Analysis
max time kernel: 131s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-11-2024 08:07

Behavioral task: behavioral1
Sample: 1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe
Resource: win7-20240903-en (windows7-x64)
6 signatures
150 seconds
General
Target: 1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe
Size: 33KB
MD5: 394720df88d390d4a063f25afac9a951
SHA1: 66e406ca76432ce19f38e0c600aaf568795e3bb4
SHA256: c77b61a7cf2a51edcdba31fdb826171fb37b24ff34b77ca9d782cbd66b6c04e2
SHA512: 1e230188f90a69d80eaa58801bc68dbe03623076cd6a5c6a89df49430408e2a861f5d9eb39d41f083e1f489442efe375d0d34886b0f68b8e1a57ac5e767db1df
SSDEEP: 768:+4fK1pDGkptwyZScCBSUapNgqlGU/fZl+BcgxeAlTF59iKO9hmSURp:ODGkptwyZScCkU4rAUXZcB5xeQF59iKD
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: momentmoney79.duckdns.org:8895
Mutex: TA5i5eNovARcDNUK
Attributes:
install_file: USB.exe
aes.plain
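The extracted config above is the most directly actionable part of the report: the C2 host:port, the mutex and the install file name can be hunted for in telemetry. The following is an added example (not the sandbox's own code) that turns those values into matching rules and runs them over constructed telemetry records; the record layout, the matching rules and the file path under AppData\Roaming are assumptions made for the example, only the IoC values are taken from the report.

```python
"""Hunt for the IoCs in the extracted XWorm config above.

Added example (not part of the sandbox report): the config values are
copied from the report; the telemetry records below are constructed.
"""
from typing import Dict, List, Tuple

# Values taken from the "Malware Config / Extracted" block of the report.
XWORM_CONFIG = {
    "family": "xworm",
    "version": "3.1",
    "c2": ["momentmoney79.duckdns.org:8895"],
    "mutex": "TA5i5eNovARcDNUK",
    "install_file": "USB.exe",
}


def parse_c2(entry: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); the host is lower-cased for matching."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host.lower(), int(port)


def match_events(events: List[Dict], cfg: Dict = XWORM_CONFIG) -> List[Dict]:
    """Return one hit per event that touches a config IoC.

    Matching rules (an assumption for this example, not the sandbox's own):
      dns        -> query name equals a C2 host (port is irrelevant for DNS)
      connect    -> hostname equals a C2 host AND dport equals its port
      mutex      -> exact name match (mutex names are case-sensitive on Windows)
      file_write -> basename equals install_file, case-insensitive (NTFS paths are)
    """
    c2 = dict(parse_c2(e) for e in cfg["c2"])
    hits = []
    for ev in events:
        kind = ev.get("type")
        reason = None
        if kind == "dns" and ev.get("query", "").lower() in c2:
            reason = "dns query for C2 host"
        elif kind == "connect":
            host = ev.get("hostname", "").lower()
            if host in c2 and ev.get("dport") == c2[host]:
                reason = "connection to C2 host:port"
        elif kind == "mutex" and ev.get("name") == cfg["mutex"]:
            reason = "XWorm mutex created"
        elif kind == "file_write":
            name = ev.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1]
            if name.lower() == cfg["install_file"].lower():
                reason = "install_file dropped"
        if reason:
            hits.append({"pid": ev.get("pid"), "type": kind, "reason": reason})
    return hits


# Constructed telemetry for this example. Only PID 1800's records are
# modelled on the report; the drop path and the other PIDs are invented noise.
SAMPLE_EVENTS = [
    {"type": "dns", "pid": 1800, "query": "momentmoney79.duckdns.org"},
    {"type": "connect", "pid": 1800, "hostname": "momentmoney79.duckdns.org", "dport": 8895},
    {"type": "mutex", "pid": 1800, "name": "TA5i5eNovARcDNUK"},
    {"type": "file_write", "pid": 1800, "path": "C:\\Users\\Admin\\AppData\\Roaming\\USB.exe"},
    {"type": "connect", "pid": 1800, "hostname": "momentmoney79.duckdns.org", "dport": 443},  # wrong port: no hit
    {"type": "mutex", "pid": 2048, "name": "ta5i5enovarcdnuk"},  # case differs: no hit
    {"type": "dns", "pid": 404, "query": "www.example.com"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
```

The DNS rule deliberately ignores the port, because a DuckDNS name resolving at all is already worth a look, while the connection rule requires both host and port so that unrelated traffic to the same dynamic-DNS host is not counted twice.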
Signatures
Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/1800-1-0x00000000011E0000-0x00000000011EE000-memory.dmp
yara_rule: family_xworm
Xworm family
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid: 1800, process: 1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege, pid: 1800, process: 1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid: 1800, process: 1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe
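Each of the three behavioural signatures above fires on a single API-level observation, and on its own each is common in benign software (debuggers enumerate processes and take SeDebugPrivilege, input tools install hooks). What makes PID 1800 interesting is that all three land on the same process. The following added example (not the sandbox's own signature engine) correlates the signatures per PID over a constructed API trace; the mapping from API names to signature names, and the trace records themselves, are assumptions made for the example, with PID 1800 modelled on the report.

```python
"""Correlate the report's three behavioural signatures per process.

Added example, not part of the sandbox report. SIGNATURE_APIS is an
assumption about which Win32 APIs each signature name covers; the trace
records are constructed, with PID 1800 mirroring the report.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumed API families behind each signature name used in the report.
SIGNATURE_APIS = {
    "EnumeratesProcesses": {
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
        "EnumProcesses", "NtQuerySystemInformation",
    },
    "AdjustPrivilegeToken": {"AdjustTokenPrivileges"},
    "SetWindowsHookEx": {"SetWindowsHookExA", "SetWindowsHookExW"},
}
# Only privilege adjustments that enable SeDebugPrivilege count, as in the report.
DEBUG_PRIV = "SeDebugPrivilege"


def signatures_for_call(call: Dict) -> Set[str]:
    """Signature names a single API call triggers (possibly none)."""
    api = call.get("api", "")
    fired = set()
    for sig, apis in SIGNATURE_APIS.items():
        if api not in apis:
            continue
        if sig == "AdjustPrivilegeToken" and DEBUG_PRIV not in call.get("args", {}).get("privileges", []):
            continue  # enabling some other privilege is not the behaviour we care about
        fired.add(sig)
    return fired


def correlate(trace: Iterable[Dict]) -> Dict[int, Set[str]]:
    """Map each PID to the set of signatures it triggered anywhere in the trace."""
    per_pid = defaultdict(set)
    for call in trace:
        per_pid[call["pid"]] |= signatures_for_call(call)
    return dict(per_pid)


def suspicious_pids(trace: Iterable[Dict], required=frozenset(SIGNATURE_APIS)) -> List[int]:
    """PIDs that triggered every signature in `required` (all three by default)."""
    return sorted(pid for pid, sigs in correlate(trace).items() if required <= sigs)


# Constructed trace: PID 1800 reproduces the report's three signatures; the
# other PIDs each show one or two of the behaviours and must not be flagged.
SAMPLE_TRACE = [
    {"pid": 1800, "api": "AdjustTokenPrivileges", "args": {"privileges": ["SeDebugPrivilege"]}},
    {"pid": 1800, "api": "CreateToolhelp32Snapshot", "args": {"flags": "TH32CS_SNAPPROCESS"}},
    {"pid": 1800, "api": "Process32Next", "args": {}},
    {"pid": 1800, "api": "SetWindowsHookExW", "args": {}},
    {"pid": 2312, "api": "AdjustTokenPrivileges", "args": {"privileges": ["SeShutdownPrivilege"]}},
    {"pid": 2312, "api": "EnumProcesses", "args": {}},
    {"pid": 3120, "api": "SetWindowsHookExA", "args": {}},
]

if __name__ == "__main__":
    for pid, sigs in sorted(correlate(SAMPLE_TRACE).items()):
        print(pid, sorted(sigs))
    print("flagged:", suspicious_pids(SAMPLE_TRACE))
```

Requiring the full set per PID is what keeps this from firing on every debugger; if a lower threshold is wanted, pass a smaller `required` set rather than loosening the per-call rules.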
Processes
Image: C:\Users\Admin\AppData\Local\Temp\1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1730880366c949f41b4c54cbed7fce25b8de844efb0a6612e8e8891129b97fcd02d628c162662.dat-decoded.exe"
PID: 1800
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx