Analysis
max time kernel
78s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
24-09-2024 21:12
Static task
static1
Behavioral task
behavioral1
Sample
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
Resource
win7-20240729-en
General
Target
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
Size
7.0MB
MD5
f52edee9472d973f7aedaa58baed96e6
SHA1
dee4734806f0a47e81627a66b2c75e5ec37b6b1a
SHA256
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
SHA512
1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
SSDEEP
98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R
Malware Config
Extracted
xworm
C2
146.190.110.91:3389
Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Signatures

Detect Xworm Payload 2 IoCs
resource yara_rule
behavioral1/memory/2732-16-0x0000000000F70000-0x0000000000F86000-memory.dmp family_xworm
behavioral1/files/0x0035000000017530-15.dat family_xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run only path and process exclusions are added (-ExclusionPath and -ExclusionProcess; see the process tree below).
pid Process
2444 powershell.exe
1360 powershell.exe
2712 powershell.exe
2268 powershell.exe
1232 powershell.exe

Drops startup file 3 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk msedgewebview2.exe

Executes dropped EXE 4 IoCs
pid Process
988 Luxury Crypter.exe
2732 svchost.exe
2680 msedgewebview2.exe
2228 msedgewebview2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Luxury Crypter.exe

Delays execution with timeout.exe 1 IoCs
pid Process
400 timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task (msedgewebview2) starts the dropped copy under %LocalAppData%\ACCApi daily at 21:17 and re-runs it every minute for the rest of the day (/ri 1 /du 23:59).
pid Process
2008 schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
2732 svchost.exe
2228 msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
2444 powershell.exe
1360 powershell.exe
2712 powershell.exe
2268 powershell.exe
2732 svchost.exe
1232 powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process
Token: SeDebugPrivilege 2732 svchost.exe
Token: SeDebugPrivilege 2444 powershell.exe
Token: SeDebugPrivilege 1360 powershell.exe
Token: SeDebugPrivilege 2712 powershell.exe
Token: SeDebugPrivilege 2268 powershell.exe
Token: SeDebugPrivilege 2732 svchost.exe
Token: SeDebugPrivilege 2680 msedgewebview2.exe
Token: SeDebugPrivilege 1232 powershell.exe
Token: SeDebugPrivilege 2228 msedgewebview2.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2732 svchost.exe

Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target
PID 2380 wrote to memory of 988 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 29
PID 2380 wrote to memory of 988 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 29
PID 2380 wrote to memory of 988 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 29
PID 2380 wrote to memory of 988 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 29
PID 2380 wrote to memory of 2732 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 30
PID 2380 wrote to memory of 2732 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 30
PID 2380 wrote to memory of 2732 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 30
PID 2732 wrote to memory of 2444 2732 svchost.exe 31
PID 2732 wrote to memory of 2444 2732 svchost.exe 31
PID 2732 wrote to memory of 2444 2732 svchost.exe 31
PID 2732 wrote to memory of 1360 2732 svchost.exe 33
PID 2732 wrote to memory of 1360 2732 svchost.exe 33
PID 2732 wrote to memory of 1360 2732 svchost.exe 33
PID 2732 wrote to memory of 2712 2732 svchost.exe 35
PID 2732 wrote to memory of 2712 2732 svchost.exe 35
PID 2732 wrote to memory of 2712 2732 svchost.exe 35
PID 2380 wrote to memory of 2680 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 37
PID 2380 wrote to memory of 2680 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 37
PID 2380 wrote to memory of 2680 2380 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe 37
PID 2732 wrote to memory of 2268 2732 svchost.exe 38
PID 2732 wrote to memory of 2268 2732 svchost.exe 38
PID 2732 wrote to memory of 2268 2732 svchost.exe 38
PID 2680 wrote to memory of 1232 2680 msedgewebview2.exe 41
PID 2680 wrote to memory of 1232 2680 msedgewebview2.exe 41
PID 2680 wrote to memory of 1232 2680 msedgewebview2.exe 41
PID 2680 wrote to memory of 2008 2680 msedgewebview2.exe 43
PID 2680 wrote to memory of 2008 2680 msedgewebview2.exe 43
PID 2680 wrote to memory of 2008 2680 msedgewebview2.exe 43
PID 2680 wrote to memory of 2228 2680 msedgewebview2.exe 45
PID 2680 wrote to memory of 2228 2680 msedgewebview2.exe 45
PID 2680 wrote to memory of 2228 2680 msedgewebview2.exe 45
PID 2680 wrote to memory of 1668 2680 msedgewebview2.exe 46
PID 2680 wrote to memory of 1668 2680 msedgewebview2.exe 46
PID 2680 wrote to memory of 1668 2680 msedgewebview2.exe 46
PID 1668 wrote to memory of 400 1668 cmd.exe 48
PID 1668 wrote to memory of 400 1668 cmd.exe 48
PID 1668 wrote to memory of 400 1668 cmd.exe 48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2380
  C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 988
  C:\Users\Admin\AppData\Roaming\svchost.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2732
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2444
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1360
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2712
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2268
  C:\ProgramData\msedgewebview2.exe (depth 2)
    Command line: "C:\ProgramData\msedgewebview2.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2680
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1232
    C:\Windows\system32\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 21:17 /du 23:59 /sc daily /ri 1 /f
      - Scheduled Task/Job: Scheduled Task
      PID: 2008
    C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
      PID: 2228
    C:\Windows\system32\cmd.exe (depth 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3218.tmp.cmd""
      - Suspicious use of WriteProcessMemory
      PID: 1668
      C:\Windows\system32\timeout.exe (depth 4)
        Command line: timeout 6
        - Delays execution with timeout.exe
        PID: 400
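The process tree above shows four behaviours worth alerting on in endpoint telemetry: Defender exclusions added through Add-MpPreference, a schtasks /create whose target lives in a user-writable directory, a binary named svchost.exe running from outside System32, and a .lnk dropped into the per-user Startup folder. The following detection logic is an added example, not code from the sandbox or from the sample. SAMPLE_EVENTS is constructed from the command lines and paths in this report using a hypothetical record layout (the field names, the benign control events, and the list of legitimate svchost.exe locations are assumptions, not data from the page).

```python
"""Detection rules for the persistence and defense-evasion behaviour shown in
this report's process tree. Added example, not code from the sandbox or the
sample: SAMPLE_EVENTS is constructed from the report's command lines and file
paths in a hypothetical record layout (field names are assumptions)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Add-MpPreference / Set-MpPreference with any exclusion switch (this run uses
# -ExclusionPath and -ExclusionProcess; -ExclusionExtension is the third).
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
TASK_RUN_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
REPEAT_INTERVAL = re.compile(r"/ri\s+(\d+)", re.I)
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|programdata\\|users\\public\\|windows\\temp\\)",
    re.I)
STARTUP_FOLDER = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$", re.I)
# Where the genuine binary lives (assumption; verify before adding other names).
SYSTEM_BINARY_HOMES = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
}


def check_process(ev):
    """Apply the command-line and image-path rules to one process event."""
    out = []
    cmd = ev.get("command_line", "")
    image = ev.get("image", "")
    if DEFENDER_EXCLUSION.search(cmd):
        out.append(Finding("defender_exclusion", ev["pid"], cmd))
    if SCHTASKS_CREATE.search(cmd):
        m = TASK_RUN_ARG.search(cmd)
        target = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE.match(target):
            ri = REPEAT_INTERVAL.search(cmd)
            every = f", repeats every {ri.group(1)} min" if ri else ""
            out.append(Finding("scheduled_task_user_writable", ev["pid"],
                               f"task runs {target}{every}"))
    name = image.rsplit("\\", 1)[-1].lower()
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes and not image.lower().startswith(homes):
        out.append(Finding("masquerading_system_binary", ev["pid"], image))
    return out


def check_file(ev):
    """Flag anything written into the per-user Startup folder."""
    target = ev.get("target", "")
    if STARTUP_FOLDER.search(target):
        return [Finding("startup_folder_drop", ev["pid"], target)]
    return []


def analyze(events):
    """Run every rule over a list of process/file records, in input order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "file":
            findings.extend(check_file(ev))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed from the report's process tree; the last three are benign
# controls (not from the report) that the rules must not fire on.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2444, "image": PS, "command_line":
     f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
     r"'C:\Users\Admin\AppData\Roaming\svchost.exe'"},
    {"type": "process", "pid": 1360, "image": PS, "command_line":
     f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' "'svchost.exe'"},
    {"type": "process", "pid": 1232, "image": PS, "command_line":
     '"powershell.exe" Add-MpPreference -ExclusionPath ' r"'C:\Users\Admin\AppData\Local\ACCApi'"},
    {"type": "process", "pid": 2008, "image": r"C:\Windows\system32\schtasks.exe", "command_line":
     r'"schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 21:17 /du 23:59 /sc daily /ri 1 /f'},
    {"type": "process", "pid": 2732, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "command_line": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"type": "file", "pid": 2732, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"type": "process", "pid": 5001, "image": r"C:\Windows\system32\schtasks.exe", "command_line":
     r'"schtasks.exe" /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"type": "process", "pid": 5002, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "process", "pid": 5003, "image": PS, "command_line": '"powershell.exe" Get-MpPreference'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the report's events the rules fire six times: three Defender exclusions (PIDs 2444, 1360, 1232), the scheduled task pointing into %LocalAppData%\ACCApi with a one-minute repeat, svchost.exe running from %AppData%, and the svchost.lnk drop. The three benign controls produce nothing, which is the point of keying the schtasks rule on the target directory rather than on schtasks itself, and of treating only non-System32 svchost.exe as masquerading.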
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
8.8MB
MD5
9c55d8c0b720f652e4ad3753e9939b99
SHA1
ee69da72e65d44638f352791b2114887e2110384
SHA256
44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77
SHA512
ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

Filesize
147B
MD5
bc486dee4bccddaa61f8c4acdf3dda83
SHA1
eafa003d5738ddff14fe831eac347a0f241f873a
SHA256
4e6f4951c2c3e3906822f17ef742740ac28bb1ddbcdf1cac86641e5bdad6351b
SHA512
8f8124391a772182d5f48e80ee91244cbb26a401e9eb5d7c62f1d7158cba7697be3b1715fe029ae2226bfe52235c2a9dd3f082fb5cdd7f90c237dda1fb5edf05

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
6999f241cfabfa28d34f24337b511bae
SHA1
12d67c2ade68686e81f6b9b33386edb4e26f0478
SHA256
5721c2a0edf042b3e53b057ab4552f34aae58ac4919a78755407168c0c30425a
SHA512
239e7dfa4bf757e3b995bdd9c7c9691ebff0558c76493bfecd8373fea8856e50a041eb2b61247b0ac047e1c29c54a5bcd2be561513b295f59162b0276c2735e5

Filesize
67KB
MD5
39f4793e3bd69fde3059e02b84875bef
SHA1
4ae174ff10e05e7946c6220b2ef7565830596b3c
SHA256
eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102
SHA512
4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50