Analysis
max time kernel: 148s
max time network: 139s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 03-12-2024 16:31
Static task: static1
General
Target: change your map in 5s.exe
Size: 103KB
MD5: 8544b7a07ac964e9398db5ced02de51f
SHA1: 9dd166931a20c364bf91726b19a8c66fc18495e0
SHA256: d75d921b14ef15d53625282a961bfe8815c076c250fc6d06a4d535f4256beecd
SHA512: 3f2b24bf952b73954bbc2495423bebef7d44848a76a26a52bfd3521ef330389a81fddf963d3b2e5170a0381900fbc27a0aa900b1d8eea6009a94ec45f1e6c55d
SSDEEP: 1536:G0H/ps0R8ZAfDjxRux8iPtCofEJSnknpHQINH+IIdRh8z9z1cQTnr45LpF/9:VRs0YyLasMEgnD8Ib6zRnALpH
Malware Config
Extracted
Family: xworm
Version: 5.0
127.0.0.1:14333
previous-contests.gl.at.ply.gg:14333
GH9VJU0DztsBgWNu
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Detect Xworm Payload (1 IoC)
resource | yara_rule
behavioral1/memory/3452-2-0x000001E8F2500000-0x000001E8F2510000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3824 | powershell.exe
912 | powershell.exe
4524 | powershell.exe
2092 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | change your map in 5s.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | change your map in 5s.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | change your map in 5s.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
3824 | powershell.exe
3824 | powershell.exe
912 | powershell.exe
912 | powershell.exe
4524 | powershell.exe
4524 | powershell.exe
2092 | powershell.exe
2092 | powershell.exe
3452 | change your map in 5s.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description (Token) | pid | Process, grouped per process in the order recorded:
pid 3452 change your map in 5s.exe: SeDebugPrivilege
pid 3824 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 912 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4524 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3452 | change your map in 5s.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3452 wrote to memory of 3824 | 3452 | change your map in 5s.exe | 81
PID 3452 wrote to memory of 3824 | 3452 | change your map in 5s.exe | 81
PID 3452 wrote to memory of 912 | 3452 | change your map in 5s.exe | 87
PID 3452 wrote to memory of 912 | 3452 | change your map in 5s.exe | 87
PID 3452 wrote to memory of 4524 | 3452 | change your map in 5s.exe | 89
PID 3452 wrote to memory of 4524 | 3452 | change your map in 5s.exe | 89
PID 3452 wrote to memory of 2092 | 3452 | change your map in 5s.exe | 92
PID 3452 wrote to memory of 2092 | 3452 | change your map in 5s.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\change your map in 5s.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\change your map in 5s.exe"
  PID: 3452
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\change your map in 5s.exe'
    PID: 3824
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'change your map in 5s.exe'
    PID: 912
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    PID: 4524
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 2092
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 3eb3833f769dd890afc295b977eab4b4
SHA1: e857649b037939602c72ad003e5d3698695f436f
SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Filesize: 1KB
MD5: af1cc13f412ef37a00e668df293b1584
SHA1: 8973b3e622f187fcf484a0eb9fa692bf3e2103cb
SHA256: 449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037
SHA512: 75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Filesize: 1KB
MD5: 9a194f191956e9bf257c5b594e7a994a
SHA1: 46dd61af2c025a8b3c74017d56d309154e6a1efc
SHA256: fe8468f17b76f055c7f4fddf99d2ef65306cc96758f74aee40b7d483472fdf59
SHA512: 2134edf7e90fe0a3cb57ac79276ee1055f4050027f87481864cedeadeccee10b743f15bb4afed867bc9d23144b1c2e80ac8ca22effcc4bfc9d3aa8dfe4891d3b

Filesize: 1KB
MD5: e2e441208a8298347bd824130a479e5d
SHA1: 8277105d8ac8c46ab73b148c1c3d28ed373edc5a
SHA256: d5361c3fcb6650f42e891732b821e2a6cea4c51d1c45b8a5392a07456d98418e
SHA512: d28fc3c85b97aaf172c506a548e0d23f528c1374a81d834160e2a90d5d045b131ebed5ec5571eaebdff7fa3a12b4e4287bfe1030003b5bf26493d1a141eb9022

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82