Analysis

max time kernel: 107s
max time network: 112s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 01:48
Behavioral task: behavioral1
Sample: ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
Resource: win10v2004-20241007-en
General

Target: ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
Size: 73KB
MD5: aacc73d0a647ab74ba2ad88bfe582ae0
SHA1: 7beb364e023cdf3ac235123a42a338178f3bb418
SHA256: ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372
SHA512: 20a20602c6ef314b9ed1c6df330bfa806e25c3ee63bfe35cd108fcef606ae2deb73691b00b46ae7274437b1b1b99a79e4872d15aaf79b506a5e13609d4960179
SSDEEP: 1536:PsAOvLB0oKhtWIu+0PZbcYoOLykP26cNUOnkjGYWYVg:PHI9KhtWIuhPZbceBP4UOnkjBW6g
Malware Config

Extracted
Family: xworm
Version: 3.0
C2: production-loading.gl.at.ply.gg:48573
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (3 IoCs)
resource | yara_rule
- behavioral1/memory/2748-1-0x0000000000170000-0x0000000000188000-memory.dmp | family_xworm
- behavioral1/files/0x000a000000004e76-27.dat | family_xworm
- behavioral1/memory/2656-35-0x0000000001030000-0x0000000001048000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
- 2628 | powershell.exe
- 536 | powershell.exe
- 2568 | powershell.exe

Drops startup file (2 IoCs)
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.lnk | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.lnk | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe

Executes dropped EXE (2 IoCs)
pid | Process
- 2656 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
- 1628 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N = "C:\\Users\\Admin\\AppData\\Roaming\\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe" | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 1656 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
- 2568 | powershell.exe
- 2628 | powershell.exe
- 536 | powershell.exe
- 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
- Token: SeDebugPrivilege | 2568 | powershell.exe
- Token: SeDebugPrivilege | 2628 | powershell.exe
- Token: SeDebugPrivilege | 536 | powershell.exe
- Token: SeDebugPrivilege | 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
- Token: SeDebugPrivilege | 2656 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
- Token: SeDebugPrivilege | 1628 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
- 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe

Suspicious use of WriteProcessMemory (18 IoCs; each entry below is recorded three times in the report)
description | pid | Process | procid_target
- PID 2748 wrote to memory of 2568 | 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe | 30
- PID 2748 wrote to memory of 2628 | 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe | 32
- PID 2748 wrote to memory of 536 | 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe | 34
- PID 2748 wrote to memory of 1656 | 2748 | ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe | 36
- PID 2944 wrote to memory of 2656 | 2944 | taskeng.exe | 40
- PID 2944 wrote to memory of 1628 | 2944 | taskeng.exe | 41

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe"
  PID: 2748
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2748)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe'
    PID: 2568
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2748)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe'
    PID: 2628
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2748)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe'
    PID: 536
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe (child of PID 2748)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N" /tr "C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe"
    PID: 1656
    - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5DFB8D64-F8BD-4516-9E63-3BDD8927C1A9} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
  PID: 2944
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe (child of PID 2944)
    Command line: C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
    PID: 2656
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe (child of PID 2944)
    Command line: C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
    PID: 1628
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: d303bb50d66f6036e40716954336e72b
SHA1: 48cc940232594dc9b92953c5c97b99353c65bfb3
SHA256: 546154a71ff20811e16b164e7b3f4170ef04a321cbba6fdd0fdbf77b3a5a1c4c
SHA512: ec7c4cd6f8500ccd16657269332b2b04c7854fbb7b07014f1b56656a867323cf493d2361f0a7ef0591f6714931d7a0b7f9a5b9f21b6a0760328c6eb944b125d6

C:\Users\Admin\AppData\Roaming\ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372N.exe
Filesize: 73KB
MD5: aacc73d0a647ab74ba2ad88bfe582ae0
SHA1: 7beb364e023cdf3ac235123a42a338178f3bb418
SHA256: ee33e6da81e5abbb291bbbf3681ef6b48e17037500ffe4b90f60a5d078957372
SHA512: 20a20602c6ef314b9ed1c6df330bfa806e25c3ee63bfe35cd108fcef606ae2deb73691b00b46ae7274437b1b1b99a79e4872d15aaf79b506a5e13609d4960179