Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 05:32
Behavioral task
behavioral1
Sample
YL81L_file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
YL81L_file.exe
Resource
win10v2004-20241007-en
General
-
Target
YL81L_file.exe
-
Size
35KB
-
MD5
1b76c0d5d1d6a5197d055223b134dcca
-
SHA1
b8092605ecbb529a7372e42b7cbcda4b55e78ef1
-
SHA256
024d5a39a58cae8343c5ee34629868c6440ea7a3dce8a2f226c8161d5005d196
-
SHA512
27dad7330d431d48744d8aa348c6377deb51917a4f2ed6510ec6f9bbda55ea386ef3fd5e5039b921163d9d3c81f5423c6648062c0925d86cf05c63ca978805e3
-
SSDEEP
384:vSBqVEqKykkTwusE+E33Rz3UXmbXLZoWR27vHsJQcXT/G58pkFyHBLTIZwgG+Vv1:EQDb3QIXDh7GVFy79evOjh2yED
Malware Config
Extracted
xworm
5.0
didjmdk3nindi3nd.zapto.org:7000
70.241.39.14:7000
Q6QXs3CM0drEuir0
-
Install_directory
%Userprofile%
-
install_file
XC.exe
Extracted
phemedrone
https://api.telegram.org/bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/2156-1-0x0000000000A70000-0x0000000000A80000-memory.dmp family_xworm -
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Xworm family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation YL81L_file.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XC.lnk YL81L_file.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XC.lnk YL81L_file.exe -
Executes dropped EXE 1 IoCs
pid Process 2184 smidtp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XC = "C:\\Users\\Admin\\XC.exe" YL81L_file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2156 YL81L_file.exe Token: SeDebugPrivilege 2156 YL81L_file.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2184 2156 YL81L_file.exe 100 PID 2156 wrote to memory of 2184 2156 YL81L_file.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\YL81L_file.exe"C:\Users\Admin\AppData\Local\Temp\YL81L_file.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\smidtp.exe"C:\Users\Admin\AppData\Local\Temp\smidtp.exe"2⤵
- Executes dropped EXE
PID:2184
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
138KB
MD5cae3f7ae06655eb93f5dfb028ddd3d6d
SHA154821b16fab00ec529f0b99e1d49de8d291eb492
SHA2561fc74fb83aebbe5a37b41e7a4e900a83288618ca696d76a717e2d6a51fad343f
SHA512e2226e3ba2c9bd079db74dcc0cb87f8d6449c99dfe3d2ccae0dda40b7c1a1ca3b77341e49c72bbb183aca86fd29960a70836bfb758f42c3bf83605b3f808dad8