Analysis

max time kernel: 125s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 21:12

Static task: static1
Behavioral task: behavioral1
Sample: 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
Resource: win7-20240729-en
General

Target: 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
Size: 7.0MB
MD5: f52edee9472d973f7aedaa58baed96e6
SHA1: dee4734806f0a47e81627a66b2c75e5ec37b6b1a
SHA256: 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
SHA512: 1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
SSDEEP: 98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R
Malware Config

Extracted
Family: xworm
C2: 146.190.110.91:3389
Install_directory: %AppData%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Extracted
Family: gurcu
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4352-26-0x0000000000DB0000-0x0000000000DC6000-memory.dmp | family_xworm
behavioral2/files/0x000700000002359f-25.dat | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
pid | Process
3484 | powershell.exe
4532 | powershell.exe
3412 | powershell.exe
2272 | powershell.exe
4772 | powershell.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe

Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk | msedgewebview2.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe

Executes dropped EXE (4 IoCs)
pid | Process
1748 | Luxury Crypter.exe
4352 | svchost.exe
3544 | msedgewebview2.exe
4148 | msedgewebview2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2284 | 1748 | WerFault.exe | 89

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Crypter.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
3624 | timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
400 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4352 | svchost.exe
4148 | msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
pid | Process
3484 | powershell.exe
3484 | powershell.exe
3484 | powershell.exe
4532 | powershell.exe
4532 | powershell.exe
4532 | powershell.exe
3412 | powershell.exe
3412 | powershell.exe
3412 | powershell.exe
2272 | powershell.exe
2272 | powershell.exe
2272 | powershell.exe
4352 | svchost.exe
4352 | svchost.exe
4772 | powershell.exe
4772 | powershell.exe
4772 | powershell.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4352 | svchost.exe
Token: SeDebugPrivilege | 3484 | powershell.exe
Token: SeDebugPrivilege | 4532 | powershell.exe
Token: SeDebugPrivilege | 3412 | powershell.exe
Token: SeDebugPrivilege | 2272 | powershell.exe
Token: SeDebugPrivilege | 4352 | svchost.exe
Token: SeDebugPrivilege | 3544 | msedgewebview2.exe
Token: SeDebugPrivilege | 4772 | powershell.exe
Token: SeDebugPrivilege | 4148 | msedgewebview2.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4352 | svchost.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 3820 wrote to memory of 1748 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 89
PID 3820 wrote to memory of 1748 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 89
PID 3820 wrote to memory of 1748 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 89
PID 3820 wrote to memory of 4352 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 90
PID 3820 wrote to memory of 4352 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 90
PID 4352 wrote to memory of 3484 | 4352 | svchost.exe | 97
PID 4352 wrote to memory of 3484 | 4352 | svchost.exe | 97
PID 4352 wrote to memory of 4532 | 4352 | svchost.exe | 99
PID 4352 wrote to memory of 4532 | 4352 | svchost.exe | 99
PID 4352 wrote to memory of 3412 | 4352 | svchost.exe | 103
PID 4352 wrote to memory of 3412 | 4352 | svchost.exe | 103
PID 4352 wrote to memory of 2272 | 4352 | svchost.exe | 105
PID 4352 wrote to memory of 2272 | 4352 | svchost.exe | 105
PID 3820 wrote to memory of 3544 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 107
PID 3820 wrote to memory of 3544 | 3820 | 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe | 107
PID 3544 wrote to memory of 400 | 3544 | msedgewebview2.exe | 111
PID 3544 wrote to memory of 400 | 3544 | msedgewebview2.exe | 111
PID 3544 wrote to memory of 4772 | 3544 | msedgewebview2.exe | 112
PID 3544 wrote to memory of 4772 | 3544 | msedgewebview2.exe | 112
PID 3544 wrote to memory of 4148 | 3544 | msedgewebview2.exe | 115
PID 3544 wrote to memory of 4148 | 3544 | msedgewebview2.exe | 115
PID 3544 wrote to memory of 2448 | 3544 | msedgewebview2.exe | 116
PID 3544 wrote to memory of 2448 | 3544 | msedgewebview2.exe | 116

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[PID 3820] C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [PID 1748] C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        [PID 2284] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 780
            - Program crash

    [PID 4352] C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [PID 3484] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [PID 4532] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [PID 3412] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [PID 2272] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [PID 3544] C:\ProgramData\msedgewebview2.exe
        Command line: "C:\ProgramData\msedgewebview2.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [PID 400] C:\Windows\SYSTEM32\schtasks.exe
            Command line: "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 21:17 /du 23:59 /sc daily /ri 1 /f
            - Scheduled Task/Job: Scheduled Task

        [PID 4772] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [PID 4148] C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
            Command line: "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken

        [PID 2448] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8875.tmp.cmd""

            [PID 3624] C:\Windows\system32\timeout.exe
                Command line: timeout 6
                - Delays execution with timeout.exe

[PID 4916] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1748 -ip 1748

[PID 2888] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 660B
MD5: 1c5e1d0ff3381486370760b0f2eb656b
SHA1: f9df6be8804ef611063f1ff277e323b1215372de
SHA256: f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
SHA512: 78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: b55c6ff35916daee92d67e736a0e6411
SHA1: 17d526ac0eb82d8491cf14490d0e0c4997636c4b
SHA256: bd4b0bdf4dfa57793600a1648b43b17a0d7cff75bf20875963f7ff487efc3a29
SHA512: e31a30bda087b270862f51b9063af90b3a80cf1a7fbaf18cf82a197b2cfd9609ec90aa16ae364bbff5862e1047742c9529019b5b12f71a6777116610999dc61c

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 944B
MD5: b51dc9e5ec3c97f72b4ca9488bbb4462
SHA1: 5c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256: 976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA512: 0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Filesize: 944B
MD5: cae60f0ddddac635da71bba775a2c5b4
SHA1: 386f1a036af61345a7d303d45f5230e2df817477
SHA256: b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512: 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Filesize: 8.8MB
MD5: 9c55d8c0b720f652e4ad3753e9939b99
SHA1: ee69da72e65d44638f352791b2114887e2110384
SHA256: 44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77
SHA512: ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 67KB
MD5: 39f4793e3bd69fde3059e02b84875bef
SHA1: 4ae174ff10e05e7946c6220b2ef7565830596b3c
SHA256: eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102
SHA512: 4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50