Analysis

  • max time kernel
    599s
  • max time network
    602s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 15:41

General

  • Target

    Luxury Crypter 18.0.0/Luxury Crypter‌.exe

  • Size

    2.9MB

  • MD5

    ffaf52e43618a09017ba3b764c5e205f

  • SHA1

    f2d6751870948308817dceda259111101eb2e3b2

  • SHA256

    4efb2b692fd63845dc443f589f83d410905c7cf4a1013444d083120506a26076

  • SHA512

    3d462f333c3c68b5fbad691949c57aeedba2fa3d7a1acc1e40f4e18a83d9db34e5e86e10a7d2fa1a991a053e2a5281b459f69c9228a534beb0d6b0f13443cd59

  • SSDEEP

    49152:jOnLUriuqNoO3vKbITB5CtHHBzNYkd/xP9wUU4F8TEK7wzSrsjqz:in5TuiBwBCkd/NSUUB4K0uYjY

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter‌.exe
    "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter‌.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:100
    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\ILMerge.exe
        "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\ILMerge.exe"
        3⤵
          PID:4172
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\\Unavailable\Installer.vbs"
          3⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          PID:4444
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4056
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4900
      • C:\ProgramData\msedgewebview2.exe
        "C:\ProgramData\msedgewebview2.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 09:54 /du 23:59 /sc daily /ri 1 /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4432
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3184
        • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
          "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          PID:772
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp29BB.tmp.cmd""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4700
          • C:\Windows\system32\timeout.exe
            timeout 6
            4⤵
            • Delays execution with timeout.exe
            PID:3604
    • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      1⤵
      • Executes dropped EXE
      PID:2208
    • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      1⤵
      • Executes dropped EXE
      PID:4884
    • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      1⤵
      • Executes dropped EXE
      PID:2632
    • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      1⤵
      • Executes dropped EXE
      PID:3496
    • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      1⤵
      • Executes dropped EXE
      PID:3848
    • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
      1⤵
      • Executes dropped EXE
      PID:3012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedgewebview2.exe.log

      Filesize

      660B

      MD5

      1c5e1d0ff3381486370760b0f2eb656b

      SHA1

      f9df6be8804ef611063f1ff277e323b1215372de

      SHA256

      f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

      SHA512

      78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      a83ce2908066654f712d1858746bc3c4

      SHA1

      14887f0537ce076cdc91801fb5fa584b25f1089f

      SHA256

      7c32ae0eaa4fef7404ce708744116ab8ea17d9575bbb3b06eb41a443f963456f

      SHA512

      991b20116815c7db3497d0ede9a216c7b78795e65f898847ffec513692f0c24d146a123725d14a2e1e3efb5744a626dd025a364f2f55f581e21640794a0cc551

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      15dde0683cd1ca19785d7262f554ba93

      SHA1

      d039c577e438546d10ac64837b05da480d06bf69

      SHA256

      d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

      SHA512

      57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      ef72c47dbfaae0b9b0d09f22ad4afe20

      SHA1

      5357f66ba69b89440b99d4273b74221670129338

      SHA256

      692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

      SHA512

      7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe

      Filesize

      2.6MB

      MD5

      a4a60f3b5d721833f9ffa0b957d71900

      SHA1

      2705f17e8ed9793daa2970af167ba24c41610fe3

      SHA256

      f9488fbe7c1f411f07396de7cb57f76bca81ab354ca680c51a616ce1ceff1726

      SHA512

      f168d29a9aa8ce3a2f6d2b8fb2c1f12c280fc20e807bdb96ab24d7bb0f2d5cc132f9a67d961ed1476c16372fc67a6272b6a12f2065984fb2feb4b3eb1b0a0d03

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcwwlyrs.0wm.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmp29BB.tmp.cmd

      Filesize

      147B

      MD5

      189107a02aa3e83809db89e18ae17f00

      SHA1

      f558e6f64a9a34655f655074e78844d3ae818285

      SHA256

      d3073e3397802fbaee0f21b753a9923b23b2ab19407ccfcfb18d45c59d5a3438

      SHA512

      56d416208a51b64a22fd4c6a868f79e4e02a01a5d6a27f6eda85ab60ffc814818d84031babddd20d6f3bd596f1d11f16e5ae5de4b9da45abdf9d6def0944dedb

    • C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\Mulish.ttf

      Filesize

      103KB

      MD5

      987e18dffd501e760afdbea36a4dbeed

      SHA1

      17352fd4b1929910ad99ec6b9d1e04cb40662147

      SHA256

      0d12a5128d541738d925cc8dda9630be3fd808ab8c04f19a8b83bcdebf64498a

      SHA512

      30ee46154728f6587a2cb89bacd3808209a635e745f4ffd7b909d44129a66894fa370d246228c9782e61569a175fb31ae381995334b75f23570cbbd95c03781d

    • C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\Unavailable\Installer.vbs

      Filesize

      15KB

      MD5

      f3040d44a71f07e4117dbf0755391d90

      SHA1

      099fb8bbb44b1d83b9c0e942d3530870c32ffc47

      SHA256

      590538e3897a340f3e9549155f93152afaf378d2cbee8027d3fb23bf5265a475

      SHA512

      20385d05d2701a101069f760a1ca09cd8fc332daf4000c0d4e9e35d0d5d647c0cc7197e6a52ec796644f5fd5d9f3e07d2d54ea311633ce0c7ea44cb9f0df877a

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      65KB

      MD5

      36dde308d5e09405a94dad6844ca0c44

      SHA1

      c585d502f48206f767f97ac7f7acd4112c314ccc

      SHA256

      c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b

      SHA512

      5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923

    • memory/100-327-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

      Filesize

      10.8MB

    • memory/100-67-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

      Filesize

      8KB

    • memory/100-1-0x0000000000A00000-0x0000000000CEE000-memory.dmp

      Filesize

      2.9MB

    • memory/100-4-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

      Filesize

      10.8MB

    • memory/100-335-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

      Filesize

      10.8MB

    • memory/100-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

      Filesize

      8KB

    • memory/984-50-0x00000199F2F50000-0x00000199F2F72000-memory.dmp

      Filesize

      136KB

    • memory/1472-334-0x000001D8CF6B0000-0x000001D8CF6F2000-memory.dmp

      Filesize

      264KB

    • memory/3420-29-0x0000000000390000-0x00000000003A6000-memory.dmp

      Filesize

      88KB

    • memory/3420-328-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

      Filesize

      10.8MB

    • memory/3420-30-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

      Filesize

      10.8MB

    • memory/3880-35-0x0000000005D50000-0x0000000005DEC000-memory.dmp

      Filesize

      624KB

    • memory/3880-330-0x000000007533E000-0x000000007533F000-memory.dmp

      Filesize

      4KB

    • memory/3880-97-0x00000000098F0000-0x00000000098FA000-memory.dmp

      Filesize

      40KB

    • memory/3880-32-0x0000000000DC0000-0x0000000001068000-memory.dmp

      Filesize

      2.7MB

    • memory/3880-99-0x000000000B8D0000-0x000000000B8F6000-memory.dmp

      Filesize

      152KB

    • memory/3880-31-0x000000007533E000-0x000000007533F000-memory.dmp

      Filesize

      4KB

    • memory/3880-65-0x0000000006CF0000-0x0000000006D46000-memory.dmp

      Filesize

      344KB

    • memory/3880-64-0x0000000006720000-0x000000000672A000-memory.dmp

      Filesize

      40KB

    • memory/3880-34-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

    • memory/3880-33-0x0000000005980000-0x0000000005ADC000-memory.dmp

      Filesize

      1.4MB

    • memory/3880-37-0x0000000005E90000-0x0000000005F22000-memory.dmp

      Filesize

      584KB

    • memory/3880-36-0x0000000007660000-0x0000000007C04000-memory.dmp

      Filesize

      5.6MB

    • memory/3880-336-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

    • memory/3880-40-0x00000000061A0000-0x0000000006332000-memory.dmp

      Filesize

      1.6MB

    • memory/3880-368-0x000000000E7E0000-0x000000000E966000-memory.dmp

      Filesize

      1.5MB

    • memory/3880-39-0x0000000007560000-0x00000000075C2000-memory.dmp

      Filesize

      392KB

    • memory/3880-38-0x00000000072D0000-0x00000000074E4000-memory.dmp

      Filesize

      2.1MB