Analysis
max time kernel: 30s
max time network: 30s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 29/10/2024, 22:03
Static task: static1
General
Target: Dekbangtlez.exe
Size: 675KB
MD5: ed8c4275d9e7eb916315fec83f38375f
SHA1: ee3943deb752b8f85124f5d4885a1914ac6e7d61
SHA256: 0dc0610dbac4926a7d3ab442dba98ed1efdea06c7b53b690d1cd2a85e77af3fd
SHA512: c2fdec5c745d8dd71cd586227909c2c6c917fca9e6ffc98bb9d7d82fb6206c545f3dc6cac7f266b074a3e06c7fae447e9516ecc66dc24122d3efa01e428b99d7
SSDEEP: 12288:RtQ/bSl7hk4oSEBOZh0XLiWH/2stVM/Ta5CCoyychTyS8VZmsCj3HvzBLk:xl7h1oScQh0XZH/2Ii2oyFhTyzmsCjXa
Malware Config
Extracted
Family: xworm
  185.84.161.64:7000
  45.141.26.194:7000
Install_directory: %ProgramData%
install_file: svchost.exe
Signatures

Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x0029000000045031-18.dat | family_xworm
  behavioral1/memory/3960-32-0x0000000000970000-0x0000000000988000-memory.dmp | family_xworm
  behavioral1/files/0x0028000000045034-47.dat | family_xworm
  behavioral1/memory/4424-61-0x0000000000F50000-0x0000000000F6A000-memory.dmp | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | Dekbangtlez.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | Dekbangtlez.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  1428 | Dekbangtlez.exe
  3960 | svchost.exe
  2848 | Dekbangtlez.exe
  4424 | Update.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2848 | Dekbangtlez.exe
  2848 | Dekbangtlez.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3960 | svchost.exe
  Token: SeDebugPrivilege | 4424 | Update.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1572 wrote to memory of 1428 | 1572 | Dekbangtlez.exe | 82
  PID 1572 wrote to memory of 1428 | 1572 | Dekbangtlez.exe | 82
  PID 1572 wrote to memory of 3960 | 1572 | Dekbangtlez.exe | 83
  PID 1572 wrote to memory of 3960 | 1572 | Dekbangtlez.exe | 83
  PID 1428 wrote to memory of 2848 | 1428 | Dekbangtlez.exe | 84
  PID 1428 wrote to memory of 2848 | 1428 | Dekbangtlez.exe | 84
  PID 1428 wrote to memory of 4424 | 1428 | Dekbangtlez.exe | 86
  PID 1428 wrote to memory of 4424 | 1428 | Dekbangtlez.exe | 86
  PID 2848 wrote to memory of 2000 | 2848 | Dekbangtlez.exe | 87
  PID 2848 wrote to memory of 2000 | 2848 | Dekbangtlez.exe | 87
  PID 2000 wrote to memory of 4088 | 2000 | cmd.exe | 88
  PID 2000 wrote to memory of 4088 | 2000 | cmd.exe | 88
Processes
(process tree; indentation shows parent/child relationship, command line is quoted under each image path)

C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe
  "C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe"
  PID: 1572
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe
    "C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe"
    PID: 1428
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\Dekbangtlez.exe
      "C:\ProgramData\Dekbangtlez.exe"
      PID: 2848
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mode 70,10
        PID: 2000
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\mode.com
          mode 70,10
          PID: 4088

    C:\ProgramData\Update.exe
      "C:\ProgramData\Update.exe"
      PID: 4424
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 3960
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 498KB
MD5: 84416279a7351a91459d74dcea00fc7c
SHA1: 5b9930ef311221e61a3ac7070ea423474e588f76
SHA256: c7b8225f79a9aee29c753d4442a1884711a73aa90956f055278f9fac083d1392
SHA512: 1d712f30db5c75067bf50acf1015fbae0577e7c0b9242a6bff23e2c13648eca52d58e82f5a08d69cc8f80c72b4bcc6e8a6acd7797d725fa2349dca70871460e5

Filesize: 80KB
MD5: da9a4e81a524746aaba1013d22b8fda1
SHA1: 6069cf40c5989d407afceb1ad85b511278ac309e
SHA256: 0f927c26e97088f77bcec0ce7c273d3b6674b0c3b31cd802f2a1999235f6a038
SHA512: 34d05ead4af3468d5411b99c2027945cc37eb7633add16f169cdb0963dd533aee355ab0396dfea468abcbf557180f1d2c88f34a831aded1251be3b1a8206386c

Filesize: 654B
MD5: 11c6e74f0561678d2cf7fc075a6cc00c
SHA1: 535ee79ba978554abcb98c566235805e7ea18490
SHA256: d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA512: 32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Filesize: 590KB
MD5: c1ad42cb1379c36cd605cbd758bc5001
SHA1: 1a471c3089ca4acc7bbef2423717ae8e89e8906c
SHA256: 6d69c9b00d9af49c3267f0aa6c77cde27f9a37e60aa03849bc6796b94b2c8d59
SHA512: 909f1b2b5f2ebd7486e5a2947b8e61d4688dc05906166cf227eff27a0021a4913ee25b4854dca928bc1b279a621041f260f58b46933043cbb128a6abf02c8c12

Filesize: 70KB
MD5: ae702d156a2ee10aa0df4e5a365654a1
SHA1: bad92787d53da53bda2f180f770752e679ba80c0
SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c