Analysis
-
max time kernel
121s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe
Resource
win10v2004-20241007-en
General
-
Target
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe
-
Size
1.3MB
-
MD5
1b99f0bf9216a89b8320e63cbd18a292
-
SHA1
6a199cb43cb4f808183918ddb6eadc760f7cb680
-
SHA256
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
-
SHA512
02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382
-
SSDEEP
24576:J64p16BppRskYGC/cJUE7P6nxhpBaTn+CC6YtGz:JzpEBrRb4MonrpATDcUz
Malware Config
Extracted
xworm
5.0
104.219.239.11:6969
QMHDjhLW52nOcp4a
-
Install_directory
%AppData%
-
install_file
OneDrive.exe
-
telegram
https://api.telegram.org/bot5372344229:AAEM46DF5hWBLPbN5UErJaoJvlNvm-ZJXyg
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/3052-1104-0x000000001C200000-0x000000001C20E000-memory.dmp disable_win_def -
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral1/memory/3052-1095-0x000000001B750000-0x000000001B77C000-memory.dmp family_xworm behavioral1/files/0x000a000000016ce0-1100.dat family_xworm behavioral1/memory/1240-1102-0x0000000000C00000-0x0000000000C2A000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/3052-1103-0x000000001C2B0000-0x000000001C3D0000-memory.dmp family_stormkitty -
Executes dropped EXE 1 IoCs
pid Process 1240 wlawue.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe" 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4872 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe Token: SeDebugPrivilege 4872 powershell.exe Token: SeDebugPrivilege 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe Token: SeDebugPrivilege 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe Token: SeDebugPrivilege 1240 wlawue.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3052 wrote to memory of 4872 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe 30 PID 3052 wrote to memory of 4872 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe 30 PID 3052 wrote to memory of 4872 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe 30 PID 3052 wrote to memory of 1240 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe 33 PID 3052 wrote to memory of 1240 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe 33 PID 3052 wrote to memory of 1240 3052 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe"C:\Users\Admin\AppData\Local\Temp\5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANQAyADcANQBlADMAZABiADYAMgA3ADYAZQA1AGYAMABiADgANQBlAGYAZgAwAGMANwBiADAAMgA4ADIAZgA1ADYAMgA2ADgANgA0ADYANwA2ADYAYgAxADUANgA2AGIAYQA4AGYANwA5ADcAZQA2AGIAYQAyAGEAOQAzADUANwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAA1ADIANwA1AGUAMwBkAGIANgAyADcANgBlADUAZgAwAGIAOAA1AGUAZgBmADAAYwA3AGIAMAAyADgAMgBmADUANgAyADYAOAA2ADQANgA3ADYANgBiADEANQA2ADYAYgBhADgAZgA3ADkANwBlADYAYgBhADIAYQA5ADMANQA3AC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAZABvAGMAdQBtAGUAbgB0AHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUA2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872
-
-
C:\Users\Admin\AppData\Local\Temp\wlawue.exe"C:\Users\Admin\AppData\Local\Temp\wlawue.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146KB
MD534fb99630bab94b3cbf92c1c6dec493f
SHA1d6cc3d729e7971f7144f902d482f723ddd77cad8
SHA256f2e2e2e4b066e98a05012853f4fabf37e04b9c5dc18d8341cc98b145f9a7f12a
SHA51262bfc6a7fb0d895907da815859e7d118b16de33111210443a745b0cb9d11db82bd0531efef8503266c1269a037153794ea52bc2ce70a127389fce0e5ac4d9fcf