Overview

overview

10

Static

static

3

Worm.Win32...ma.exe

windows7-x64

10

Worm.Win32...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/09/2024, 09:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Worm.Win32.Ludbaruma.exe

  • Size

    91KB

  • MD5

    873ef5c05d08ea689a7089b2587d2330

  • SHA1

    9aba971d627abf02ea1e0b00600912eb0f8626a5

  • SHA256

    806ff5a4291ace6371cfa09d584567b7d652d7b28c167a5ab9c4115e9aa4e1f7

  • SHA512

    f92df22b69780ace53fbe815b066b3dbaabe56b4f697375c6627be513ef6799f05eeb70ced00bde6c05836bd8dfb467044889af33cd37d2abf699d3aecba9b15

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0PoxhlzmnAwEmBGz1lNNqDaG0Poxhlzm/:FGmUXNQDaG0A8nGmUXNQDaG0A8/

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Ludbaruma.exe
    "C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Ludbaruma.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4276
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4672
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4128
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1280
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1504
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    5b0a945ac69d64fd957a5eb138947492

    SHA1

    5e93992549f9a7ed16f916398423ec943ed43696

    SHA256

    5e50c86e4c3fe7fc8e829c7e68387d921b3cebdf6f76393bf24381b394c8f439

    SHA512

    4187db27c0d3a05405cd2e84425334449894ed889bcebbbcfca7a3a8b7ccb26a47b82b525930afab59504bb19a9fac3799d8e70859fb13bc1efeb3ef875d8dfb

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    eb1554eafd4e99ff836f2699d5cf81b4

    SHA1

    47683b96399b8aac454ff92a9e8dc2fe2607cb50

    SHA256

    bc7e6728b3cddc26a0a4edbacaeec6329f9956aa8ea7280446426f8e67dc65e5

    SHA512

    2d119f242758c623cd317667ea56c2e60f8c035e7cb413ca8f0a857d47b8437230d5aafc0565bd353eb7fb543a84ff45bb834ff4650ffdd23d4bf1e021272094

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    5c9b728ccfe26eb8874074eab5a8b61b

    SHA1

    bef23a54a6904683a46750e3752d781b906b9a47

    SHA256

    19045bf4148cfa7859abe18b66bf847222da3ddaa6ca7baf12669a9cf7d6c08a

    SHA512

    a6383fcd1ca3a9fb4d578ae3712538825f20b271d04b1e33a61cb9eac4ea4a6722607ea4ac5a74f738e7e685526173fc842658586f412aca44e475f50b968195

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    a6bed34aa42cef55fc54ea1d073702b4

    SHA1

    e0ab286b735f3da7d3341b97cf1320503ae500a1

    SHA256

    0ed68060ee0996bb53f5aef5b568017fbc22f8c8f9f7ce7382d173e1bd541758

    SHA512

    0ead44a7f76fdae7fce9debf12ff8d86536ab588683e585dd60abb9cd69f9aa30f603cfc8b6e00a03670c53e52068a485e8fcea11e02260941937228b2824c48

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    873ef5c05d08ea689a7089b2587d2330

    SHA1

    9aba971d627abf02ea1e0b00600912eb0f8626a5

    SHA256

    806ff5a4291ace6371cfa09d584567b7d652d7b28c167a5ab9c4115e9aa4e1f7

    SHA512

    f92df22b69780ace53fbe815b066b3dbaabe56b4f697375c6627be513ef6799f05eeb70ced00bde6c05836bd8dfb467044889af33cd37d2abf699d3aecba9b15

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    b4d4fd1aa2fb4463910bb5ae49dda4e8

    SHA1

    9795b361ac436970b8fab8b5bf9be4d8ef0601e5

    SHA256

    3d8833281a180070ee2b03a1a59d1d7ed217b2fd381dc482ed878cd62e90bddd

    SHA512

    1960d3c3672f9d778a7a234c70c1ee2fe68d1dc29eb68d3195895da716dfbb3417cb17103561ad616bfa0a8cab84d7e0dda28b62f6eb417270e209a9c1aaa9ff

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    09b81700eda23a7412425fb77b58955a

    SHA1

    bc161acd24ad9d29dfeae3e05bdc418c69f37773

    SHA256

    d9419ac54db979f68e32ede87f1cce50f3cfd99963e00108c81fb32cdf9d51dd

    SHA512

    4f36a4ee0ac98816183e18e0656d10fd517d65e1dcb031b8e9350044ad521db7c1805eaf3460aa23fb7134e3f78131e49f64c31582c63893a3d2c78fe8787c34

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    4cb99e36a1043b0230c0aa488222d72a

    SHA1

    f1a5aebddc2356e7fd57494ac6bd27fe30e2910f

    SHA256

    850b003839c6398801f065a37a2ae237cb0f6ba89724fbf1f9a86dad77a46635

    SHA512

    c12977ddcaf7463efa3af605a5d3c45e6208524476c7f2ae9da98e6c5a1c4b312361fcbfc3615ecc26c14b2b5380b7e546a89aea48ba0f42d54eb5f1ed33f300

    Download Submit

  • memory/1280-130-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1504-137-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3152-117-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4128-123-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4276-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4276-152-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4364-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4672-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download