Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2024 17:13
Behavioral task
behavioral1
Sample
Versal Client Beta.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Versal Client Beta.exe
Resource
win10v2004-20241007-en
General
-
Target
Versal Client Beta.exe
-
Size
68KB
-
MD5
3e7d64259b363be8f8d3ad5ce94943f4
-
SHA1
7e2fa2fb30069c3a7ce3f523440497d30ff6164f
-
SHA256
992fa7f194c76a9e6155a13ef849ae3fe55c3bd7954d3a08cff1719fdd16ae1b
-
SHA512
cadd51b55ad4ee21ed3c21bc462d034122fb5068c5bd8b82e61f2019c72d70c01f7c3892c916da6b89c39ba73ff9e65e6f52115fac3abc929796194008f0fca4
-
SSDEEP
1536:SDhdopFOmcMwSlUHbHzMiwO7EsxNbqFDAkIhQ+pnOhZ46+2dTR1:7OMjYbYiwv6NbqDXQnOPx+Y1
Malware Config
Extracted
xworm
slipprz.duckdns.org:7214
-
Install_directory
%LocalAppData%
-
install_file
win32services.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/memory/3220-1-0x00000000007D0000-0x00000000007E8000-memory.dmp family_xworm behavioral2/files/0x0007000000023cc5-10.dat family_xworm -
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Versal Client Beta.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win32services.lnk Versal Client Beta.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win32services.lnk Versal Client Beta.exe -
Executes dropped EXE 2 IoCs
pid Process 3664 win32services.exe 3056 win32services.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32services = "C:\\Users\\Admin\\AppData\\Local\\win32services.exe" Versal Client Beta.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4744 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3220 Versal Client Beta.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3220 Versal Client Beta.exe Token: SeDebugPrivilege 3220 Versal Client Beta.exe Token: SeDebugPrivilege 3664 win32services.exe Token: SeDebugPrivilege 3056 win32services.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3220 Versal Client Beta.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3220 wrote to memory of 4744 3220 Versal Client Beta.exe 89 PID 3220 wrote to memory of 4744 3220 Versal Client Beta.exe 89 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Versal Client Beta.exe"C:\Users\Admin\AppData\Local\Temp\Versal Client Beta.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win32services" /tr "C:\Users\Admin\AppData\Local\win32services.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4744
-
-
C:\Users\Admin\AppData\Local\win32services.exeC:\Users\Admin\AppData\Local\win32services.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
C:\Users\Admin\AppData\Local\win32services.exeC:\Users\Admin\AppData\Local\win32services.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
68KB
MD53e7d64259b363be8f8d3ad5ce94943f4
SHA17e2fa2fb30069c3a7ce3f523440497d30ff6164f
SHA256992fa7f194c76a9e6155a13ef849ae3fe55c3bd7954d3a08cff1719fdd16ae1b
SHA512cadd51b55ad4ee21ed3c21bc462d034122fb5068c5bd8b82e61f2019c72d70c01f7c3892c916da6b89c39ba73ff9e65e6f52115fac3abc929796194008f0fca4