Analysis

  • max time kernel
    292s
  • max time network
    296s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05-10-2024 17:51

General

  • Target

    Luxury Crypter‌.exe

  • Size

    7.0MB

  • MD5

    f52edee9472d973f7aedaa58baed96e6

  • SHA1

    dee4734806f0a47e81627a66b2c75e5ec37b6b1a

  • SHA256

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

  • SHA512

    1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b

  • SSDEEP

    98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (25 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter‌.exe
    "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter‌.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 792
        3⤵
        • Program crash
        PID:3112
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 17:57 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1140
      • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:408
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAAC.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:2540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5068 -ip 5068
    1⤵
    PID:4716
  • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
    C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
    1⤵
    • Executes dropped EXE
    PID:380

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedgewebview2.exe.log

      Filesize

      660B

      MD5

      284393596fdd49bebd7b861bf339b82d

      SHA1

      a36767dfc423b3c7fd3ff439b616862743a053c8

      SHA256

      0e692bcbba51ca4e766a427c9f28a7a4a9e326d2cf835493e57a9dc2121326b5

      SHA512

      8d3247ee0c3bf9a9fceea23eb5c646dbd8b3d954f4d62622f49070629e642d6a13bfb0d27949e2355c081d45f5a1101f05a9972782a0f0a478ed90f551d2efeb

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      bc40d8c37ce7816261293b9ed574b270

      SHA1

      9f9fd009081257a6050e7593873241db1def78ed

      SHA256

      0b60de9fe9eaa95a17fc18f9951888dbd101b0b43df2050acb4c0c2ca49c36ec

      SHA512

      e8669c1f32a660c63c46a4322c11072059cd9203ae8c1eb13925b0f126d83eb53a789e966ce4af19e0e79e77eafeb62a0bb90a6ea1fbb453dfc322638621f2ed

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      1a9fa92a4f2e2ec9e244d43a6a4f8fb9

      SHA1

      9910190edfaccece1dfcc1d92e357772f5dae8f7

      SHA256

      0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

      SHA512

      5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      050567a067ffea4eb40fe2eefebdc1ee

      SHA1

      6e1fb2c7a7976e0724c532449e97722787a00fec

      SHA256

      3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

      SHA512

      341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      df808b11175970c23f00e611a7b6d2cc

      SHA1

      0243f099e483fcafb6838c0055982e65634b6db6

      SHA256

      2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

      SHA512

      c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe

      Filesize

      8.8MB

      MD5

      9c55d8c0b720f652e4ad3753e9939b99

      SHA1

      ee69da72e65d44638f352791b2114887e2110384

      SHA256

      44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77

      SHA512

      ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fja2cgpu.rqm.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpFAAC.tmp.cmd

      Filesize

      147B

      MD5

      5a5db229387f96a316387cd8ad97fc8e

      SHA1

      5f45d518150b2b930e9bdb57d185d9fd59a22df3

      SHA256

      31dcea62265af5f83dd0ae1628057c01d49c22780391f2b29180adac0b663a30

      SHA512

      635e33d440da8b7559ec79d26b7ead7488962a60d0fc4db751c482b9b753b1050731d7a9d171ca62e7029d6dc7f7010be44099f35c358e71f5527b3994e36572

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      67KB

      MD5

      39f4793e3bd69fde3059e02b84875bef

      SHA1

      4ae174ff10e05e7946c6220b2ef7565830596b3c

      SHA256

      eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102

      SHA512

      4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50

    • memory/744-84-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

      Filesize

      10.8MB

    • memory/744-0-0x00007FFE30A53000-0x00007FFE30A55000-memory.dmp

      Filesize

      8KB

    • memory/744-91-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

      Filesize

      10.8MB

    • memory/744-2-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

      Filesize

      10.8MB

    • memory/744-63-0x00007FFE30A53000-0x00007FFE30A55000-memory.dmp

      Filesize

      8KB

    • memory/744-1-0x0000000000FF0000-0x00000000016F8000-memory.dmp

      Filesize

      7.0MB

    • memory/1016-36-0x0000027C78320000-0x0000027C78342000-memory.dmp

      Filesize

      136KB

    • memory/1824-85-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

      Filesize

      10.8MB

    • memory/1824-28-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

      Filesize

      10.8MB

    • memory/1824-119-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

      Filesize

      48KB

    • memory/1824-26-0x0000000000FF0000-0x0000000001006000-memory.dmp

      Filesize

      88KB

    • memory/4836-90-0x000001E1DB540000-0x000001E1DB582000-memory.dmp

      Filesize

      264KB

    • memory/5068-30-0x0000000000830000-0x000000000110A000-memory.dmp

      Filesize

      8.9MB

    • memory/5068-29-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

      Filesize

      4KB