Analysis 241031-geqama1hmm (10)
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 05:43
Static task: static1
Behavioral task: behavioral1
  Sample: scvhost (4).rar
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: scvhost (4).rar
  Resource: win10v2004-20241007-en
General
Target: scvhost (4).rar
Size: 19KB
MD5: f49a4ffb43d6fb43880d56f0bf73838d
SHA1: 6e22e3a2aebe0c7aa23669c57109f66e5407282f
SHA256: 97434fda8fa6df00ada39c7c94f43e486509658567f875ae585f75f6e6a9f315
SHA512: a24781c0c3ea8522e6b261d72301e27506f8dae10a9b08d4302f07b7d6e85b7a9dfaddebafaebc26cb2770348c74c619bc9b3df28f449e22034a87aa99092b1d
SSDEEP: 384:xIUTVfpWcml5lTxWQ+gO94wH+NPqEO2LoFffzuhLqse228vP1+tUp:y6n05lTxWQ+9NYqZWAfihLqsX281+tE
Malware Config
Extracted: xworm 5.0
  38.156.214.168:4567
  192.168.1.220:4567
  buHNqt1P1TbTpE0p
  Install_directory: %ProgramData%
  install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource: behavioral1/files/0x000e000000016d6d-4.dat, yara_rule: family_xworm
  resource: behavioral1/memory/2676-11-0x0000000001050000-0x0000000001060000-memory.dmp, yara_rule: family_xworm

Xworm family

Executes dropped EXE (1 IoC)
  pid 2676, process scvhost.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4, ioc ip-api.com

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2232, process 7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2232, process 7zFM.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege, pid 2232, process 7zFM.exe
  Token: 35, pid 2232, process 7zFM.exe
  Token: SeSecurityPrivilege, pid 2232, process 7zFM.exe
  Token: SeDebugPrivilege, pid 2676, process scvhost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2232, process 7zFM.exe
  pid 2232, process 7zFM.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2232 wrote to memory of 2676, pid 2232, process 7zFM.exe, procid_target 30
  PID 2232 wrote to memory of 2676, pid 2232, process 7zFM.exe, procid_target 30
  PID 2232 wrote to memory of 2676, pid 2232, process 7zFM.exe, procid_target 30
Processes

C:\Program Files\7-Zip\7zFM.exe (PID:2232)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\scvhost (4).rar"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Users\Admin\AppData\Local\Temp\7zO8B8E2B27\scvhost.exe (PID:2676)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO8B8E2B27\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 41KB
MD5: 42bfab585488af752295a07316ff9bab
SHA1: e967ee4fbbfe5216ed83d87c020e3e99b4e64dca
SHA256: 5f75590c3453c7992f39be1ab37031397ad660a5ebe8ba399b3fb30a29f816c8
SHA512: 0e44ad4d9a563a854fa2c6544a555b375b9604e4ba092987aa6f108fbc4ac57619fba99fdead3196c525ba12124907c6c151e01560e2ec159a57004ef5930623