Analysis
-
max time kernel
293s -
max time network
292s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
05-10-2024 17:51
Static task
static1
Behavioral task
behavioral1
Sample
Luxury Crypter.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Luxury Crypter.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Luxury Crypter.exe
Resource
win10v2004-20240802-en
General
-
Target
Luxury Crypter.exe
-
Size
7.0MB
-
MD5
f52edee9472d973f7aedaa58baed96e6
-
SHA1
dee4734806f0a47e81627a66b2c75e5ec37b6b1a
-
SHA256
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
-
SHA512
1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
-
SSDEEP
98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R
Malware Config
Extracted
xworm
146.190.110.91:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x000800000001ac40-13.dat family_xworm behavioral1/memory/1316-15-0x0000000000A30000-0x0000000000A46000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2364 powershell.exe 4988 powershell.exe 4876 powershell.exe 760 powershell.exe 1476 powershell.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk msedgewebview2.exe -
Executes dropped EXE 5 IoCs
pid Process 212 Luxury Crypter.exe 1316 svchost.exe 984 msedgewebview2.exe 828 msedgewebview2.exe 4236 msedgewebview2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3316 212 WerFault.exe 73 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Luxury Crypter.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 872 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3328 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1316 svchost.exe 828 msedgewebview2.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2364 powershell.exe 2364 powershell.exe 2364 powershell.exe 4988 powershell.exe 4988 powershell.exe 4988 powershell.exe 4876 powershell.exe 4876 powershell.exe 4876 powershell.exe 760 powershell.exe 760 powershell.exe 760 powershell.exe 1316 svchost.exe 1476 powershell.exe 1476 powershell.exe 1476 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1316 svchost.exe Token: SeDebugPrivilege 2364 powershell.exe Token: SeIncreaseQuotaPrivilege 2364 powershell.exe Token: SeSecurityPrivilege 2364 powershell.exe Token: SeTakeOwnershipPrivilege 2364 powershell.exe Token: SeLoadDriverPrivilege 2364 powershell.exe Token: SeSystemProfilePrivilege 2364 powershell.exe Token: SeSystemtimePrivilege 2364 powershell.exe Token: SeProfSingleProcessPrivilege 2364 powershell.exe Token: SeIncBasePriorityPrivilege 2364 powershell.exe Token: SeCreatePagefilePrivilege 2364 powershell.exe Token: SeBackupPrivilege 2364 powershell.exe Token: SeRestorePrivilege 2364 powershell.exe Token: SeShutdownPrivilege 2364 powershell.exe Token: SeDebugPrivilege 2364 powershell.exe Token: SeSystemEnvironmentPrivilege 2364 powershell.exe Token: SeRemoteShutdownPrivilege 2364 powershell.exe Token: SeUndockPrivilege 2364 powershell.exe Token: SeManageVolumePrivilege 2364 powershell.exe Token: 33 2364 powershell.exe Token: 34 2364 powershell.exe Token: 35 2364 powershell.exe Token: 36 2364 powershell.exe Token: SeDebugPrivilege 4988 powershell.exe Token: SeIncreaseQuotaPrivilege 4988 powershell.exe Token: SeSecurityPrivilege 4988 powershell.exe Token: SeTakeOwnershipPrivilege 4988 powershell.exe Token: SeLoadDriverPrivilege 4988 powershell.exe Token: SeSystemProfilePrivilege 4988 powershell.exe Token: SeSystemtimePrivilege 4988 powershell.exe Token: SeProfSingleProcessPrivilege 4988 powershell.exe Token: SeIncBasePriorityPrivilege 4988 powershell.exe Token: SeCreatePagefilePrivilege 4988 powershell.exe Token: SeBackupPrivilege 4988 powershell.exe Token: SeRestorePrivilege 4988 powershell.exe Token: SeShutdownPrivilege 4988 powershell.exe Token: SeDebugPrivilege 4988 powershell.exe Token: SeSystemEnvironmentPrivilege 4988 powershell.exe Token: SeRemoteShutdownPrivilege 4988 powershell.exe Token: SeUndockPrivilege 4988 powershell.exe Token: SeManageVolumePrivilege 4988 powershell.exe Token: 33 4988 powershell.exe Token: 34 4988 powershell.exe Token: 35 4988 powershell.exe Token: 36 4988 powershell.exe Token: SeDebugPrivilege 4876 powershell.exe Token: SeIncreaseQuotaPrivilege 4876 powershell.exe Token: SeSecurityPrivilege 4876 powershell.exe Token: SeTakeOwnershipPrivilege 4876 powershell.exe Token: SeLoadDriverPrivilege 4876 powershell.exe Token: SeSystemProfilePrivilege 4876 powershell.exe Token: SeSystemtimePrivilege 4876 powershell.exe Token: SeProfSingleProcessPrivilege 4876 powershell.exe Token: SeIncBasePriorityPrivilege 4876 powershell.exe Token: SeCreatePagefilePrivilege 4876 powershell.exe Token: SeBackupPrivilege 4876 powershell.exe Token: SeRestorePrivilege 4876 powershell.exe Token: SeShutdownPrivilege 4876 powershell.exe Token: SeDebugPrivilege 4876 powershell.exe Token: SeSystemEnvironmentPrivilege 4876 powershell.exe Token: SeRemoteShutdownPrivilege 4876 powershell.exe Token: SeUndockPrivilege 4876 powershell.exe Token: SeManageVolumePrivilege 4876 powershell.exe Token: 33 4876 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1316 svchost.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4024 wrote to memory of 212 4024 Luxury Crypter.exe 73 PID 4024 wrote to memory of 212 4024 Luxury Crypter.exe 73 PID 4024 wrote to memory of 212 4024 Luxury Crypter.exe 73 PID 4024 wrote to memory of 1316 4024 Luxury Crypter.exe 74 PID 4024 wrote to memory of 1316 4024 Luxury Crypter.exe 74 PID 1316 wrote to memory of 2364 1316 svchost.exe 77 PID 1316 wrote to memory of 2364 1316 svchost.exe 77 PID 1316 wrote to memory of 4988 1316 svchost.exe 80 PID 1316 wrote to memory of 4988 1316 svchost.exe 80 PID 1316 wrote to memory of 4876 1316 svchost.exe 82 PID 1316 wrote to memory of 4876 1316 svchost.exe 82 PID 1316 wrote to memory of 760 1316 svchost.exe 84 PID 1316 wrote to memory of 760 1316 svchost.exe 84 PID 4024 wrote to memory of 984 4024 Luxury Crypter.exe 86 PID 4024 wrote to memory of 984 4024 Luxury Crypter.exe 86 PID 984 wrote to memory of 3328 984 msedgewebview2.exe 89 PID 984 wrote to memory of 3328 984 msedgewebview2.exe 89 PID 984 wrote to memory of 1476 984 msedgewebview2.exe 90 PID 984 wrote to memory of 1476 984 msedgewebview2.exe 90 PID 984 wrote to memory of 828 984 msedgewebview2.exe 94 PID 984 wrote to memory of 828 984 msedgewebview2.exe 94 PID 984 wrote to memory of 4416 984 msedgewebview2.exe 95 PID 984 wrote to memory of 4416 984 msedgewebview2.exe 95 PID 4416 wrote to memory of 872 4416 cmd.exe 97 PID 4416 wrote to memory of 872 4416 cmd.exe 97 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:212 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 7003⤵
- Program crash
PID:3316
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:760
-
-
-
C:\ProgramData\msedgewebview2.exe"C:\ProgramData\msedgewebview2.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 17:57 /du 23:59 /sc daily /ri 1 /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:3328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1476
-
-
C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp.cmd""3⤵
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\system32\timeout.exetimeout 64⤵
- Delays execution with timeout.exe
PID:872
-
-
-
-
C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exeC:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe1⤵
- Executes dropped EXE
PID:4236
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
660B
MD56f8201778bb230fb0ac7c8b78a134a12
SHA106570db78997747dd80e558a483d29af167f43c5
SHA256984fcdb20fcd38e921511def1e720e36c7a20887010f4f5035b0a6b24c75148f
SHA51286ebbb74d94c382073f4481bb3a4c0747b801753adba15ee36c97dc8b09827e7a29b46209b559c1ab4fa836fbbe6a90b0339e97ed9d5d4856179604e380f2254
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD57239d990aa52025e40fd42acfe5214c4
SHA14fb62afab54b95c0d06e836ae4dbaecddfc60fd3
SHA25699c45caac633ae4eebdb1243f729ce6a54a9f0229913830b8c500c120916cdad
SHA512c53e0eff839d3bb12d5692805c148d50d642083d38f5ef0c273f04e2c6c41a4656b980bdae9dad7d438021dd76dcb4c1118e11f1486c9b4ba4313a774ba6fc26
-
Filesize
1KB
MD511b6511c0ca29fcfff13f0bc4a57ef6d
SHA100e221c11d27fbfcd0c32a628cb69eeebe927116
SHA25604571f4823c89ad36b1ad416e9d98222f603fa37eebbbd4914edf9248b8e102d
SHA5125cdad62e62452abac4f8a19dbc816a7db37afcc0a47ed1e40813fc6a5600f431789cc040f1990d4e9d391945e3cc5011b152b875a863b3e46db1c7b61dcfe312
-
Filesize
1KB
MD5fad4e55913a3f37bbc17e86f9cc8be25
SHA196e81d722a7b47690f686c2b39ac4fa0a69801ac
SHA2564b4ffc92138dcf42a4dec4d6e707f19e5c53b55de93a1aa75097ab72048352a1
SHA512b2c9e040178f1a0f638ec01a089863bfc79c9a3492f20ff372ffb8ad88f29e98128ddb553b3025a8877514aa852ea3153066b55fad7225370b527cfa76b44f14
-
Filesize
1KB
MD5d9b6645e99293eb9127d883997861652
SHA10c01f8cf9a9e4ab8f175cf64a4c5a175d5ffa318
SHA256b2e042e19659de6cbb334f3f37317e4cb2fa0fce1d8d501c4a4490f1775c0a5b
SHA51246c0304708d27cfaa88cc37d54cde7176a2ececb0e9f3425d436a1dbb58caef30c512a36f4a305a01deafa9a0d82bd625a59ae7cc4a09afe7e00e6aecef4c8f7
-
Filesize
8.8MB
MD59c55d8c0b720f652e4ad3753e9939b99
SHA1ee69da72e65d44638f352791b2114887e2110384
SHA25644a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77
SHA512ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
147B
MD5e836bc45d98cc54431172ca3ca9bc586
SHA1c653ea82e187bcdfe551f68a08e1d6f63f786473
SHA256bec3cd71626cd3b66a74d3b8eebf33695f3aeb51524acaaddb3c39ae513ed20f
SHA512e39c1af633b2c991d87cd170bcabf57b1e2fbb94ef74559102815f0afa1a736696a7bb062a6a5d6bc07b120b74ce518663abc036325ab9ca3f292920a7dc9726
-
Filesize
67KB
MD539f4793e3bd69fde3059e02b84875bef
SHA14ae174ff10e05e7946c6220b2ef7565830596b3c
SHA256eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102
SHA5124642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50