Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 20:09

General

  • Target

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe

  • Size

    1.6MB

  • MD5

    9d8b111c3743b5b77fdd8fce1e30b50c

  • SHA1

    963e2bb076141300843bc8b61d6808ebd7a6dfae

  • SHA256

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

  • SHA512

    0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f

  • SSDEEP

    24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
    "C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
      "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
      2⤵
      • Executes dropped EXE
      PID:4424
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4236
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:14 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:1012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedgewebview2.exe.log

    Filesize

    660B

    MD5

    1c5e1d0ff3381486370760b0f2eb656b

    SHA1

    f9df6be8804ef611063f1ff277e323b1215372de

    SHA256

    f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

    SHA512

    78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    2d06ce10e4e5b9e174b5ebbdad300fad

    SHA1

    bcc1c231e22238cef02ae25331320060ada2f131

    SHA256

    87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

    SHA512

    38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    cadef9abd087803c630df65264a6c81c

    SHA1

    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

    SHA256

    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

    SHA512

    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    e3161f4edbc9b963debe22e29658050b

    SHA1

    45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

    SHA256

    1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

    SHA512

    006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    1de9e2252e7a01131b4e7f2960efeb41

    SHA1

    39b84bd90c13c97185ab20b9fa973e113d2053d3

    SHA256

    e1e8f346075003d30042c8eba065f3c27585d12a31ecccae84c9e94385d077ab

    SHA512

    0726b3f4a20726344f9b29a77a49c5274603b3db411544da56cd716c3524b9e4d8679e2e09da01e34a34d6d9f117b943d2188e2a8e799af7ea66cc384185135b

  • C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe

    Filesize

    602KB

    MD5

    347d21e54202cc42486f1be0f38ebea1

    SHA1

    f3a17fd7d1581928d8bf773c0f99433da64253db

    SHA256

    80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad

    SHA512

    620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbf1cfd4.dnd.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.cmd

    Filesize

    147B

    MD5

    7c3732eade5a9768df84737eacf39032

    SHA1

    69b33dcf08fba35bdc904408701c6b1d78585a41

    SHA256

    ff51d0e40d13ca40aa491284ebe3c9e87f6d64e6deec3112981fe2054bfa4714

    SHA512

    0df239352b726fc28f9e7e47a24aece835e3dfae0fefceeff7494a68aff33aac0aa832b968abe7bbf4ffe965f619b76b3986707c1e161a037cd64548ee436d81

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    65KB

    MD5

    36dde308d5e09405a94dad6844ca0c44

    SHA1

    c585d502f48206f767f97ac7f7acd4112c314ccc

    SHA256

    c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b

    SHA512

    5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923

  • memory/3152-4-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

    Filesize

    10.8MB

  • memory/3152-1-0x0000000000C60000-0x0000000000DF6000-memory.dmp

    Filesize

    1.6MB

  • memory/3152-87-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

    Filesize

    8KB

  • memory/3152-88-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

    Filesize

    10.8MB

  • memory/3152-0-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

    Filesize

    8KB

  • memory/3152-94-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

    Filesize

    10.8MB

  • memory/4236-40-0x000001FDD2860000-0x000001FDD2882000-memory.dmp

    Filesize

    136KB

  • memory/4428-93-0x000001AC46490000-0x000001AC464D2000-memory.dmp

    Filesize

    264KB

  • memory/4872-95-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

    Filesize

    10.8MB

  • memory/4872-30-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

    Filesize

    10.8MB

  • memory/4872-29-0x0000000000090000-0x00000000000A6000-memory.dmp

    Filesize

    88KB