Analysis
-
max time kernel
139s
-
max time network
149s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted
29-10-2024 20:06
Static task
static1
Behavioral task
behavioral1
Sample
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
Resource
win7-20240903-en
General
-
Target
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
-
Size
1.6MB
-
MD5
9d8b111c3743b5b77fdd8fce1e30b50c
-
SHA1
963e2bb076141300843bc8b61d6808ebd7a6dfae
-
SHA256
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2
-
SHA512
0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f
-
SSDEEP
24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp
Malware Config
Extracted
xworm
146.190.110.91:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Signatures
-
Detect Xworm Payload 2 IoCs
resource  yara_rule
behavioral1/files/0x0009000000015ccc-15.dat  family_xworm
behavioral1/memory/1160-17-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xworm
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
692   powershell.exe
488   powershell.exe
2692  powershell.exe
548   powershell.exe
2196  powershell.exe
-
Drops startup file 3 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  svchost.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk  msedgewebview2.exe
-
Executes dropped EXE 4 IoCs
pid   Process
452   SilverBulletPro.exe
1160  svchost.exe
2780  msedgewebview2.exe
2296  msedgewebview2.exe
-
Loads dropped DLL 2 IoCs
pid   Process
1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid   Process
1384  timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1676  schtasks.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid   Process
1160  svchost.exe
2296  msedgewebview2.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
692   powershell.exe
488   powershell.exe
2692  powershell.exe
548   powershell.exe
1160  svchost.exe
2196  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description              pid   Process
Token: SeDebugPrivilege  1160  svchost.exe
Token: SeDebugPrivilege  692   powershell.exe
Token: SeDebugPrivilege  488   powershell.exe
Token: SeDebugPrivilege  2692  powershell.exe
Token: SeDebugPrivilege  548   powershell.exe
Token: SeDebugPrivilege  2780  msedgewebview2.exe
Token: SeDebugPrivilege  2196  powershell.exe
Token: SeDebugPrivilege  2296  msedgewebview2.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1160  svchost.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
description  pid  Process  procid_target
PID 1836 wrote to memory of 452  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  32
PID 1836 wrote to memory of 452  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  32
PID 1836 wrote to memory of 452  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  32
PID 1836 wrote to memory of 1160  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  33
PID 1836 wrote to memory of 1160  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  33
PID 1836 wrote to memory of 1160  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  33
PID 1160 wrote to memory of 692  1160  svchost.exe  34
PID 1160 wrote to memory of 692  1160  svchost.exe  34
PID 1160 wrote to memory of 692  1160  svchost.exe  34
PID 1160 wrote to memory of 488  1160  svchost.exe  36
PID 1160 wrote to memory of 488  1160  svchost.exe  36
PID 1160 wrote to memory of 488  1160  svchost.exe  36
PID 1836 wrote to memory of 2780  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  38
PID 1836 wrote to memory of 2780  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  38
PID 1836 wrote to memory of 2780  1836  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  38
PID 1160 wrote to memory of 2692  1160  svchost.exe  39
PID 1160 wrote to memory of 2692  1160  svchost.exe  39
PID 1160 wrote to memory of 2692  1160  svchost.exe  39
PID 1160 wrote to memory of 548  1160  svchost.exe  41
PID 1160 wrote to memory of 548  1160  svchost.exe  41
PID 1160 wrote to memory of 548  1160  svchost.exe  41
PID 2780 wrote to memory of 2196  2780  msedgewebview2.exe  44
PID 2780 wrote to memory of 2196  2780  msedgewebview2.exe  44
PID 2780 wrote to memory of 2196  2780  msedgewebview2.exe  44
PID 2780 wrote to memory of 1676  2780  msedgewebview2.exe  46
PID 2780 wrote to memory of 1676  2780  msedgewebview2.exe  46
PID 2780 wrote to memory of 1676  2780  msedgewebview2.exe  46
PID 2780 wrote to memory of 2296  2780  msedgewebview2.exe  48
PID 2780 wrote to memory of 2296  2780  msedgewebview2.exe  48
PID 2780 wrote to memory of 2296  2780  msedgewebview2.exe  48
PID 2780 wrote to memory of 1808  2780  msedgewebview2.exe  49
PID 2780 wrote to memory of 1808  2780  msedgewebview2.exe  49
PID 2780 wrote to memory of 1808  2780  msedgewebview2.exe  49
PID 1808 wrote to memory of 1384  1808  cmd.exe  51
PID 1808 wrote to memory of 1384  1808  cmd.exe  51
PID 1808 wrote to memory of 1384  1808  cmd.exe  51
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1836
    [2] C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
        - Executes dropped EXE
        PID: 452
    [2] C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1160
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 692
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 488
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2692
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 548
    [2] C:\ProgramData\msedgewebview2.exe
        Command line: "C:\ProgramData\msedgewebview2.exe"
        - Drops startup file
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2780
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2196
        [3] C:\Windows\system32\schtasks.exe
            Command line: "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:11 /du 23:59 /sc daily /ri 1 /f
            - Scheduled Task/Job: Scheduled Task
            PID: 1676
        [3] C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
            Command line: "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken
            PID: 2296
        [3] C:\Windows\system32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFB3.tmp.cmd""
            - Suspicious use of WriteProcessMemory
            PID: 1808
            [4] C:\Windows\system32\timeout.exe
                Command line: timeout 6
                - Delays execution with timeout.exe
                PID: 1384
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
147B
MD5
c7fd50cee08e949c8b50169a73950499
SHA1
f46aa1a82245f93e9b3e321fe3f27291fdd154f0
SHA256
e8ed2b4ac5073cbd8a753bce648a4d5a0344199c896eb1b8be054f9ada012546
SHA512
8f55308c0e96a2db0e9d81d088ed645a79a3e75e86cf5da56fba9005d9a82a039ba42f0979c248fc31222172bd620d239719f5b3b8bff771be76bf9e34d371c2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
aecdda7b40a91f6f4b181de0128ffc1c
SHA1
94a2454e2f08e29d5519123a933afb0e2b4df456
SHA256
9f3f191a78c0e24fc8009d40c9e537f1b717ae7b699aeae90215de57ed920cef
SHA512
ab6de5439e5adad7c5b65a2478c37e7cf45b80f1a1ef4920d441f8c609f670d4a453a4b40c48a07a906d36b9ac3335a00ccb130fa64b1dcf1fb08c087990d58c
-
Filesize
65KB
MD5
36dde308d5e09405a94dad6844ca0c44
SHA1
c585d502f48206f767f97ac7f7acd4112c314ccc
SHA256
c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b
SHA512
5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923
-
Filesize
602KB
MD5
347d21e54202cc42486f1be0f38ebea1
SHA1
f3a17fd7d1581928d8bf773c0f99433da64253db
SHA256
80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad
SHA512
620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9