Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 12:48
Static task
static1
Behavioral task
behavioral1
Sample
24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe
Resource
win7-20240903-en
General
-
Target
24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe
-
Size
152KB
-
MD5
772e609529a67bd0524c583acf8259dd
-
SHA1
895f2ecf2945796cf20414d63bfeebd6a89d5039
-
SHA256
24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e
-
SHA512
4eccbac440cb2c64d3ec9c284748030e0ab247f2bd48d47e0b5e90caa74a8bf31f867f2505bdceca1f5feffabd0b1a39bd50db323850de33f8315de64fa5b3c1
-
SSDEEP
3072:uWhBzZGqJ1ueo/S11SF1I+sRES/W0KwHVOy0VjHBaeV+jLcTpyq9J:uuBzVJ1upSe/W/4wArBaeVcLcD9
Malware Config
Extracted
xworm
127.0.0.1:46987
germany-equally.gl.at.ply.gg:46987
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Extracted
umbral
https://discord.com/api/webhooks/1304758791119573022/NvFMMmX_pxtti9SmarYx57UbyGiz6U-OIecbcV9_MeGQ9b2_1tu63kv3ZlsU6P8xgPYv
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x000a0000000167dc-17.dat family_umbral behavioral1/memory/2924-20-0x0000000000ED0000-0x0000000000F10000-memory.dmp family_umbral -
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000004e74-12.dat family_xworm behavioral1/memory/2096-19-0x0000000000D00000-0x0000000000D1A000-memory.dmp family_xworm -
Umbral family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2376 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2096 XClient.exe 2924 Umbral.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe" 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2376 powershell.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 2376 powershell.exe Token: SeDebugPrivilege 2096 XClient.exe Token: SeDebugPrivilege 2924 Umbral.exe Token: SeIncreaseQuotaPrivilege 2744 wmic.exe Token: SeSecurityPrivilege 2744 wmic.exe Token: SeTakeOwnershipPrivilege 2744 wmic.exe Token: SeLoadDriverPrivilege 2744 wmic.exe Token: SeSystemProfilePrivilege 2744 wmic.exe Token: SeSystemtimePrivilege 2744 wmic.exe Token: SeProfSingleProcessPrivilege 2744 wmic.exe Token: SeIncBasePriorityPrivilege 2744 wmic.exe Token: SeCreatePagefilePrivilege 2744 wmic.exe Token: SeBackupPrivilege 2744 wmic.exe Token: SeRestorePrivilege 2744 wmic.exe Token: SeShutdownPrivilege 2744 wmic.exe Token: SeDebugPrivilege 2744 wmic.exe Token: SeSystemEnvironmentPrivilege 2744 wmic.exe Token: SeRemoteShutdownPrivilege 2744 wmic.exe Token: SeUndockPrivilege 2744 wmic.exe Token: SeManageVolumePrivilege 2744 wmic.exe Token: 33 2744 wmic.exe Token: 34 2744 wmic.exe Token: 35 2744 wmic.exe Token: SeIncreaseQuotaPrivilege 2744 wmic.exe Token: SeSecurityPrivilege 2744 wmic.exe Token: SeTakeOwnershipPrivilege 2744 wmic.exe Token: SeLoadDriverPrivilege 2744 wmic.exe Token: SeSystemProfilePrivilege 2744 wmic.exe Token: SeSystemtimePrivilege 2744 wmic.exe Token: SeProfSingleProcessPrivilege 2744 wmic.exe Token: SeIncBasePriorityPrivilege 2744 wmic.exe Token: SeCreatePagefilePrivilege 2744 wmic.exe Token: SeBackupPrivilege 2744 wmic.exe Token: SeRestorePrivilege 2744 wmic.exe Token: SeShutdownPrivilege 2744 wmic.exe Token: SeDebugPrivilege 2744 wmic.exe Token: SeSystemEnvironmentPrivilege 2744 wmic.exe Token: SeRemoteShutdownPrivilege 2744 wmic.exe Token: SeUndockPrivilege 2744 wmic.exe Token: SeManageVolumePrivilege 2744 wmic.exe Token: 33 2744 wmic.exe Token: 34 2744 wmic.exe Token: 35 2744 wmic.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2376 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 31 PID 2408 wrote to memory of 2376 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 31 PID 2408 wrote to memory of 2376 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 31 PID 2408 wrote to memory of 2096 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 33 PID 2408 wrote to memory of 2096 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 33 PID 2408 wrote to memory of 2096 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 33 PID 2408 wrote to memory of 2924 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 34 PID 2408 wrote to memory of 2924 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 34 PID 2408 wrote to memory of 2924 2408 24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe 34 PID 2924 wrote to memory of 2744 2924 Umbral.exe 35 PID 2924 wrote to memory of 2744 2924 Umbral.exe 35 PID 2924 wrote to memory of 2744 2924 Umbral.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe"C:\Users\Admin\AppData\Local\Temp\24e67548df5a641935f0c8334190ac289a50b02a140a0f2a2f9897581a5e9d7e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
233KB
MD568cc8b6cb62ccafd2164688aa9079c38
SHA100a7ff14c1d6aaaa7921377381973248cf22f45a
SHA256cda8731bc2db15706f12e31ef88936ba9fcb89c8196240d4edf219fa66d9392c
SHA5128e357507ff583f66f6b8df5803753d1c902071799b65b3a14dedd27e3096f70c2ba990a859e1616704f88cd50c74342403142e8fde20eb674c803fa895d04336
-
Filesize
76KB
MD597924f4b04d2862e64dc337305b35b90
SHA15b334f61445cdfb81e4e555f5efbd5e04f69b300
SHA2561c4f098217b53793dd2d0a3881ce37de2132a6a6bdae54c007a97506296b26de
SHA51244e66200a4dfb0f504abf033a4a8dd883ef5582c4d569e2f3b1c128bdf826fec854ccc6760a7e45e217c4a5c495c08898f32ac3cf0da623a5938459677157085