogleUpdateUA.exe 48 PID 2720 wrote to memory of 2068 2720 GoogleUpdateUA.exe 48 PID 2720 wrote to memory of 2068 2720 GoogleUpdateUA.exe 48 PID 2720 wrote to memory of 2292 2720 GoogleUpdateUA.exe 50 PID 2720 wrote to memory of 2292 2720 GoogleUpdateUA.exe 50 PID 2720 wrote to memory of 2292 2720 GoogleUpdateUA.exe 50 PID 2720 wrote to memory of 1252 2720 GoogleUpdateUA.exe 52 PID 2720 wrote to memory of 1252 2720 GoogleUpdateUA.exe 52 PID 2720 wrote to memory of 1252 2720 GoogleUpdateUA.exe 52 PID 2428 wrote to memory of 1836 2428 taskeng.exe 55 PID 2428 wrote to memory of 1836 2428 taskeng.exe 55 PID 2428 wrote to memory of 1836 2428 taskeng.exe 55 PID 2428 wrote to memory of 2588 2428 taskeng.exe 56 PID 2428 wrote to memory of 2588 2428 taskeng.exe 56 PID 2428 wrote to memory of 2588 2428 taskeng.exe 56 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateUA" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1252
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:2832
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2128 -s 6363⤵PID:1224
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0E9897F3-625F-4359-9A59-F2274636CE52} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exeC:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exeC:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD59d84713a034176855221121b1b82e66d
SHA11f8b51b489510ba4d7d899b698f0ae1cf24380c3
SHA25643fe14e317713480c623a3fef46f3347c7051796eac95f489db2ea2f5a9830f3
SHA512434a8d9e81fb22ed38ba8c593b7d17be1d8b674b9a0441b194352a7072b7dfc20fdb81bb4aa8451d8b69671ac9f008e3d5611a209894cb1fbc86583a924e84dc
-
Filesize
121KB
MD57b6c19c2c8fc4ff9cc5b136f22cf490d
SHA1e557a697a268c54a73aaffd02d25e54c4f601719
SHA256cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353
SHA512afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5ce2217a9c39ea918cbe321a09f8410db
SHA101c04247f656303eb9712f7fd4d04ed9cccfdff3
SHA256a3aef42b915affefeaab1422c1c1a1cdefcb659914936469ff2f4c1c6b5c19ad
SHA512fd47d4ebafb7c1602235ef7e936fd41244afef202b79ecdf4039e50ebbd316419cbfb7b5fe3f0e19c6faf481b14f099f187567abc56c3133a4916f70d141009e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LRDWC200STC2SHDM4YCO.temp
Filesize7KB
MD522e02d3e017029ed6865e1915feb2851
SHA1a59631455ddaea426a3ca4c96be4f6af64f73200
SHA25651b63799e2de52753fad60da37294ea7ddd072d401bfa8760ee1cb9cb6e408fe
SHA5126586f752e7b5a69433720e84e004de0d48baac557e267482715e672eac927cdd7b6aa34d49a9bfbab21642f5327ca04a92354e4d28c68895822cb9ad93b9fb81
-
Filesize
251KB
MD5f71fc206efa0533dc5a9bdce59fd342e
SHA1077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda
SHA25698d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6
SHA5122913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e