Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 11:30

Static task: static1

Behavioral task: behavioral1
  Sample: Output.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Output.exe
  Resource: win10v2004-20240802-en
General

Target: Output.exe
Size: 11.6MB
MD5: d7c99b9559332b8652b2cf85c34f1dea
SHA1: cbd247890c862d964683f8dc81cc3d7747bdfb73
SHA256: 53d398e45aaad1c1cbbb4be5abd2a0d2c039b746792fb63bd8b9b28aebf359ca
SHA512: 184945ec88ebe3e3ec5e3a71b9870b3459a0bb37491a665f356d3cb7286e0e79bed44a19e21cceba0fe0ec07a1d89e2238c70b06bd9c5dc5956b7715e8a8911f
SSDEEP: 196608:tO3ytpGu2gWR5fMEseOI8LG8Ac+g6sFZstcVw8q1Q6HmVF:tO3j5gWR5fBSI58t+gbZst9
Malware Config

Extracted family: xworm
C2: reason-warnings.gl.at.ply.gg:20382
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000015cc9-11.dat | family_xworm
  behavioral1/memory/1620-12-0x00000000013D0000-0x0000000001402000-memory.dmp | family_xworm

MilleniumRat
  MilleniumRat is a remote access trojan written in C#.

Executes dropped EXE (4 IoCs)
  pid | Process
  2256 | qscan_original.exe
  1620 | system user.exe
  2724 | built.exe
  2832 | DotStealerBuild.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2832 | DotStealerBuild.exe
  2724 | built.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\built.exe" | reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow | ioc
  7 | raw.githubusercontent.com
  13 | raw.githubusercontent.com
  6 | raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | DotStealerBuild.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | DotStealerBuild.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | built.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | built.exe

Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  2180 | reg.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2724 | built.exe
  2724 | built.exe
  2724 | built.exe
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2832 | DotStealerBuild.exe
  2724 | built.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1620 | system user.exe
  Token: SeDebugPrivilege | 2832 | DotStealerBuild.exe
  Token: SeDebugPrivilege | 2724 | built.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2724 | built.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2428 wrote to memory of 2256 | 2428 | Output.exe | 30
  PID 2428 wrote to memory of 2256 | 2428 | Output.exe | 30
  PID 2428 wrote to memory of 2256 | 2428 | Output.exe | 30
  PID 2428 wrote to memory of 1620 | 2428 | Output.exe | 31
  PID 2428 wrote to memory of 1620 | 2428 | Output.exe | 31
  PID 2428 wrote to memory of 1620 | 2428 | Output.exe | 31
  PID 2256 wrote to memory of 2724 | 2256 | qscan_original.exe | 32
  PID 2256 wrote to memory of 2724 | 2256 | qscan_original.exe | 32
  PID 2256 wrote to memory of 2724 | 2256 | qscan_original.exe | 32
  PID 2256 wrote to memory of 2832 | 2256 | qscan_original.exe | 33
  PID 2256 wrote to memory of 2832 | 2256 | qscan_original.exe | 33
  PID 2256 wrote to memory of 2832 | 2256 | qscan_original.exe | 33
  PID 2832 wrote to memory of 740 | 2832 | DotStealerBuild.exe | 36
  PID 2832 wrote to memory of 740 | 2832 | DotStealerBuild.exe | 36
  PID 2832 wrote to memory of 740 | 2832 | DotStealerBuild.exe | 36
  PID 2724 wrote to memory of 2512 | 2724 | built.exe | 38
  PID 2724 wrote to memory of 2512 | 2724 | built.exe | 38
  PID 2724 wrote to memory of 2512 | 2724 | built.exe | 38
  PID 2512 wrote to memory of 2180 | 2512 | cmd.exe | 40
  PID 2512 wrote to memory of 2180 | 2512 | cmd.exe | 40
  PID 2512 wrote to memory of 2180 | 2512 | cmd.exe | 40
  PID 2724 wrote to memory of 1516 | 2724 | built.exe | 41
  PID 2724 wrote to memory of 1516 | 2724 | built.exe | 41
  PID 2724 wrote to memory of 1516 | 2724 | built.exe | 41
Processes

Output.exe (PID 2428)
  Path: C:\Users\Admin\AppData\Local\Temp\Output.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  - Suspicious use of WriteProcessMemory

  qscan_original.exe (PID 2256)
    Path: C:\Users\Admin\AppData\Roaming\qscan_original.exe
    Command line: "C:\Users\Admin\AppData\Roaming\qscan_original.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    built.exe (PID 2724)
      Path: C:\Users\Admin\AppData\Roaming\built.exe
      Command line: "C:\Users\Admin\AppData\Roaming\built.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      cmd.exe (PID 2512)
        Path: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f
        - Suspicious use of WriteProcessMemory

        reg.exe (PID 2180)
          Path: C:\Windows\system32\reg.exe
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f
          - Adds Run key to start application
          - Modifies registry key

      WerFault.exe (PID 1516)
        Path: C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 2724 -s 1756

    DotStealerBuild.exe (PID 2832)
      Path: C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe
      Command line: "C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      cmd.exe (PID 740)
        Path: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.bat

  system user.exe (PID 1620)
    Path: C:\Users\Admin\AppData\Roaming\system user.exe
    Command line: "C:\Users\Admin\AppData\Roaming\system user.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 180B
MD5: 90c32a443b766d13a18c2667f1fe4c1c
SHA1: cc83881532987be840f5cd8367cc76be22a9df34
SHA256: f1f5fcdcdd790ced70395489a454d47937739d5a36c34f0554224b9d98bf3bf2
SHA512: 1abc2817875627021dd58c5740cc6b451e41552126251e51b7ad8770e3a4615d1e7925d49bb2dcd961fc94af1b32da362027357eba6fe969b0119e8f56f2f5c9

Filesize: 20KB
MD5: c9ff7748d8fcef4cf84a5501e996a641
SHA1: 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256: 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512: d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Filesize: 92KB
MD5: 5a11d4c52a76804780cbb414b2595bdb
SHA1: 14c89a2283c41b10ce8f1576404e1541c04a8125
SHA256: e1b3260b2607c6a5fcf91575d1de278deceaf4e5f9f0530a3782c6d9567749d8
SHA512: 0bffe811cbba5278d39e20b66a5c4770e3855d1f5cbd45161e8ad304b78da73f555a3c42a198378efab3dfc81f384fdaefc6cbb893a708c7e2649a89fdd11762

Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Filesize: 13KB
MD5: db31b25ecc302c4b621e7059e7636a93
SHA1: c20b5b2673d65ae3c84e535a7af1e59e355a5193
SHA256: a3695259c75a0f62b5412d11d582697f4f8feee8fcfd151ef77c198fd21c05df
SHA512: 7ef666ac7d49ae5731103ac44e1687bd720d861cc87eb1ac010744f380835e4ba5bdaaab580f1bf89e14e903f77fc3d33ab8c53caef923f43c1b88477eeb89e0

Filesize: 5.6MB
MD5: f239a3a3bf4ae3bdf42659c2c22cb270
SHA1: 3827636f0703be1a9dfbd3ff9efce30ef0da43c8
SHA256: a5fb7d12b140c0adfcefce222d9806233b6dcca69533e84f5f82f7216b097263
SHA512: 56df258f8eb274ddd128ed98ddd1a80af14f11a2799201b8a34319e7680e169a51b2377922dced4e6ea4a1d2d69b37c807d9ffafd178a0c056c055655d8cd9ae

Filesize: 5.6MB
MD5: 0edfa1005fee9b98800ab3e447944c87
SHA1: 5ab856560c8293044f2a2391aae9c4961e2ddd03
SHA256: 1e1760588cdd811a36243278251a1da277b30e1c8451cfbdcab83a26f34d0611
SHA512: 033d320728072fb3dd51b08d97871554c68779485f0c8e13c9d887ea0b1d02b29e53e2c06324e92959242e17b16cbd80a822034a78307acc983a49abb3556074

Filesize: 11.3MB
MD5: 4bee8c6e2c7a30b0fd7d468532c19447
SHA1: d91dcf39c0c8f360411cb0f9fc31c9a5dd2c8f7c
SHA256: 1c9f16ebad32e5d7e124e0553ce52802040fc70448a04af42a1b934080288c09
SHA512: 3b7e908bf6162141e5d42951216897b849fe37404d25beacacc3a0c096c7d76738ddf16f55d271ec9eadb00c75b257937f4a02e5bae4a730f3f17cbd44ca72fa

Filesize: 179KB
MD5: 6082abd8cccf27a1c8527210c139489f
SHA1: f3b5ceb84ebdcb8df4abfdce3cac47293bad0e2f
SHA256: ce1d896325cac0ef1f0332d6b513987566ce29a5a6a56275496ba5f38e3d292d
SHA512: 78cbe63b1280909306e6759328a2e8eeff22c0c925135ee842d55738f4d51bad89ee68a2022cc34da656280621a2aeb112fcd5712bed1349ec38eb646897eb34

Filesize: 1.7MB
MD5: 65ccd6ecb99899083d43f7c24eb8f869
SHA1: 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256: aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512: 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d