Analysis

  • max time kernel
    125s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 21:12

General

  • Target

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe

  • Size

    7.0MB

  • MD5

    f52edee9472d973f7aedaa58baed96e6

  • SHA1

    dee4734806f0a47e81627a66b2c75e5ec37b6b1a

  • SHA256

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

  • SHA512

    1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b

  • SSDEEP

    98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
    "C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 780
        3⤵
        • Program crash
        PID:2284
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 21:17 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
      • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8875.tmp.cmd""
        3⤵
          PID:2448
          • C:\Windows\system32\timeout.exe
            timeout 6
            4⤵
            • Delays execution with timeout.exe
            PID:3624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1748 -ip 1748
      1⤵
        PID:4916
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
        1⤵
          PID:2888

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedgewebview2.exe.log

          Filesize

          660B

          MD5

          1c5e1d0ff3381486370760b0f2eb656b

          SHA1

          f9df6be8804ef611063f1ff277e323b1215372de

          SHA256

          f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

          SHA512

          78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          b55c6ff35916daee92d67e736a0e6411

          SHA1

          17d526ac0eb82d8491cf14490d0e0c4997636c4b

          SHA256

          bd4b0bdf4dfa57793600a1648b43b17a0d7cff75bf20875963f7ff487efc3a29

          SHA512

          e31a30bda087b270862f51b9063af90b3a80cf1a7fbaf18cf82a197b2cfd9609ec90aa16ae364bbff5862e1047742c9529019b5b12f71a6777116610999dc61c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          b51dc9e5ec3c97f72b4ca9488bbb4462

          SHA1

          5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

          SHA256

          976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

          SHA512

          0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          cae60f0ddddac635da71bba775a2c5b4

          SHA1

          386f1a036af61345a7d303d45f5230e2df817477

          SHA256

          b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

          SHA512

          28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

        • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe

          Filesize

          8.8MB

          MD5

          9c55d8c0b720f652e4ad3753e9939b99

          SHA1

          ee69da72e65d44638f352791b2114887e2110384

          SHA256

          44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77

          SHA512

          ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_algi2apt.k3b.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          67KB

          MD5

          39f4793e3bd69fde3059e02b84875bef

          SHA1

          4ae174ff10e05e7946c6220b2ef7565830596b3c

          SHA256

          eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102

          SHA512

          4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50

        • memory/1748-29-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

          Filesize

          4KB

        • memory/1748-30-0x0000000000DA0000-0x000000000167A000-memory.dmp

          Filesize

          8.9MB

        • memory/3484-40-0x000002293EAF0000-0x000002293EB12000-memory.dmp

          Filesize

          136KB

        • memory/3544-94-0x000002882B1A0000-0x000002882B1E2000-memory.dmp

          Filesize

          264KB

        • memory/3820-0-0x00007FFAABD83000-0x00007FFAABD85000-memory.dmp

          Filesize

          8KB

        • memory/3820-77-0x00007FFAABD83000-0x00007FFAABD85000-memory.dmp

          Filesize

          8KB

        • memory/3820-88-0x00007FFAABD80000-0x00007FFAAC841000-memory.dmp

          Filesize

          10.8MB

        • memory/3820-95-0x00007FFAABD80000-0x00007FFAAC841000-memory.dmp

          Filesize

          10.8MB

        • memory/3820-4-0x00007FFAABD80000-0x00007FFAAC841000-memory.dmp

          Filesize

          10.8MB

        • memory/3820-1-0x00000000001A0000-0x00000000008A8000-memory.dmp

          Filesize

          7.0MB

        • memory/4352-28-0x00007FFAABD80000-0x00007FFAAC841000-memory.dmp

          Filesize

          10.8MB

        • memory/4352-26-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

          Filesize

          88KB

        • memory/4352-89-0x00007FFAABD80000-0x00007FFAAC841000-memory.dmp

          Filesize

          10.8MB