Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-09-2024 11:30

General

  • Target

    Output.exe

  • Size

    11.6MB

  • MD5

    d7c99b9559332b8652b2cf85c34f1dea

  • SHA1

    cbd247890c862d964683f8dc81cc3d7747bdfb73

  • SHA256

    53d398e45aaad1c1cbbb4be5abd2a0d2c039b746792fb63bd8b9b28aebf359ca

  • SHA512

    184945ec88ebe3e3ec5e3a71b9870b3459a0bb37491a665f356d3cb7286e0e79bed44a19e21cceba0fe0ec07a1d89e2238c70b06bd9c5dc5956b7715e8a8911f

  • SSDEEP

    196608:tO3ytpGu2gWR5fMEseOI8LG8Ac+g6sFZstcVw8q1Q6HmVF:tO3j5gWR5fBSI58t+gbZst9

Malware Config

Extracted

Family

xworm

C2

reason-warnings.gl.at.ply.gg:20382

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Roaming\qscan_original.exe
      "C:\Users\Admin\AppData\Roaming\qscan_original.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Users\Admin\AppData\Roaming\built.exe
        "C:\Users\Admin\AppData\Roaming\built.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\system32\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2180
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2724 -s 1756
          4⤵
            PID:1516
        • C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe
          "C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.bat
            4⤵
              PID:740
        • C:\Users\Admin\AppData\Roaming\system user.exe
          "C:\Users\Admin\AppData\Roaming\system user.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1620

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.bat

        Filesize

        180B

        MD5

        90c32a443b766d13a18c2667f1fe4c1c

        SHA1

        cc83881532987be840f5cd8367cc76be22a9df34

        SHA256

        f1f5fcdcdd790ced70395489a454d47937739d5a36c34f0554224b9d98bf3bf2

        SHA512

        1abc2817875627021dd58c5740cc6b451e41552126251e51b7ad8770e3a4615d1e7925d49bb2dcd961fc94af1b32da362027357eba6fe969b0119e8f56f2f5c9

      • C:\Users\Admin\AppData\Roaming\AdminUserCash\COOKIE~1

        Filesize

        20KB

        MD5

        c9ff7748d8fcef4cf84a5501e996a641

        SHA1

        02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

        SHA256

        4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

        SHA512

        d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

      • C:\Users\Admin\AppData\Roaming\AdminUserCash\CREDIT~1

        Filesize

        92KB

        MD5

        5a11d4c52a76804780cbb414b2595bdb

        SHA1

        14c89a2283c41b10ce8f1576404e1541c04a8125

        SHA256

        e1b3260b2607c6a5fcf91575d1de278deceaf4e5f9f0530a3782c6d9567749d8

        SHA512

        0bffe811cbba5278d39e20b66a5c4770e3855d1f5cbd45161e8ad304b78da73f555a3c42a198378efab3dfc81f384fdaefc6cbb893a708c7e2649a89fdd11762

      • C:\Users\Admin\AppData\Roaming\AdminUserCash\LOGIN_~1

        Filesize

        46KB

        MD5

        02d2c46697e3714e49f46b680b9a6b83

        SHA1

        84f98b56d49f01e9b6b76a4e21accf64fd319140

        SHA256

        522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

        SHA512

        60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      • C:\Users\Admin\AppData\Roaming\AdminUserCash\[GB]376319664 - Log\DesktopFiles\DenyRevoke.xlsx

        Filesize

        13KB

        MD5

        db31b25ecc302c4b621e7059e7636a93

        SHA1

        c20b5b2673d65ae3c84e535a7af1e59e355a5193

        SHA256

        a3695259c75a0f62b5412d11d582697f4f8feee8fcfd151ef77c198fd21c05df

        SHA512

        7ef666ac7d49ae5731103ac44e1687bd720d861cc87eb1ac010744f380835e4ba5bdaaab580f1bf89e14e903f77fc3d33ab8c53caef923f43c1b88477eeb89e0

      • C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe

        Filesize

        5.6MB

        MD5

        f239a3a3bf4ae3bdf42659c2c22cb270

        SHA1

        3827636f0703be1a9dfbd3ff9efce30ef0da43c8

        SHA256

        a5fb7d12b140c0adfcefce222d9806233b6dcca69533e84f5f82f7216b097263

        SHA512

        56df258f8eb274ddd128ed98ddd1a80af14f11a2799201b8a34319e7680e169a51b2377922dced4e6ea4a1d2d69b37c807d9ffafd178a0c056c055655d8cd9ae

      • C:\Users\Admin\AppData\Roaming\built.exe

        Filesize

        5.6MB

        MD5

        0edfa1005fee9b98800ab3e447944c87

        SHA1

        5ab856560c8293044f2a2391aae9c4961e2ddd03

        SHA256

        1e1760588cdd811a36243278251a1da277b30e1c8451cfbdcab83a26f34d0611

        SHA512

        033d320728072fb3dd51b08d97871554c68779485f0c8e13c9d887ea0b1d02b29e53e2c06324e92959242e17b16cbd80a822034a78307acc983a49abb3556074

      • C:\Users\Admin\AppData\Roaming\qscan_original.exe

        Filesize

        11.3MB

        MD5

        4bee8c6e2c7a30b0fd7d468532c19447

        SHA1

        d91dcf39c0c8f360411cb0f9fc31c9a5dd2c8f7c

        SHA256

        1c9f16ebad32e5d7e124e0553ce52802040fc70448a04af42a1b934080288c09

        SHA512

        3b7e908bf6162141e5d42951216897b849fe37404d25beacacc3a0c096c7d76738ddf16f55d271ec9eadb00c75b257937f4a02e5bae4a730f3f17cbd44ca72fa

      • C:\Users\Admin\AppData\Roaming\system user.exe

        Filesize

        179KB

        MD5

        6082abd8cccf27a1c8527210c139489f

        SHA1

        f3b5ceb84ebdcb8df4abfdce3cac47293bad0e2f

        SHA256

        ce1d896325cac0ef1f0332d6b513987566ce29a5a6a56275496ba5f38e3d292d

        SHA512

        78cbe63b1280909306e6759328a2e8eeff22c0c925135ee842d55738f4d51bad89ee68a2022cc34da656280621a2aeb112fcd5712bed1349ec38eb646897eb34

      • \Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

        Filesize

        1.7MB

        MD5

        65ccd6ecb99899083d43f7c24eb8f869

        SHA1

        27037a9470cc5ed177c0b6688495f3a51996a023

        SHA256

        aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

        SHA512

        533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

      • memory/1620-12-0x00000000013D0000-0x0000000001402000-memory.dmp

        Filesize

        200KB

      • memory/2256-13-0x0000000000DB0000-0x0000000001902000-memory.dmp

        Filesize

        11.3MB

      • memory/2256-14-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

      • memory/2256-27-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

      • memory/2428-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

        Filesize

        4KB

      • memory/2428-1-0x0000000000860000-0x00000000013FA000-memory.dmp

        Filesize

        11.6MB

      • memory/2724-25-0x00000000003C0000-0x0000000000962000-memory.dmp

        Filesize

        5.6MB

      • memory/2724-82-0x0000000000AA0000-0x0000000000AC5000-memory.dmp

        Filesize

        148KB

      • memory/2832-38-0x0000000000B70000-0x0000000000B95000-memory.dmp

        Filesize

        148KB

      • memory/2832-36-0x000000001C1E0000-0x000000001C292000-memory.dmp

        Filesize

        712KB

      • memory/2832-34-0x000000001BDA0000-0x000000001BE0A000-memory.dmp

        Filesize

        424KB

      • memory/2832-26-0x0000000000BB0000-0x0000000001148000-memory.dmp

        Filesize

        5.6MB