Analysis
max time kernel: 127s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 09:19
Static task: static1
Behavioral task: behavioral1
Sample: Your file name without extension goes here.exe
Resource: win7-20241023-en
General
Target: Your file name without extension goes here.exe
Size: 378KB
MD5: fbf8e3dc8cbcf036474e0a43a27aa8bd
SHA1: ae8404bdaa3c6a8e115f208f4a63d971061045f9
SHA256: 8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e
SHA512: 4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa
SSDEEP: 6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 69.174.100.131:7000
Mutex: MruG8tu9BvvVUsIA
install_file: USB.exe
Extracted
Family: vipkeylogger
C2: https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 69.174.100.131:6606
Mutex: abkZfsCYRZhk
delay: 10
install: false
install_file: order.exe
install_folder: %AppData%
Signatures
Asyncrat family
Detect Xworm Payload (1 IoC)
resource | yara_rule
behavioral2/memory/376-6-0x0000000000400000-0x000000000040E000-memory.dmp | family_xworm
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lwtofp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kombhd.exe
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
Vipkeylogger family
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\lwtofp.exe = "0" | lwtofp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kombhd.exe = "0" | kombhd.exe
Xworm family
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4120 | powershell.exe
1724 | powershell.exe
4660 | powershell.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | Your file name without extension goes here.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lwtofp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | kombhd.exe
Executes dropped EXE (2 IoCs)
pid | Process
2540 | lwtofp.exe
440 | kombhd.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kombhd.exe = "0" | kombhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Your file name without extension goes here.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\lwtofp.exe = "0" | lwtofp.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CasPol.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CasPol.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CasPol.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Your file name without extension goes here.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lwtofp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lwtofp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kombhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kombhd.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
22 | checkip.dyndns.org
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 4960 set thread context of 376 | 4960 | Your file name without extension goes here.exe | 85
PID 2540 set thread context of 3684 | 2540 | lwtofp.exe | 103
PID 440 set thread context of 4172 | 440 | kombhd.exe | 111
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
4120 | powershell.exe
4120 | powershell.exe
3684 | CasPol.exe
1724 | powershell.exe
4660 | powershell.exe
4660 | powershell.exe
4660 | powershell.exe
1724 | powershell.exe
1724 | powershell.exe
3684 | CasPol.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4120 | powershell.exe
Token: SeDebugPrivilege | 376 | AddInProcess32.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 3684 | CasPol.exe
Token: SeDebugPrivilege | 4660 | powershell.exe
Token: SeDebugPrivilege | 4172 | CasPol.exe
Suspicious use of WriteProcessMemory (49 IoCs; identical rows collapsed, with the repeat count in the last column)
description | pid | Process | procid_target | count
PID 4960 wrote to memory of 4120 | 4960 | Your file name without extension goes here.exe | 83 | 2
PID 4960 wrote to memory of 376 | 4960 | Your file name without extension goes here.exe | 85 | 8
PID 4960 wrote to memory of 1496 | 4960 | Your file name without extension goes here.exe | 86 | 3
PID 376 wrote to memory of 2540 | 376 | AddInProcess32.exe | 97 | 2
PID 376 wrote to memory of 440 | 376 | AddInProcess32.exe | 99 | 2
PID 2540 wrote to memory of 1724 | 2540 | lwtofp.exe | 101 | 2
PID 2540 wrote to memory of 3684 | 2540 | lwtofp.exe | 103 | 8
PID 2540 wrote to memory of 4244 | 2540 | lwtofp.exe | 104 | 3
PID 440 wrote to memory of 4660 | 440 | kombhd.exe | 107 | 2
PID 440 wrote to memory of 316 | 440 | kombhd.exe | 109 | 3
PID 440 wrote to memory of 3300 | 440 | kombhd.exe | 110 | 3
PID 440 wrote to memory of 4172 | 440 | kombhd.exe | 111 | 8
PID 440 wrote to memory of 1036 | 440 | kombhd.exe | 112 | 3
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kombhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lwtofp.exe
outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CasPol.exe
outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CasPol.exe
Processes
(indentation shows the parent/child relationship; the depth number is the one the report gave each process)

[depth 1] C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"
    PID: 4960
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force
        PID: 4120
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID: 376
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Users\Admin\AppData\Local\Temp\lwtofp.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\lwtofp.exe"
            PID: 2540
            - UAC bypass
            - Windows security bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - System policy modification

            [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\lwtofp.exe" -Force
                PID: 1724
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 3684
                - Accesses Microsoft Outlook profiles
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - outlook_office_path
                - outlook_win_path

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 4244

        [depth 3] C:\Users\Admin\AppData\Local\Temp\kombhd.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\kombhd.exe"
            PID: 440
            - UAC bypass
            - Windows security bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - System policy modification

            [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kombhd.exe" -Force
                PID: 4660
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                PID: 316

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                PID: 3300

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 4172
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 1036

    [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID: 1496
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (4)
Downloads
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 232B
MD5: 5fb40c2d4e526e57f24d6bc2022a39e9
SHA1: d7a6c5d08af0c2f5bf02e0943b79bc763d27b0f1
SHA256: 7678d3c0b4f13b796ebb344b3817741991d3ff815d01586e94120a890a97530a
SHA512: 7f26bb7a68c2723c0d9354584827476ea157ce2811e7b81fc28120bd7a186db4a84fdcdecfc8bf04b0b676e72b707c61c131d357f7c3aa84d332d7ca1fe29ba4

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 411KB
MD5: 6dd1839d773d8a3103d2f0fc787ddbbe
SHA1: d22899d1ae01359e7c08fbda233d16b850da0a9e
SHA256: ef8a0def4681e3cd0c7e17f942f6621d7bc2d5f10481f228dbdd1b03349b0fdd
SHA512: a1a84832066080e37ec663b4e305ead319a74223f566c0a0a48d50dc4f10e8fc043bf185fe58f6e0e90a073641ed4a38656f3de5218744d084b6a89e73fc8514

Filesize: 617KB
MD5: 06b3d03afc084f00d61aa01e4f3fc80f
SHA1: e7d831548c5ddf575ecc0d635b00186565f93650
SHA256: 79e062981eefa719b51f0be14bb9e86650e406e92b448ff40748b04244823e9b
SHA512: 7accc0b3836b29e3d0bccde1d3ea5b9437468ffe76d83f27af730b84fa87a38cca1258ced530aae96a0772b181f9cbd01c0504fad7c182f5fe7cf2c004bf1903