Analysis
- max time kernel: 292s
- max time network: 296s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 05-10-2024 17:51
Static task: static1
Behavioral task: behavioral1
- Sample: Luxury Crypter.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: Luxury Crypter.exe
- Resource: win7-20240903-en
Behavioral task: behavioral3
- Sample: Luxury Crypter.exe
- Resource: win10v2004-20240802-en
General
- Target: Luxury Crypter.exe
- Size: 7.0MB
- MD5: f52edee9472d973f7aedaa58baed96e6
- SHA1: dee4734806f0a47e81627a66b2c75e5ec37b6b1a
- SHA256: 56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
- SHA512: 1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
- SSDEEP: 98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R
Malware Config
Extracted: xworm
- 146.190.110.91:3389
- Install_directory: %AppData%
- install_file: svchost.exe
- telegram: https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Extracted: gurcu
- https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Signatures
Detect Xworm Payload (2 IoCs)
- resource: behavioral4/files/0x000300000002aa7c-18.dat, yara_rule: family_xworm
- resource: behavioral4/memory/1824-26-0x0000000000FF0000-0x0000000001006000-memory.dmp, yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 2276, process powershell.exe
- pid 2864, process powershell.exe
- pid 4104, process powershell.exe
- pid 1156, process powershell.exe
- pid 1016, process powershell.exe
Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process svchost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk (process msedgewebview2.exe)
Executes dropped EXE (5 IoCs)
- pid 5068, process Luxury Crypter.exe
- pid 1824, process svchost.exe
- pid 4836, process msedgewebview2.exe
- pid 408, process msedgewebview2.exe
- pid 380, process msedgewebview2.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
- pid 3112, pid_target 5068, process WerFault.exe, procid_target 79
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Luxury Crypter.exe)
Delays execution with timeout.exe (1 IoCs)
- pid 2540, process timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1140, process schtasks.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- pid 1824, process svchost.exe
- pid 408, process msedgewebview2.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
- pid 1016, process powershell.exe (2 events)
- pid 2276, process powershell.exe (2 events)
- pid 2864, process powershell.exe (2 events)
- pid 4104, process powershell.exe (2 events)
- pid 1824, process svchost.exe
- pid 1156, process powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
- Token: SeDebugPrivilege, pid 1824, process svchost.exe
- Token: SeDebugPrivilege, pid 1016, process powershell.exe
- Token: SeDebugPrivilege, pid 2276, process powershell.exe
- Token: SeDebugPrivilege, pid 2864, process powershell.exe
- Token: SeDebugPrivilege, pid 4104, process powershell.exe
- Token: SeDebugPrivilege, pid 1824, process svchost.exe
- Token: SeDebugPrivilege, pid 4836, process msedgewebview2.exe
- Token: SeDebugPrivilege, pid 1156, process powershell.exe
- Token: SeDebugPrivilege, pid 408, process msedgewebview2.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
- pid 1824, process svchost.exe
Suspicious use of WriteProcessMemory (25 IoCs)
- PID 744 (Luxury Crypter.exe) wrote to memory of 5068, procid_target 79 (3 events)
- PID 744 (Luxury Crypter.exe) wrote to memory of 1824, procid_target 80 (2 events)
- PID 1824 (svchost.exe) wrote to memory of 1016, procid_target 84 (2 events)
- PID 1824 (svchost.exe) wrote to memory of 2276, procid_target 86 (2 events)
- PID 1824 (svchost.exe) wrote to memory of 2864, procid_target 88 (2 events)
- PID 1824 (svchost.exe) wrote to memory of 4104, procid_target 90 (2 events)
- PID 744 (Luxury Crypter.exe) wrote to memory of 4836, procid_target 92 (2 events)
- PID 4836 (msedgewebview2.exe) wrote to memory of 1156, procid_target 94 (2 events)
- PID 4836 (msedgewebview2.exe) wrote to memory of 1140, procid_target 96 (2 events)
- PID 4836 (msedgewebview2.exe) wrote to memory of 408, procid_target 98 (2 events)
- PID 4836 (msedgewebview2.exe) wrote to memory of 2452, procid_target 99 (2 events)
- PID 2452 (cmd.exe) wrote to memory of 2540, procid_target 101 (2 events)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe (PID 744)
  command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe (PID 5068)
    command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (PID 3112)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 792
      signatures: Program crash
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1824)
    command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    signatures: Drops startup file; Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1016)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2276)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2864)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4104)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\msedgewebview2.exe (PID 4836)
    command line: "C:\ProgramData\msedgewebview2.exe"
    signatures: Drops startup file; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1156)
      command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\schtasks.exe (PID 1140)
      command line: "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 17:57 /du 23:59 /sc daily /ri 1 /f
      signatures: Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe (PID 408)
      command line: "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
      signatures: Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2452)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAAC.tmp.cmd""
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe (PID 2540)
        command line: timeout 6
        signatures: Delays execution with timeout.exe
- C:\Windows\SysWOW64\WerFault.exe (PID 4716)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5068 -ip 5068
- C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe (PID 380)
  command line: C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads