Analysis
- max time kernel: 133s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2024, 21:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: jjjçtepad.exe
- Resource: win7-20240903-en
General
- Target: jjjçtepad.exe
- Size: 879KB
- MD5: ba63790213ee68adc6333242a703cdd3
- SHA1: 07e578b9206de65de0ffa19b01e59127bad21072
- SHA256: ea7c3fd6786b6374e94f001d75ad9ddc53ee8316cc20cd0d6978eba6fb6caaa7
- SHA512: 6d365291e5ade1e7047528637b079458933e9eed726f2d79c5f806414c445a8da2a4adee40fe1e2f32a65936975ab79ba6ef22ed57ec933ad1a5dce880f5ba2e
- SSDEEP: 12288:TlVYSjCSUFFIn2qH+Pc4w1dltLNe7ZfF5IrQ2NYpxfrOLi6820Y5GpX:ZVYs+Fc9ePlw1dltIb2EUi68PY5GJ
Malware Config
Extracted: xworm
- C2: 83.38.24.1:1603
- Install_directory: %Public%
- install_file: WmiPrvSE.exe
Signatures
- Detect Xworm Payload (10 IoCs)
  resource | yara_rule
  behavioral2/files/0x0010000000023ba3-6.dat | family_xworm
  behavioral2/files/0x0008000000023c85-84.dat | family_xworm
  behavioral2/files/0x0007000000023c8a-92.dat | family_xworm
  behavioral2/files/0x0007000000023c89-143.dat | family_xworm
  behavioral2/memory/1608-86-0x0000000000580000-0x00000000005C4000-memory.dmp | family_xworm
  behavioral2/memory/1984-148-0x0000000000300000-0x0000000000324000-memory.dmp | family_xworm
  behavioral2/files/0x0007000000023c8b-119.dat | family_xworm
  behavioral2/memory/1572-151-0x00000000000B0000-0x00000000000E2000-memory.dmp | family_xworm
  behavioral2/memory/552-153-0x00000000006D0000-0x00000000006E4000-memory.dmp | family_xworm
  behavioral2/memory/2044-152-0x0000000000110000-0x000000000013C000-memory.dmp | family_xworm
- Xworm family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | jjjçtepad.exe
- Executes dropped EXE (5 IoCs)
  pid | Process
  1608 | SecurityHealthSystray.exe
  1984 | WmiPrvSE.exe
  1572 | OneDrive.exe
  2044 | SearchFilterHost.exe
  552 | svhost.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  24 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid | Process
  2072 | taskmgr.exe (42 identical entries)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1608 | SecurityHealthSystray.exe
  Token: SeDebugPrivilege | 1984 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 1572 | OneDrive.exe
  Token: SeDebugPrivilege | 2044 | SearchFilterHost.exe
  Token: SeDebugPrivilege | 552 | svhost.exe
  Token: SeDebugPrivilege | 2072 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2072 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2072 | taskmgr.exe
  Token: 33 | 2072 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 2072 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  2072 | taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  2072 | taskmgr.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 3984 wrote to memory of 1608 | 3984 | jjjçtepad.exe | 84 (listed twice)
  PID 3984 wrote to memory of 1984 | 3984 | jjjçtepad.exe | 85 (listed twice)
  PID 3984 wrote to memory of 1572 | 3984 | jjjçtepad.exe | 86 (listed twice)
  PID 3984 wrote to memory of 2044 | 3984 | jjjçtepad.exe | 87 (listed twice)
  PID 3984 wrote to memory of 552 | 3984 | jjjçtepad.exe | 88 (listed twice)
Processes
- C:\Users\Admin\AppData\Local\Temp\jjjçtepad.exe (PID 3984, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jjjçtepad.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\SecurityHealthSystray.exe (PID 1608, depth 2)
    Command line: "C:\Users\Admin\SecurityHealthSystray.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\WmiPrvSE.exe (PID 1984, depth 2)
    Command line: "C:\Users\Admin\WmiPrvSE.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\OneDrive.exe (PID 1572, depth 2)
    Command line: "C:\Users\Admin\OneDrive.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\SearchFilterHost.exe (PID 2044, depth 2)
    Command line: "C:\Users\Admin\SearchFilterHost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\svhost.exe (PID 552, depth 2)
    Command line: "C:\Users\Admin\svhost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 2072, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads