Analysis
-
max time kernel
94s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-11-2024 20:48
General
-
Target
TalibanStealerInstaller.exe
-
Size
4.1MB
-
MD5
7531fbb7431039bda2b19160e0b9c2d4
-
SHA1
b7f4a971ebf8128ee1ea7cb764b9582fb73b8002
-
SHA256
6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8
-
SHA512
5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487
-
SSDEEP
98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE
Malware Config
Extracted
xworm
lijaligibidu-35558.portmap.host:35558
-
Install_directory
%AppData%
-
install_file
Windows Security.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBjACMAPgA="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5cfaac099faa4f0fb899d2a76f99cbcd8
SHA176c3f39fd29986ae510b8d0f69550247371236c9
SHA25681b59bdb9e991889baab741d8edfd11f34314f52524263a0cc7609330ba9025c
SHA51265f2fbd0a4599ecd278096a612ba2f540ffb3275db1340f2736e3fc65f789a538a7633fe3bf6bdfd5b45285d079cbfe0006b3e9e0a8927512b4da1a1f379c99b
-
Filesize
2.5MB
MD5cdfcc41584dcd2a57da70353cb9955a8
SHA178b0a8cda3187d7ba842c9148446da5c628370b5
SHA256be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3
SHA5124db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc
-
Filesize
1018KB
MD5d8cdeec022d5fda0ab78a7ecc9efa3ae
SHA13cb31d1646d3f63019a0c3745d3f2c62bdaab243
SHA256e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea
SHA5124ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
971KB
MD526efc684ddd0782b295a6ee4a76e3256
SHA108cc73ef5c1b02e09765181a5acee1a7018dcffc
SHA256bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab
SHA51220ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49
-
Filesize
3.7MB
MD50bd9c3971db333e1ccc5c327c4b06baa
SHA12e319ceb3f8fd1cd61d5e40002e493117ed9321d
SHA256651b7894bf375daa0ec4d1fe71ba43f5fd3fcf62363d4141a767f7c8abedb216
SHA512997b7356d55218f72e289b95b6170fb7c8998a2caedc19614d118f6566453301403339a3db6a0a9b8b9d73feb17947661571040a458e938c7db649b637bb39bb
-
Filesize
75KB
MD5cf219a189dae4a022f26dd58cd5367e6
SHA176c2e7b756e894afc4e5fd7267fce398d58c518f
SHA256725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe
SHA51221dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
68KB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
8KB
-
Filesize
4.1MB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
1.3MB
-
Filesize
2.5MB
-
Filesize
1000KB