Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 20:06

General

  • Target

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe

  • Size

    1.6MB

  • MD5

    9d8b111c3743b5b77fdd8fce1e30b50c

  • SHA1

    963e2bb076141300843bc8b61d6808ebd7a6dfae

  • SHA256

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

  • SHA512

    0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f

  • SSDEEP

    24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
    "C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
      "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
      2⤵
      • Executes dropped EXE
      PID:4496
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3672
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:11 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1480
      • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF136.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4524
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:3488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedgewebview2.exe.log

    Filesize

    660B

    MD5

    1c5e1d0ff3381486370760b0f2eb656b

    SHA1

    f9df6be8804ef611063f1ff277e323b1215372de

    SHA256

    f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

    SHA512

    78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    eb1ad317bd25b55b2bbdce8a28a74a94

    SHA1

    98a3978be4d10d62e7411946474579ee5bdc5ea6

    SHA256

    9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

    SHA512

    d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    22310ad6749d8cc38284aa616efcd100

    SHA1

    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

    SHA256

    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

    SHA512

    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    cae60f0ddddac635da71bba775a2c5b4

    SHA1

    386f1a036af61345a7d303d45f5230e2df817477

    SHA256

    b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

    SHA512

    28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

  • C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe

    Filesize

    602KB

    MD5

    347d21e54202cc42486f1be0f38ebea1

    SHA1

    f3a17fd7d1581928d8bf773c0f99433da64253db

    SHA256

    80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad

    SHA512

    620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0i2nujoo.2hu.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpF136.tmp.cmd

    Filesize

    147B

    MD5

    0f0f4157fdaa85e324ff142be0da25d9

    SHA1

    1c803d14a81121b6045d57af6284fbe5ccd5fe1f

    SHA256

    2eb4cb009f53eaa86c3caa3a1f249f656390e8fbd203e45881e4f54832715e23

    SHA512

    fc72b6765d262211ad821caf687d4e6b627374d5463ab82fa04755abdc96521ddd72c2dfdab191313df73b1f447b4ff0818f3cbd88b01b12737c778390bc448f

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    65KB

    MD5

    36dde308d5e09405a94dad6844ca0c44

    SHA1

    c585d502f48206f767f97ac7f7acd4112c314ccc

    SHA256

    c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b

    SHA512

    5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923

  • memory/3420-36-0x00000278A05B0000-0x00000278A05D2000-memory.dmp

    Filesize

    136KB

  • memory/4532-92-0x00000151CC610000-0x00000151CC652000-memory.dmp

    Filesize

    264KB

  • memory/4588-93-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

  • memory/4588-87-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

    Filesize

    8KB

  • memory/4588-0-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

    Filesize

    8KB

  • memory/4588-4-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

  • memory/4588-1-0x0000000000A00000-0x0000000000B96000-memory.dmp

    Filesize

    1.6MB

  • memory/4660-30-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

  • memory/4660-94-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

  • memory/4660-29-0x0000000000870000-0x0000000000886000-memory.dmp

    Filesize

    88KB