Analysis

max time kernel: 30s
max time network: 36s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 19:51

Static task: static1
Behavioral task: behavioral1
Sample: Luxury Sheild v7.1.exe
Resource: win7-20241010-en
General

Target: Luxury Sheild v7.1.exe
Size: 7.6MB
MD5: f145671c3c65072a5a49f1d1d68a4a3a
SHA1: 2453dddb4e6ebd48604fff3094f6a59dacdc3ad7
SHA256: d5dcde7ced43245641793538f847c55e3271f5ff8eb45fa5616a00634b7e64a1
SHA512: 6f9bb2a1c9e4f90c22f7e0675c6d0ab06e0b7875c432d229739000c568a9a0fa5024cd36ec6b947b520704ad706b945371029c24766cac3fb2d509f478dc6902
SSDEEP: 196608:ys/RzJU3wXjxqEVJsWEgVN0YdD1TpoSKpgrIMOC5S6F:ys/RzJU3wXjxqELsRmN0W1TUMOCU6
Malware Config

Extracted
Family: xworm
Version: 3.1
C2 (host:port): society-painted.at.ply.gg:17251
Install_directory: %Public%
install_file: USB.exe
telegram: https://api.telegram.org/bot5817418329:AAGYtFww9eAGl3ZTuqrCmSNxu_TJJiAWkzA/sendMessage?chat_id=1860651440
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0004000000018334-27.dat | family_xworm
  behavioral1/memory/908-28-0x00000000003F0000-0x000000000042E000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2200 | powershell.exe
  2832 | powershell.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | WinRAR.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | WinRAR.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2112 | Luxury Shield 7.1.exe
  908 | WinRAR.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Public\\WinRAR.exe" | WinRAR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  2112 | Luxury Shield 7.1.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2888 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2200 | powershell.exe
  2832 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2200 | powershell.exe
  Token: SeDebugPrivilege | 2832 | powershell.exe
  Token: SeDebugPrivilege | 908 | WinRAR.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2112 | Luxury Shield 7.1.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 844 wrote to memory of 2200 | 844 | Luxury Sheild v7.1.exe | 30
  PID 844 wrote to memory of 2200 | 844 | Luxury Sheild v7.1.exe | 30
  PID 844 wrote to memory of 2200 | 844 | Luxury Sheild v7.1.exe | 30
  PID 844 wrote to memory of 2112 | 844 | Luxury Sheild v7.1.exe | 32
  PID 844 wrote to memory of 2112 | 844 | Luxury Sheild v7.1.exe | 32
  PID 844 wrote to memory of 2112 | 844 | Luxury Sheild v7.1.exe | 32
  PID 844 wrote to memory of 2112 | 844 | Luxury Sheild v7.1.exe | 32
  PID 844 wrote to memory of 2832 | 844 | Luxury Sheild v7.1.exe | 33
  PID 844 wrote to memory of 2832 | 844 | Luxury Sheild v7.1.exe | 33
  PID 844 wrote to memory of 2832 | 844 | Luxury Sheild v7.1.exe | 33
  PID 844 wrote to memory of 908 | 844 | Luxury Sheild v7.1.exe | 35
  PID 844 wrote to memory of 908 | 844 | Luxury Sheild v7.1.exe | 35
  PID 844 wrote to memory of 908 | 844 | Luxury Sheild v7.1.exe | 35
  PID 908 wrote to memory of 2888 | 908 | WinRAR.exe | 36
  PID 908 wrote to memory of 2888 | 908 | WinRAR.exe | 36
  PID 908 wrote to memory of 2888 | 908 | WinRAR.exe | 36

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Luxury Sheild v7.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Sheild v7.1.exe"
    PID: 844
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
        PID: 2200
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
        PID: 2112
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
        PID: 2832
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
        PID: 908
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
            PID: 2888
            - Scheduled Task/Job: Scheduled Task
Network

MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

- Filesize: 7.5MB
  MD5: 9502776952e6900ae1f98934004b4293
  SHA1: 3905f80a539d37c648a5da1cc6dace16d3516c2c
  SHA256: d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f
  SHA512: cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

- Filesize: 226KB
  MD5: 60219035e32ad00d4c691a1bdc6455fb
  SHA1: 5f3740fcf89a95437ce184cfe22f23ed8b5b9254
  SHA256: e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5
  SHA512: b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 97ef397d8c0187919b2e7c09ae749596
  SHA1: 1e74b4ea57d335055d7310de159dc5d19140de7b
  SHA256: 361beb8132fc146129d0ca807b7e10567b3a3b6a36e02fe4ccd819604048e88f
  SHA512: e498ab260c8f4166fb69375e3fbc952b23f87b234de11a3543a5e733fdca538f3de7de31d5f080b355ee76f1bfeba9b63b6b38a490eed35d4ec9613ebb34ec82