Analysis

max time kernel: 289s
max time network: 302s
platform: windows10-2004_x64
resource: win10v2004-20241007-de
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-de, locale:de-de, os:windows10-2004-x64, system, windows
submitted: 31-10-2024 02:21
General

Target: XRCleaner2.exe
Size: 56KB
MD5: 9bc57b0a4b416e360a8e20ed5dda6cd0
SHA1: 7246f4cdcb19afa4de09a36972492aa067daac51
SHA256: b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc
SHA512: dd306cd30727911a7c2335945721a85e8b65ece05efe3dd63e0fcb7b05033647fc881f0b78b8b6ac107ddf4f079107d51f835f5469fe4f3d6e787c620ff2fe82
SSDEEP: 1536:2Nltt4OCTcQLe6WskbSjJ6EoBs2vWywOvu:2NltCTcQLepskbSjToIOvu
Malware Config

Extracted
Family: xworm
C2: join-ez.gl.at.ply.gg:55
Install_directory: %AppData%
install_file: WindowsUpdate.exe
Signatures

Detect Xworm Payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/4208-1-0x0000000000CD0000-0x0000000000CE4000-memory.dmp | family_xworm

Hawkeye family

Xworm family

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk | XRCleaner2.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk | XRCleaner2.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\H: | unregmp2.exe
  File opened (read-only) | \??\U: | unregmp2.exe
  File opened (read-only) | \??\L: | wmplayer.exe
  File opened (read-only) | \??\O: | wmplayer.exe
  File opened (read-only) | \??\X: | wmplayer.exe
  File opened (read-only) | \??\Y: | wmplayer.exe
  File opened (read-only) | \??\J: | unregmp2.exe
  File opened (read-only) | \??\N: | wmplayer.exe
  File opened (read-only) | \??\P: | wmplayer.exe
  File opened (read-only) | \??\S: | wmplayer.exe
  File opened (read-only) | \??\Z: | wmplayer.exe
  File opened (read-only) | \??\B: | unregmp2.exe
  File opened (read-only) | \??\B: | wmplayer.exe
  File opened (read-only) | \??\K: | wmplayer.exe
  File opened (read-only) | \??\Q: | wmplayer.exe
  File opened (read-only) | \??\U: | wmplayer.exe
  File opened (read-only) | \??\V: | wmplayer.exe
  File opened (read-only) | \??\M: | unregmp2.exe
  File opened (read-only) | \??\N: | unregmp2.exe
  File opened (read-only) | \??\R: | unregmp2.exe
  File opened (read-only) | \??\V: | unregmp2.exe
  File opened (read-only) | \??\M: | wmplayer.exe
  File opened (read-only) | \??\T: | wmplayer.exe
  File opened (read-only) | \??\L: | unregmp2.exe
  File opened (read-only) | \??\P: | unregmp2.exe
  File opened (read-only) | \??\W: | unregmp2.exe
  File opened (read-only) | \??\E: | wmplayer.exe
  File opened (read-only) | \??\H: | wmplayer.exe
  File opened (read-only) | \??\W: | wmplayer.exe
  File opened (read-only) | \??\E: | unregmp2.exe
  File opened (read-only) | \??\G: | unregmp2.exe
  File opened (read-only) | \??\O: | unregmp2.exe
  File opened (read-only) | \??\S: | unregmp2.exe
  File opened (read-only) | \??\X: | unregmp2.exe
  File opened (read-only) | \??\Z: | unregmp2.exe
  File opened (read-only) | \??\I: | unregmp2.exe
  File opened (read-only) | \??\Q: | unregmp2.exe
  File opened (read-only) | \??\T: | unregmp2.exe
  File opened (read-only) | \??\Y: | unregmp2.exe
  File opened (read-only) | \??\A: | wmplayer.exe
  File opened (read-only) | \??\I: | wmplayer.exe
  File opened (read-only) | \??\A: | unregmp2.exe
  File opened (read-only) | \??\K: | unregmp2.exe
  File opened (read-only) | \??\G: | wmplayer.exe
  File opened (read-only) | \??\J: | wmplayer.exe
  File opened (read-only) | \??\R: | wmplayer.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  468 | 740 | WerFault.exe | 118
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unregmp2.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4208 | XRCleaner2.exe
  Token: SeDebugPrivilege | 2852 | XRCleaner2.exe
  Token: SeShutdownPrivilege | 740 | wmplayer.exe
  Token: SeCreatePagefilePrivilege | 740 | wmplayer.exe
  Token: SeShutdownPrivilege | 3752 | unregmp2.exe
  Token: SeCreatePagefilePrivilege | 3752 | unregmp2.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  740 | wmplayer.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 740 wrote to memory of 1500 | 740 | wmplayer.exe | 119
  PID 740 wrote to memory of 1500 | 740 | wmplayer.exe | 119
  PID 740 wrote to memory of 1500 | 740 | wmplayer.exe | 119
  PID 1500 wrote to memory of 3752 | 1500 | unregmp2.exe | 120
  PID 1500 wrote to memory of 3752 | 1500 | unregmp2.exe | 120
Processes

C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe"
    PID: 4208
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3752

C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe"
    PID: 2852
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    PID: 740
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\unregmp2.exe
        Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        PID: 1500
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\unregmp2.exe
            Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            PID: 3752
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 2932
        PID: 468
        - Program crash

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    PID: 3316
    - Drops file in Windows directory

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 740 -ip 740
    PID: 1116

C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RestartPublish.js"
    PID: 1392

C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SelectJoin.vbe"
    PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64KB
MD5: 62d6a3c45b9f3e975039ad72df8d1c6f
SHA1: 313c8384e6429c213d336f6ad4b162932ea52137
SHA256: 2acf6bdeedfed7082b44fbf81258be577750c03dbe0d250350edc973257dbab4
SHA512: c054d3c2d4d26cbdffd4e11e95c2332827754462f75ea1801b5d905848b0f14da9093abd524df999a54962835214f7e7daaac2c4b8eee1eef0d4fee391e505d8

Filesize: 1024KB
MD5: 0c368542ff20607ff6f571e8aac87fc1
SHA1: dbabe869fea1dac54e0f9a9833cc5f8845998d5a
SHA256: 118f2011b2b96a38c924cb151cf9bf5949bf4b8f531a4d11f8b95782a286485f
SHA512: b8b6a8a6a7e58ecb68a2384bd5bc5cab18f4ec70af350fb35e7c6db119bc11753f0cc31b147e8c62872f318a15a54396eb6c105bb7656f629f95c41517532940

Filesize: 498B
MD5: 90be2701c8112bebc6bd58a7de19846e
SHA1: a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256: 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512: d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Filesize: 9KB
MD5: 5433eab10c6b5c6d55b7cbd302426a39
SHA1: c5b1604b3350dab290d081eecd5389a895c58de5
SHA256: 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512: 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 1KB
MD5: c3522974e93e0b13ed981ed988eace9d
SHA1: f71a6171628b59fa051cb2dae24920b03300000b
SHA256: a096f7760dc94d8385f8d73efe012683828a34d1615b20d2791a4ba599b9cb39
SHA512: 7fd17be9fd7b961cbf3e566bd8927d7537ec3480876535a28896392f8dae40828894521e603b361b2f3c14e6e4d417ea0cf35eb4cf546f3f47a83b9dd06d2ada

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize: 3KB
MD5: 62cb9e874a4a61fbc27841591b4ba31f
SHA1: 8fff59c42b9c9bc7807bdb01dc5e741a3ab52f19
SHA256: c683a6fc2e75e1585157405a509461cb0982a4bae11ee57b64cc9503451d3053
SHA512: c74f8fdea098ea8b8b9b6d6efcff72a49dbbf852aec8677745f7786674745f4c5d46e5e5a7d93f547d46bbc6aca50d9e2d75a5059475f68c793e443dd4fc3381

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize: 1KB
MD5: 0ba80421a2031ff6b0c7446783b18cdb
SHA1: 3df097e7c572e58d1617ef4953948ee43f937a96
SHA256: de50f5c8aca74a7bd6c3870d8f634daace2db4469d3f02956d6f82f2612dc070
SHA512: 8185e6b535ae11011d39fd935158a75619dd86c15973e6a61e33ada35129aad18a142bd7405609e7b1867d7ffe2b4f92afa1291da59f5a3f008d7bd101dd35c7