Analysis
-
max time kernel
128s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 02:20
Behavioral task
behavioral1
Sample
4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe
Resource
win10v2004-20241007-en
General
-
Target
4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe
-
Size
163KB
-
MD5
72f5f19b35b22d82d8459f5e0739c248
-
SHA1
0218dd2b354dcfdff2a11d06b6cf57f53987e9eb
-
SHA256
4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1
-
SHA512
ae5fb16700e76a79049b9b92f13ead1d611b490a1e447adcc1a6da35be611e2c1e2fc618d17cc4f3a2052fd9b4cf261e12c1464474590c30647a40580e9e2d07
-
SSDEEP
1536:9QJaAtooQh0elU0qT9rbRCKGOjEkb2yMnx8Xb627dOnZzWEU:eJaNp9lVYoKGNkb2ymxMhOnZSEU
Malware Config
Extracted
xworm
vehicle-temp.gl.at.ply.gg:1930
-
Install_directory
%LocalAppData%
-
install_file
MicrosoftClient.exe
-
telegram
https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2060-1-0x00000000002D0000-0x00000000002FE000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2144 powershell.exe 2892 powershell.exe 2940 powershell.exe 2864 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftClient = "C:\\Users\\Admin\\AppData\\Local\\MicrosoftClient.exe" 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2144 powershell.exe 2892 powershell.exe 2940 powershell.exe 2864 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe Token: SeDebugPrivilege 2144 powershell.exe Token: SeDebugPrivilege 2892 powershell.exe Token: SeDebugPrivilege 2940 powershell.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2144 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 29 PID 2060 wrote to memory of 2144 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 29 PID 2060 wrote to memory of 2144 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 29 PID 2060 wrote to memory of 2892 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 31 PID 2060 wrote to memory of 2892 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 31 PID 2060 wrote to memory of 2892 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 31 PID 2060 wrote to memory of 2940 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 33 PID 2060 wrote to memory of 2940 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 33 PID 2060 wrote to memory of 2940 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 33 PID 2060 wrote to memory of 2864 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 35 PID 2060 wrote to memory of 2864 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 35 PID 2060 wrote to memory of 2864 2060 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe"C:\Users\Admin\AppData\Local\Temp\4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\MicrosoftClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5e07434875f4889ec4046e5541317b9b5
SHA1e36b889d5456e6deecfdc5296b6bc156e6bc012a
SHA25631af0ec31f412d19211aa04a41353766800801c8593bf461fd2e4ca59ef96e8b
SHA5126bb95584dff550c769d4fd16022cee8e312d8b98fac047055e5534b5b1e56e5bbf62ed95cbb04a228dbed4d5933b019c2814b7f62ea2f06e09c9a438c7e0bdcc