Analysis

max time kernel: 125s
max time network: 139s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2024 20:09

Static task: static1
Behavioral task: behavioral1
Sample: 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
Resource: win7-20241010-en
General

Target: 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
Size: 1.6MB
MD5: 9d8b111c3743b5b77fdd8fce1e30b50c
SHA1: 963e2bb076141300843bc8b61d6808ebd7a6dfae
SHA256: 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2
SHA512: 0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f
SSDEEP: 24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp
Malware Config

Extracted: xworm
  146.190.110.91:3389
  Install_directory: %AppData%
  install_file: svchost.exe
  telegram: https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x002f000000018bd7-15.dat                                  family_xworm
  behavioral1/memory/3060-17-0x0000000001350000-0x0000000001366000-memory.dmp  family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  1000  powershell.exe
  2924  powershell.exe
  2780  powershell.exe
  628   powershell.exe
  2040  powershell.exe

Drops startup file (3 IoCs)
  description                   ioc                                                                                             Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk             svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk             svchost.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk  msedgewebview2.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2892  SilverBulletPro.exe
  3060  svchost.exe
  1240  msedgewebview2.exe
  900   msedgewebview2.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2380  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
  2380  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  2820  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1780  schtasks.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  3060  svchost.exe
  900   msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2924  powershell.exe
  2780  powershell.exe
  628   powershell.exe
  2040  powershell.exe
  3060  svchost.exe
  1000  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3060  svchost.exe
  Token: SeDebugPrivilege  2924  powershell.exe
  Token: SeDebugPrivilege  2780  powershell.exe
  Token: SeDebugPrivilege  628   powershell.exe
  Token: SeDebugPrivilege  2040  powershell.exe
  Token: SeDebugPrivilege  1240  msedgewebview2.exe
  Token: SeDebugPrivilege  1000  powershell.exe
  Token: SeDebugPrivilege  900   msedgewebview2.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3060  svchost.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Each row below appears three times in the raw log, giving 36 entries in total.
  description                       pid   Process                                                                procid_target
  PID 2380 wrote to memory of 2892  2380  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  30
  PID 2380 wrote to memory of 3060  2380  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  31
  PID 3060 wrote to memory of 2924  3060  svchost.exe                                                            32
  PID 3060 wrote to memory of 2780  3060  svchost.exe                                                            34
  PID 3060 wrote to memory of 628   3060  svchost.exe                                                            36
  PID 3060 wrote to memory of 2040  3060  svchost.exe                                                            38
  PID 2380 wrote to memory of 1240  2380  13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe  41
  PID 1240 wrote to memory of 1000  1240  msedgewebview2.exe                                                     42
  PID 1240 wrote to memory of 1780  1240  msedgewebview2.exe                                                     44
  PID 1240 wrote to memory of 900   1240  msedgewebview2.exe                                                     46
  PID 1240 wrote to memory of 1776  1240  msedgewebview2.exe                                                     47
  PID 1776 wrote to memory of 2820  1776  cmd.exe                                                                49

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The bracketed number is the depth of the process in the tree; indentation shows parent/child relationships.

[1] C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"
    PID: 2380
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
        PID: 2892
        - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        PID: 3060
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            PID: 2924
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            PID: 2780
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            PID: 628
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            PID: 2040
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\ProgramData\msedgewebview2.exe
        Command line: "C:\ProgramData\msedgewebview2.exe"
        PID: 1240
        - Drops startup file
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
            PID: 1000
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\schtasks.exe
            Command line: "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:14 /du 23:59 /sc daily /ri 1 /f
            PID: 1780
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
            Command line: "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
            PID: 900
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp.cmd""
            PID: 1776
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\timeout.exe
                Command line: timeout 6
                PID: 2820
                - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15