Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 20:06
Static task
static1
Behavioral task
behavioral1
Sample
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
Resource
win7-20240903-en
General
-
Target
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
-
Size
1.6MB
-
MD5
9d8b111c3743b5b77fdd8fce1e30b50c
-
SHA1
963e2bb076141300843bc8b61d6808ebd7a6dfae
-
SHA256
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2
-
SHA512
0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f
-
SSDEEP
24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp
Malware Config
Extracted
xworm
146.190.110.91:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Extracted
gurcu
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000e000000023a69-19.dat family_xworm behavioral2/memory/4660-29-0x0000000000870000-0x0000000000886000-memory.dmp family_xworm -
Gurcu family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3420 powershell.exe 3732 powershell.exe 2224 powershell.exe 2104 powershell.exe 3672 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation msedgewebview2.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk msedgewebview2.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 4496 SilverBulletPro.exe 4660 svchost.exe 4532 msedgewebview2.exe 4616 msedgewebview2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 3488 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1480 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4660 svchost.exe 4616 msedgewebview2.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3420 powershell.exe 3420 powershell.exe 3732 powershell.exe 3732 powershell.exe 2224 powershell.exe 2224 powershell.exe 2104 powershell.exe 2104 powershell.exe 4660 svchost.exe 3672 powershell.exe 3672 powershell.exe 3672 powershell.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4660 svchost.exe Token: SeDebugPrivilege 3420 powershell.exe Token: SeDebugPrivilege 3732 powershell.exe Token: SeDebugPrivilege 2224 powershell.exe Token: SeDebugPrivilege 2104 powershell.exe Token: SeDebugPrivilege 4532 msedgewebview2.exe Token: SeDebugPrivilege 3672 powershell.exe Token: SeDebugPrivilege 4616 msedgewebview2.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4660 svchost.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 4588 wrote to memory of 4496 4588 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 87 PID 4588 wrote to memory of 4496 4588 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 87 PID 4588 wrote to memory of 4660 4588 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 88 PID 4588 wrote to memory of 4660 4588 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 88 PID 4660 wrote to memory of 3420 4660 svchost.exe 94 PID 4660 wrote to memory of 3420 4660 svchost.exe 94 PID 4660 wrote to memory of 3732 4660 svchost.exe 96 PID 4660 wrote to memory of 3732 4660 svchost.exe 96 PID 4660 wrote to memory of 2224 4660 svchost.exe 98 PID 4660 wrote to memory of 2224 4660 svchost.exe 98 PID 4660 wrote to memory of 2104 4660 svchost.exe 100 PID 4660 wrote to memory of 2104 4660 svchost.exe 100 PID 4588 wrote to memory of 4532 4588 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 104 PID 4588 wrote to memory of 4532 4588 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 104 PID 4532 wrote to memory of 3672 4532 msedgewebview2.exe 109 PID 4532 wrote to memory of 3672 4532 msedgewebview2.exe 109 PID 4532 wrote to memory of 1480 4532 msedgewebview2.exe 111 PID 4532 wrote to memory of 1480 4532 msedgewebview2.exe 111 PID 4532 wrote to memory of 4616 4532 msedgewebview2.exe 113 PID 4532 wrote to memory of 4616 4532 msedgewebview2.exe 113 PID 4532 wrote to memory of 4524 4532 msedgewebview2.exe 114 PID 4532 wrote to memory of 4524 4532 msedgewebview2.exe 114 PID 4524 wrote to memory of 3488 4524 cmd.exe 116 PID 4524 wrote to memory of 3488 4524 cmd.exe 116 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"2⤵
- Executes dropped EXE
PID:4496
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
-
-
C:\ProgramData\msedgewebview2.exe"C:\ProgramData\msedgewebview2.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:11 /du 23:59 /sc daily /ri 1 /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:1480
-
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF136.tmp.cmd""3⤵
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\system32\timeout.exetimeout 64⤵
- Delays execution with timeout.exe
PID:3488
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
660B
MD51c5e1d0ff3381486370760b0f2eb656b
SHA1f9df6be8804ef611063f1ff277e323b1215372de
SHA256f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
SHA51278f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
Filesize
602KB
MD5347d21e54202cc42486f1be0f38ebea1
SHA1f3a17fd7d1581928d8bf773c0f99433da64253db
SHA25680e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad
SHA512620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
147B
MD50f0f4157fdaa85e324ff142be0da25d9
SHA11c803d14a81121b6045d57af6284fbe5ccd5fe1f
SHA2562eb4cb009f53eaa86c3caa3a1f249f656390e8fbd203e45881e4f54832715e23
SHA512fc72b6765d262211ad821caf687d4e6b627374d5463ab82fa04755abdc96521ddd72c2dfdab191313df73b1f447b4ff0818f3cbd88b01b12737c778390bc448f
-
Filesize
65KB
MD536dde308d5e09405a94dad6844ca0c44
SHA1c585d502f48206f767f97ac7f7acd4112c314ccc
SHA256c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b
SHA5125964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923