Analysis

max time kernel: 135s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 07:54

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20241010-en
General

Target: file.exe
Size: 16KB
MD5: 54ec587044fdff4bfd0029946041a109
SHA1: 242cc5fdd5c75a02776f1f5e526cc42cf138b313
SHA256: e666b2644c35f564041ad18c5125f1677255f05421ad18785aed42bfb3ac5adf
SHA512: 6e2c9f3b3850c021b0db78af02f37e6fe1b32bd046ba5767b0499f2c4af11586e167c80235258b5536bcfece567a18f2e2eca6a107e60d5efb62a65175049046
SSDEEP: 384:vQ/pw4zDzEe2PGVMN0kc/aw9BsjGpATcQC:vj4EebD+a26
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:8895
C2: 162.230.48.189:8895
(value extracted without a label): ZRGtN7NDh24Vx89x
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
  resource                                                                        yara_rule
  behavioral2/memory/1400-2209-0x0000000000720000-0x0000000000730000-memory.dmp  family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource                                                                        yara_rule
  behavioral2/memory/1400-3312-0x00000000075D0000-0x00000000076EE000-memory.dmp  family_stormkitty
  (Both payload matches come from memory dumps of PID 1400, the second InstallUtil.exe in the process tree below.)

Stormkitty family

Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  description            pid   Process              procid_target
  PID 2180 created 3476  2180  tmpA45E.tmp.exe      56
  PID 1776 created 3476  1776  aspnet_compiler.exe  56
  PID 3224 created 3476  3224  tmp13AD.tmp.exe      56
  (PID 3476 is C:\Windows\Explorer.EXE in the process tree below: each creator passed Explorer's PID as the parent of the process it spawned, so the child is displayed under Explorer rather than under its real creator.)

Xworm family

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  file.exe
  Key value queried  (same key)                                                                                            tmpA45E.tmp.exe
  Key value queried  (same key)                                                                                            cohmwy.exe
  Key value queried  (same key)                                                                                            tmp13AD.tmp.exe

Drops startup file (1 IoC)
  description   ioc                                                                                          Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ContextID.vbs  tmpA45E.tmp.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  2180  tmpA45E.tmp.exe
  3636  cohmwy.exe
  3224  tmp13AD.tmp.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   Process              procid_target
  PID 2180 set thread context of 4244   2180  tmpA45E.tmp.exe      98
  PID 4244 set thread context of 1776   4244  InstallUtil.exe      108
  PID 1776 set thread context of 1400   1776  aspnet_compiler.exe  113
  PID 3224 set thread context of 5276   3224  tmp13AD.tmp.exe      132

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  5444  1400        WerFault.exe  113

System Location Discovery: System Language Discovery (1 TTP, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process (number of rows)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (6), ipconfig.exe (6), InstallUtil.exe (3), file.exe (1), tmpA45E.tmp.exe (1), tmp13AD.tmp.exe (1), aspnet_compiler.exe (1), cohmwy.exe (1)
  (All 20 rows open the same key; the table is condensed by process.)

Gathers network information (2 TTPs, 6 IoCs)
Uses a command-line utility to view the network configuration.
  pid   Process
  4968  ipconfig.exe
  5116  ipconfig.exe
  2004  ipconfig.exe
  3340  ipconfig.exe
  704   ipconfig.exe
  1500  ipconfig.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4244  InstallUtil.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process              rows
  2180  tmpA45E.tmp.exe      4
  1776  aspnet_compiler.exe  2
  3224  tmp13AD.tmp.exe      4

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description              pid   Process              rows
  Token: SeDebugPrivilege  4508  file.exe             1
  Token: SeDebugPrivilege  2180  tmpA45E.tmp.exe      2
  Token: SeDebugPrivilege  4244  InstallUtil.exe      1
  Token: SeDebugPrivilege  1776  aspnet_compiler.exe  2
  Token: SeDebugPrivilege  1400  InstallUtil.exe      1
  Token: SeDebugPrivilege  3636  cohmwy.exe           1
  Token: SeDebugPrivilege  3224  tmp13AD.tmp.exe      2

Suspicious use of WriteProcessMemory (64 IoCs; condensed to one line per writer/target pair, with the number of identical rows)
  writer pid  writer Process       target pid  procid_target  rows
  4508        file.exe             2180        87             3
  2180        tmpA45E.tmp.exe      5044        93             3
  5044        cmd.exe              4968        95             3
  2180        tmpA45E.tmp.exe      4244        98             8
  2180        tmpA45E.tmp.exe      1404        99             3
  1404        cmd.exe              5116        101            3
  4244        InstallUtil.exe      1776        108            8
  1776        aspnet_compiler.exe  3852        109            3
  3852        cmd.exe              2004        111            3
  1776        aspnet_compiler.exe  1400        113            8
  1776        aspnet_compiler.exe  856         114            3
  856         cmd.exe              3340        116            3
  1400        InstallUtil.exe      3636        118            3
  3636        cohmwy.exe           3224        120            3
  3224        tmp13AD.tmp.exe      2068        122            3
  2068        cmd.exe              704         124            3
  3224        tmp13AD.tmp.exe      5276        132            1 (the list is capped at 64 rows)
  (The three targets written eight times each, 4244, 1776 and 1400, are the same processes that receive SetThreadContext above; the three-row pairs are ordinary parent-to-child writes at process start.)
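The SetThreadContext and NtCreateUserProcessOtherParentProcess rows above are easier to reason about as a graph than as a table. The script below is an added example (not part of this report or of the sandbox) that parses those rows exactly as printed, follows the injector-to-target edges to recover the full hollowing sequence, and pairs each creator that supplied an explicit parent handle with the process it then injected into. The PID-to-image map is copied from the process tree; the one assumption, stated in the code, is that the process a creator launched with the spoofed parent is the same one it then SetThreadContext'ed, which is what the tree shows for PIDs 4244, 1400 and 5276.

```python
"""Rebuild the injection chain and the spoofed parents from this report's
signature rows. SET_THREAD_CONTEXT and OTHER_PARENT are copied verbatim from
the 'Suspicious use of SetThreadContext' and
'Suspicious use of NtCreateUserProcessOtherParentProcess' tables; PROCESSES is
taken from the process tree. Everything else is added example code."""
import re
from collections import defaultdict

# PID -> image name, from the Processes section of this report.
PROCESSES = {
    3476: "Explorer.EXE", 4508: "file.exe", 2180: "tmpA45E.tmp.exe",
    4244: "InstallUtil.exe", 1776: "aspnet_compiler.exe",
    1400: "InstallUtil.exe", 3636: "cohmwy.exe", 3224: "tmp13AD.tmp.exe",
    5276: "InstallUtil.exe",
}

SET_THREAD_CONTEXT = """\
PID 2180 set thread context of 4244 2180 tmpA45E.tmp.exe 98
PID 4244 set thread context of 1776 4244 InstallUtil.exe 108
PID 1776 set thread context of 1400 1776 aspnet_compiler.exe 113
PID 3224 set thread context of 5276 3224 tmp13AD.tmp.exe 132
"""

OTHER_PARENT = """\
PID 2180 created 3476 2180 tmpA45E.tmp.exe 56
PID 1776 created 3476 1776 aspnet_compiler.exe 56
PID 3224 created 3476 3224 tmp13AD.tmp.exe 56
"""

# Row layout: "PID <pid> <verb> <other pid> <pid> <image> <procid_target>".
STC_ROW = re.compile(r"PID (\d+) set thread context of (\d+) \1 \S+ \d+")
PARENT_ROW = re.compile(r"PID (\d+) created (\d+) \1 \S+ \d+")


def parse_rows(text, pattern):
    """Return (pid, other_pid) for every row that matches the pattern."""
    pairs = []
    for line in text.splitlines():
        m = pattern.fullmatch(line.strip())
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def hollowing_chains(edges):
    """Root-to-leaf paths over (injector, target) edges. A target that
    injects onward extends the same chain, so a multi-stage hollowing
    sequence comes out as one path."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = [src for src in children if src not in targets]
    paths = []

    def walk(pid, path):
        if pid not in children:
            paths.append(path)
            return
        for nxt in children[pid]:
            walk(nxt, path + [nxt])

    for root in roots:
        walk(root, [root])
    return paths


def spoofed_parents(parent_rows, stc_edges):
    """Map each hollowed child to its real creator and the parent PID the
    creator supplied. Assumption (it matches the tree in this report, where
    PIDs 4244, 1400 and 5276 all sit directly under Explorer.EXE): the
    process a creator launched with an explicit parent handle is the one
    it then SetThreadContext'ed into."""
    targets_of = defaultdict(list)
    for src, dst in stc_edges:
        targets_of[src].append(dst)
    result = {}
    for creator, claimed in parent_rows:
        for child in targets_of.get(creator, []):
            result[child] = {"creator": creator, "claimed_parent": claimed}
    return result


def describe(pids):
    """'image(pid) -> image(pid) ...' for a list of PIDs."""
    return " -> ".join(f"{PROCESSES.get(p, '?')}({p})" for p in pids)


if __name__ == "__main__":
    stc = parse_rows(SET_THREAD_CONTEXT, STC_ROW)
    for chain in hollowing_chains(stc):
        print("hollowing chain:", describe(chain))
    spoofed = spoofed_parents(parse_rows(OTHER_PARENT, PARENT_ROW), stc)
    for child, info in spoofed.items():
        print(f"{describe([child])}: created by {describe([info['creator']])},"
              f" parent recorded as {describe([info['claimed_parent']])}")
```

Run as-is it prints one four-stage chain (tmpA45E.tmp.exe into InstallUtil.exe into aspnet_compiler.exe into InstallUtil.exe) and one two-stage chain (tmp13AD.tmp.exe into InstallUtil.exe), and reports that the three InstallUtil.exe instances were created by 2180, 1776 and 3224 while claiming Explorer.EXE as parent. The same two functions work on any sandbox output that exposes injector/target and creator/claimed-parent pairs.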
Processes

(Indentation shows the parent/child relation the sandbox recorded. The three argument-less InstallUtil.exe instances, PIDs 4244, 1400 and 5276, appear directly under Explorer.EXE; that placement is consistent with the NtCreateUserProcessOtherParentProcess rows above, in which PIDs 2180, 1776 and 3224 each created a process with Explorer's PID 3476 as its parent.)

Explorer.EXE  (PID 3476)
  image: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

  file.exe  (PID 4508)
    image: C:\Users\Admin\AppData\Local\Temp\file.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    tmpA45E.tmp.exe  (PID 2180)
      image: C:\Users\Admin\AppData\Local\Temp\tmpA45E.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmpA45E.tmp.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      cmd.exe  (PID 5044)
        image: C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        ipconfig.exe  (PID 4968)
          image: C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig /release
          - System Location Discovery: System Language Discovery
          - Gathers network information

      cmd.exe  (PID 1404)
        image: C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        ipconfig.exe  (PID 5116)
          image: C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig /renew
          - System Location Discovery: System Language Discovery
          - Gathers network information

  InstallUtil.exe  (PID 4244)
    image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    aspnet_compiler.exe  (PID 1776)
      image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      cmd.exe  (PID 3852)
        image: C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        ipconfig.exe  (PID 2004)
          image: C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig /release
          - System Location Discovery: System Language Discovery
          - Gathers network information

      cmd.exe  (PID 856)
        image: C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        ipconfig.exe  (PID 3340)
          image: C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig /renew
          - System Location Discovery: System Language Discovery
          - Gathers network information

  InstallUtil.exe  (PID 1400)
    image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    cohmwy.exe  (PID 3636)
      image: C:\Users\Admin\AppData\Local\Temp\cohmwy.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\cohmwy.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      tmp13AD.tmp.exe  (PID 3224)
        image: C:\Users\Admin\AppData\Local\Temp\tmp13AD.tmp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp13AD.tmp.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        cmd.exe  (PID 2068)
          image: C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          ipconfig.exe  (PID 704)
            image: C:\Windows\SysWOW64\ipconfig.exe
            command line: ipconfig /release
            - System Location Discovery: System Language Discovery
            - Gathers network information

        cmd.exe  (PID 5628)
          image: C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
          - System Location Discovery: System Language Discovery

          ipconfig.exe  (PID 1500)
            image: C:\Windows\SysWOW64\ipconfig.exe
            command line: ipconfig /renew
            - System Location Discovery: System Language Discovery
            - Gathers network information

    WerFault.exe  (PID 5444)
      image: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 2776
      - Program crash

  InstallUtil.exe  (PID 5276)
    image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - System Location Discovery: System Language Discovery

WerFault.exe  (PID 2724)
  image: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400
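Two patterns in this tree translate directly into endpoint detections: a .NET framework utility (InstallUtil.exe, aspnet_compiler.exe) started with no arguments at all, which here is always a SetThreadContext target, and a parent that runs `cmd.exe /c ipconfig /release` followed by `/renew`, which every stage in the chain does. The script below is an added example, not part of this report, that implements both checks over records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage, ProcessId, ParentProcessId, UtcTime). The sample events are constructed from the tree above: PIDs, images and command lines are the report's, the timestamps are invented, and the `DOTNET_HOSTS` and `USER_WRITABLE` lists are my own starting points rather than anything the report states.

```python
"""Detection logic for two behaviours visible in this report's process tree,
run over process-creation events shaped like Sysmon Event ID 1. EVENTS is
constructed from the tree: the PIDs, images and command lines are the
report's, the timestamps are invented. Added example code, not part of the
report or of any product."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# .NET utilities that appear in this tree as argument-less hollowing hosts
# (assumed starting list; extend for your environment).
DOTNET_HOSTS = {"installutil.exe", "aspnet_compiler.exe"}
# Parent locations that raise the severity of the ipconfig pattern (assumed).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming")

T0 = datetime(2024, 11, 5, 7, 55, 0)  # invented base time for the events
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
CMD_LINE = r'"C:\Windows\System32\cmd.exe"'  # WoW64 redirection, as in the tree
EXPLORER = r"C:\Windows\Explorer.EXE"


def quoted(path):
    return '"' + path + '"'


def ev(seconds, pid, image, cmdline, ppid, pimage):
    """One Sysmon-style process-creation record."""
    return {"UtcTime": T0 + timedelta(seconds=seconds), "ProcessId": pid,
            "Image": image, "CommandLine": cmdline,
            "ParentProcessId": ppid, "ParentImage": pimage}


EVENTS = [  # constructed from the report's process tree
    ev(0, 4508, TEMP + r"\file.exe", quoted(TEMP + r"\file.exe"), 3476, EXPLORER),
    ev(2, 2180, TEMP + r"\tmpA45E.tmp.exe", quoted(TEMP + r"\tmpA45E.tmp.exe"),
       4508, TEMP + r"\file.exe"),
    ev(3, 5044, CMD_IMAGE, CMD_LINE + " /c ipconfig /release",
       2180, TEMP + r"\tmpA45E.tmp.exe"),
    ev(6, 4244, NET + r"\InstallUtil.exe", quoted(NET + r"\InstallUtil.exe"),
       3476, EXPLORER),
    ev(8, 1404, CMD_IMAGE, CMD_LINE + " /c ipconfig /renew",
       2180, TEMP + r"\tmpA45E.tmp.exe"),
    ev(10, 1776, NET + r"\aspnet_compiler.exe", quoted(NET + r"\aspnet_compiler.exe"),
       4244, NET + r"\InstallUtil.exe"),
    ev(11, 3852, CMD_IMAGE, CMD_LINE + " /c ipconfig /release",
       1776, NET + r"\aspnet_compiler.exe"),
    ev(14, 856, CMD_IMAGE, CMD_LINE + " /c ipconfig /renew",
       1776, NET + r"\aspnet_compiler.exe"),
    ev(16, 1400, NET + r"\InstallUtil.exe", quoted(NET + r"\InstallUtil.exe"),
       3476, EXPLORER),
]


def argless_dotnet_hosts(events):
    """A CLR utility launched with no arguments does nothing useful on its
    own; every such launch in this tree is a SetThreadContext target.
    Returns (pid, parent image basename) per hit."""
    hits = []
    for e in events:
        image = ntpath.basename(e["Image"]).lower()
        bare = e["CommandLine"].strip().strip('"').lower()
        if image in DOTNET_HOSTS and bare == e["Image"].lower():
            hits.append((e["ProcessId"], ntpath.basename(e["ParentImage"])))
    return hits


def ipconfig_release_renew(events, window=timedelta(seconds=60)):
    """A parent that runs 'cmd /c ipconfig /release' and then '/renew'
    within the window. Severity is 'high' when the parent lives in a
    user-writable directory. Returns (parent pid, parent basename, severity)."""
    shells = defaultdict(list)
    for e in events:
        if ntpath.basename(e["Image"]).lower() == "cmd.exe" \
                and "ipconfig" in e["CommandLine"].lower():
            shells[e["ParentProcessId"]].append(e)
    hits = []
    for ppid, evs in shells.items():
        releases = [x for x in evs if "/release" in x["CommandLine"].lower()]
        renews = [x for x in evs if "/renew" in x["CommandLine"].lower()]
        if any(timedelta(0) <= rn["UtcTime"] - rl["UtcTime"] <= window
               for rl in releases for rn in renews):
            pimage = evs[0]["ParentImage"]
            sev = "high" if any(p in pimage.lower() for p in USER_WRITABLE) else "medium"
            hits.append((ppid, ntpath.basename(pimage), sev))
    return hits


if __name__ == "__main__":
    for pid, parent in argless_dotnet_hosts(EVENTS):
        print(f"argument-less .NET host PID {pid}, parent {parent}")
    for ppid, parent, sev in ipconfig_release_renew(EVENTS):
        print(f"ipconfig release/renew from PID {ppid} ({parent}): {sev}")
```

On the constructed events the first check flags PIDs 4244, 1776 and 1400 and the second flags PIDs 2180 and 1776. Note that a bare ParentProcessId from a creation event is exactly what the spoofed-parent technique manipulates: the argument-less host check fires regardless of who the recorded parent is, which is why it is the more robust of the two against this sample's chain.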
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16KB (identical hashes to the submitted sample)
MD5: 54ec587044fdff4bfd0029946041a109
SHA1: 242cc5fdd5c75a02776f1f5e526cc42cf138b313
SHA256: e666b2644c35f564041ad18c5125f1677255f05421ad18785aed42bfb3ac5adf
SHA512: 6e2c9f3b3850c021b0db78af02f37e6fe1b32bd046ba5767b0499f2c4af11586e167c80235258b5536bcfece567a18f2e2eca6a107e60d5efb62a65175049046

Filesize: 1.4MB
MD5: 3d3459b0630ce9dc45b177b697ca23a0
SHA1: 0245c62e5155dd121bd3b31af02e5bf62bb01e71
SHA256: 40d07a9b787d52381da6ce75c088f62eb009baffd98858660670715976ad7cc5
SHA512: 2016ada15909d95c7518cf8f803f1ecd05c8f1d1325be1e8c2ac3c7e5b24e9da58dccef9ac7e978e660bbe4f93096d2e483f84ac8b088d72e119b76f2f4d56b9