Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 20:09
Static task
static1
Behavioral task
behavioral1
Sample
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
Resource
win7-20241010-en
General
-
Target
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
-
Size
1.6MB
-
MD5
9d8b111c3743b5b77fdd8fce1e30b50c
-
SHA1
963e2bb076141300843bc8b61d6808ebd7a6dfae
-
SHA256
13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2
-
SHA512
0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f
-
SSDEEP
24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp
Malware Config
Extracted
xworm
146.190.110.91:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Extracted
gurcu
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0002000000022efc-19.dat family_xworm behavioral2/memory/4872-29-0x0000000000090000-0x00000000000A6000-memory.dmp family_xworm -
Gurcu family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4236 powershell.exe 2232 powershell.exe 1072 powershell.exe 2292 powershell.exe 1660 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation msedgewebview2.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk msedgewebview2.exe -
Executes dropped EXE 4 IoCs
pid Process 4424 SilverBulletPro.exe 4872 svchost.exe 4428 msedgewebview2.exe 2124 msedgewebview2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 1012 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2768 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4872 svchost.exe 2124 msedgewebview2.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4236 powershell.exe 4236 powershell.exe 2232 powershell.exe 2232 powershell.exe 1072 powershell.exe 1072 powershell.exe 2292 powershell.exe 2292 powershell.exe 4872 svchost.exe 1660 powershell.exe 1660 powershell.exe 1660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4872 svchost.exe Token: SeDebugPrivilege 4236 powershell.exe Token: SeDebugPrivilege 2232 powershell.exe Token: SeDebugPrivilege 1072 powershell.exe Token: SeDebugPrivilege 2292 powershell.exe Token: SeDebugPrivilege 4428 msedgewebview2.exe Token: SeDebugPrivilege 1660 powershell.exe Token: SeDebugPrivilege 2124 msedgewebview2.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4872 svchost.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3152 wrote to memory of 4424 3152 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 89 PID 3152 wrote to memory of 4424 3152 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 89 PID 3152 wrote to memory of 4872 3152 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 90 PID 3152 wrote to memory of 4872 3152 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 90 PID 4872 wrote to memory of 4236 4872 svchost.exe 93 PID 4872 wrote to memory of 4236 4872 svchost.exe 93 PID 4872 wrote to memory of 2232 4872 svchost.exe 95 PID 4872 wrote to memory of 2232 4872 svchost.exe 95 PID 4872 wrote to memory of 1072 4872 svchost.exe 98 PID 4872 wrote to memory of 1072 4872 svchost.exe 98 PID 4872 wrote to memory of 2292 4872 svchost.exe 100 PID 4872 wrote to memory of 2292 4872 svchost.exe 100 PID 3152 wrote to memory of 4428 3152 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 102 PID 3152 wrote to memory of 4428 3152 13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe 102 PID 4428 wrote to memory of 2768 4428 msedgewebview2.exe 105 PID 4428 wrote to memory of 2768 4428 msedgewebview2.exe 105 PID 4428 wrote to memory of 1660 4428 msedgewebview2.exe 106 PID 4428 wrote to memory of 1660 4428 msedgewebview2.exe 106 PID 4428 wrote to memory of 2124 4428 msedgewebview2.exe 109 PID 4428 wrote to memory of 2124 4428 msedgewebview2.exe 109 PID 4428 wrote to memory of 2352 4428 msedgewebview2.exe 110 PID 4428 wrote to memory of 2352 4428 msedgewebview2.exe 110 PID 2352 wrote to memory of 1012 2352 cmd.exe 112 PID 2352 wrote to memory of 1012 2352 cmd.exe 112 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"2⤵
- Executes dropped EXE
PID:4424
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
-
C:\ProgramData\msedgewebview2.exe"C:\ProgramData\msedgewebview2.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:14 /du 23:59 /sc daily /ri 1 /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.cmd""3⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\system32\timeout.exetimeout 64⤵
- Delays execution with timeout.exe
PID:1012
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
660B
MD51c5e1d0ff3381486370760b0f2eb656b
SHA1f9df6be8804ef611063f1ff277e323b1215372de
SHA256f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
SHA51278f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52d06ce10e4e5b9e174b5ebbdad300fad
SHA1bcc1c231e22238cef02ae25331320060ada2f131
SHA25687d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c
SHA51238cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5e3161f4edbc9b963debe22e29658050b
SHA145dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA2561359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2
-
Filesize
944B
MD51de9e2252e7a01131b4e7f2960efeb41
SHA139b84bd90c13c97185ab20b9fa973e113d2053d3
SHA256e1e8f346075003d30042c8eba065f3c27585d12a31ecccae84c9e94385d077ab
SHA5120726b3f4a20726344f9b29a77a49c5274603b3db411544da56cd716c3524b9e4d8679e2e09da01e34a34d6d9f117b943d2188e2a8e799af7ea66cc384185135b
-
Filesize
602KB
MD5347d21e54202cc42486f1be0f38ebea1
SHA1f3a17fd7d1581928d8bf773c0f99433da64253db
SHA25680e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad
SHA512620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
147B
MD57c3732eade5a9768df84737eacf39032
SHA169b33dcf08fba35bdc904408701c6b1d78585a41
SHA256ff51d0e40d13ca40aa491284ebe3c9e87f6d64e6deec3112981fe2054bfa4714
SHA5120df239352b726fc28f9e7e47a24aece835e3dfae0fefceeff7494a68aff33aac0aa832b968abe7bbf4ffe965f619b76b3986707c1e161a037cd64548ee436d81
-
Filesize
65KB
MD536dde308d5e09405a94dad6844ca0c44
SHA1c585d502f48206f767f97ac7f7acd4112c314ccc
SHA256c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b
SHA5125964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923