Overview

overview

10

Static

static

3

5e5b808ed6...17.exe

windows7-x64

10

5e5b808ed6...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

  • Size

    1.8MB

  • MD5

    58f824a8f6a71da8e9a1acc97fc26d52

  • SHA1

    b0e199e6f85626edebbecd13609a011cf953df69

  • SHA256

    5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17

  • SHA512

    7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

  • SSDEEP

    49152:OA12qngJy5Eptzh8wg9fmH5pKKMmDiuV:OHJyEptzh8n05QHwV

Score
10/10
stormkittyumbralxwormdiscoveryevasionexecutionpyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8080

101.99.92.189:8080
Mutex

d5gQ6Zf7Tzih1Pi1

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 3 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
    "C:\Users\Admin\AppData\Local\Temp\5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Users\Admin\AppData\Local\Temp\iuuiuc.exe
      "C:\Users\Admin\AppData\Local\Temp\iuuiuc.exe"
      2⤵
      • Executes dropped EXE
      PID:3840
    • C:\Users\Admin\AppData\Local\Temp\ddwhqo.exe
      "C:\Users\Admin\AppData\Local\Temp\ddwhqo.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ddwhqo.exe"
        3⤵
        • Views/modifies file attributes
        PID:3996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ddwhqo.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2460
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:4404
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3392
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:3960
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ddwhqo.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:1468
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 3476
          2⤵
          • Program crash
          PID:4560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3252 -ip 3252
        1⤵
          PID:3996

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Persistence

        Privilege Escalation

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        4
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        4
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Virtualization/Sandbox Evasion

        2
        T1497

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          4KB

          MD5

          bdb25c22d14ec917e30faf353826c5de

          SHA1

          6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

          SHA256

          e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

          SHA512

          b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          124edf3ad57549a6e475f3bc4e6cfe51

          SHA1

          80f5187eeebb4a304e9caa0ce66fcd78c113d634

          SHA256

          638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

          SHA512

          b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          cd39f9323f55e90e1676c6ff3ae00245

          SHA1

          135fef9e97783b49d60618363d2b61db5f0c4e04

          SHA256

          0f22945ed958ba16bd71bc407b06eef3946038a9e42b90256d935e8d7e470728

          SHA512

          bd237012c0eca5f86e832b521db4a60436795c65032bf29da41984106c46d4685d6933b61df1e7934e4021b68ec9feb5de80c1ba4445c85982c856b947dc2453

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          948B

          MD5

          3c8a366519ecee9ebe2ece191eac12cc

          SHA1

          4e1f73acf0f809aaecf8f21829d83de6a6d999b5

          SHA256

          1e023a8562e2db778fc8bedf9bd7f9fe5a04b0758501255f685c835637731c1a

          SHA512

          1013cf15e31146bbfba3fdd1a95d5676792b8d69f6e8217f6c494c115e25c825fdd7aecd37c993879ac5a553457d7e3ffc8a2159a91bf83b1b66ca4180257270

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrm0dvk2.2oo.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ddwhqo.exe
          Filesize

          231KB

          MD5

          3ae3cf78d1b188ca228e6e0479acbced

          SHA1

          6aca115b369169f1992d08e5439d5a58b74b4e75

          SHA256

          99748fc0a0e244e2b6c1bbba4a2f8bf548011663d235a2a10b8c908a8128c18f

          SHA512

          3adfbbdfc2eee34bda5c16005a32381113c9d774fdb64ed1896ad736497ab0c4f5493802519c6031ad780e6a1d2e195ffd1b4c6822a89e4fafb2517b1eeff8b2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iuuiuc.exe
          Filesize

          1.6MB

          MD5

          583d187384f6ffb863c6dceb99382413

          SHA1

          f8c93a13105eec96395e4cf0eb9b81d35fa85d5e

          SHA256

          1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322

          SHA512

          ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005

          Download Submit

        • memory/2188-100-0x00000208DE310000-0x00000208DE31A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2188-101-0x00000208DE580000-0x00000208DE59A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2188-99-0x00000208DE540000-0x00000208DE55C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2188-98-0x00000208DE2E0000-0x00000208DE2EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2188-102-0x00000208DE320000-0x00000208DE328000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2188-97-0x00000208DE340000-0x00000208DE3F5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2188-96-0x00000208DE2F0000-0x00000208DE30C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2188-103-0x00000208DE560000-0x00000208DE566000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2188-76-0x00000208DDF60000-0x00000208DDF82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2188-104-0x00000208DE570000-0x00000208DE57A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3252-25-0x000000000A2A0000-0x000000000A2D6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/3252-0-0x0000000000A20000-0x0000000000E96000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/3252-31-0x000000000ABF0000-0x000000000AF44000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3252-32-0x000000000B050000-0x000000000B0B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3252-33-0x000000000B0F0000-0x000000000B112000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3252-34-0x000000000B920000-0x000000000B96C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3252-44-0x000000000CA90000-0x000000000CAAE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3252-45-0x000000000CAB0000-0x000000000CB53000-memory.dmp

          Filesize

          652KB

          Download

        • memory/3252-46-0x000000000CBC0000-0x000000000CBCA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3252-47-0x000000000CBF0000-0x000000000CC01000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3252-48-0x000000000CDA0000-0x000000000CDAE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3252-49-0x000000000CDB0000-0x000000000CDC4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/3252-50-0x000000000CDF0000-0x000000000CE0A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3252-51-0x000000000CE10000-0x000000000CE18000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3252-29-0x000000000A360000-0x000000000A37E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3252-28-0x000000000A310000-0x000000000A332000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3252-201-0x0000000000A20000-0x0000000000E96000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/3252-27-0x000000000A380000-0x000000000A416000-memory.dmp

          Filesize

          600KB

          Download

        • memory/3252-26-0x000000000B170000-0x000000000B7EA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3252-30-0x000000000A470000-0x000000000A4BA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/3252-24-0x000000000A240000-0x000000000A25A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3252-14-0x000000000A4C0000-0x000000000AAE8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3252-13-0x0000000009E40000-0x0000000009E4E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3252-11-0x00000000095D0000-0x0000000009636000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3252-9-0x0000000008120000-0x000000000812A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3252-8-0x0000000008080000-0x0000000008112000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3252-7-0x0000000008280000-0x0000000008824000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3252-5-0x0000000000A20000-0x0000000000E96000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/3252-3-0x0000000007830000-0x00000000078CC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3252-2-0x0000000000A20000-0x0000000000E96000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/3252-160-0x000000000BC70000-0x000000000BD90000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3252-1-0x0000000000A20000-0x0000000000E96000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/5100-123-0x00000272E5490000-0x00000272E54AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5100-138-0x00000272E5470000-0x00000272E547A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5100-139-0x00000272FF400000-0x00000272FF412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5100-122-0x00000272FF530000-0x00000272FF580000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5100-121-0x00000272FF5B0000-0x00000272FF626000-memory.dmp

          Filesize

          472KB

          Download

        • memory/5100-75-0x00000272E4DF0000-0x00000272E4E30000-memory.dmp

          Filesize

          256KB

          Download