Analysis
max time kernel: 30s
max time network: 6s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 29/10/2024, 22:03
Static task: static1
General
Target: 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe
Size: 88KB
MD5: d5193774c90ba82c65541beadd6c313e
SHA1: 3925fc50ab0c8ce843e08941cb3f418a7eae379b
SHA256: c3673d01d7ccd2a3c7735b8b00b050f731e73af3feb6e5b14bf3689bf89b884c
SHA512: f4a4e24cc173458222a742d00bf461623ab0fba5309d3d275ba93a6840a267c8d460479767f1e637e53a6933d734ce76b7e9f579b7ff3711e582eb4caf8bca54
SSDEEP: 1536:Pm1GBOZ7//G3CFdS313hZsB77buO4MHXpZqVhrcLEuwTnq:PmMq7bFdSF3mXimyV5mEjnq
Malware Config
Extracted
Family: xworm
C2: 185.84.161.64:7000
Install_directory: %ProgramData%
install_file: svchost.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource: behavioral1/files/0x00290000000450b6-12.dat (yara_rule: family_xworm)
resource: behavioral1/memory/4876-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp (yara_rule: family_xworm)

Xworm family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation
Process: 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe

Executes dropped EXE (1 IoCs)
pid: 4876, Process: svchost.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 7, ioc: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege, pid: 4876, Process: svchost.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target
PID 3020 wrote to memory of 2492 / 3020 / 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe / 80
PID 3020 wrote to memory of 2492 / 3020 / 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe / 80
PID 3020 wrote to memory of 4876 / 3020 / 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe / 82
PID 3020 wrote to memory of 4876 / 3020 / 3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe / 82
PID 2492 wrote to memory of 2388 / 2492 / cmd.exe / 83
PID 2492 wrote to memory of 2388 / 2492 / cmd.exe / 83
PID 2492 wrote to memory of 3228 / 2492 / cmd.exe / 85
PID 2492 wrote to memory of 3228 / 2492 / cmd.exe / 85
PID 2492 wrote to memory of 3700 / 2492 / cmd.exe / 86
PID 2492 wrote to memory of 3700 / 2492 / cmd.exe / 86
PID 2492 wrote to memory of 4308 / 2492 / cmd.exe / 91
PID 2492 wrote to memory of 4308 / 2492 / cmd.exe / 91
PID 2492 wrote to memory of 4652 / 2492 / cmd.exe / 92
PID 2492 wrote to memory of 4652 / 2492 / cmd.exe / 92
Processes

C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe"
  level 1, PID: 3020
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat" "
    level 2, PID: 2492
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
      level 3, PID: 2388

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      level 3, PID: 3228

    C:\Windows\system32\mode.com
      command line: mode 103,5
      level 3, PID: 3700

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      level 3, PID: 4308

    C:\Windows\system32\mode.com
      command line: mode 120,17
      level 3, PID: 4652

  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    level 2, PID: 4876
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5KB
MD5: 1a29286ae9d746284b195a34811f5e89
SHA1: 2418da95e35c84e8b922cd6c525463bab7e43a06
SHA256: 061d3b55f7cfd4bd35e48768fb993a1444d5ed4990cda5ef813220715325f630
SHA512: 370288124edecdfb611d65b93f2ed9c0205299653a0819d351b226a595c4a4fda636c50444d3bac2c43c4678119cf53b7c9e5d1bc69f16452be16eb720b90c07

Filesize: 70KB
MD5: ae702d156a2ee10aa0df4e5a365654a1
SHA1: bad92787d53da53bda2f180f770752e679ba80c0
SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c