Analysis
-
max time kernel
148s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 05:17
Behavioral task
behavioral1
Sample
b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
General
-
Target
b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe
-
Size
56KB
-
MD5
9bc57b0a4b416e360a8e20ed5dda6cd0
-
SHA1
7246f4cdcb19afa4de09a36972492aa067daac51
-
SHA256
b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc
-
SHA512
dd306cd30727911a7c2335945721a85e8b65ece05efe3dd63e0fcb7b05033647fc881f0b78b8b6ac107ddf4f079107d51f835f5469fe4f3d6e787c620ff2fe82
-
SSDEEP
1536:2Nltt4OCTcQLe6WskbSjJ6EoBs2vWywOvu:2NltCTcQLepskbSjToIOvu
Malware Config
Extracted
Family
xworm
C2
join-ez.gl.at.ply.gg:55
Attributes
-
Install_directory
%AppData%
-
install_file
WindowsUpdate.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/2808-1-0x0000000000130000-0x0000000000144000-memory.dmp family_xworm -
Hawkeye family
-
Xworm family
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2808 b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe