Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 17:38
Behavioral task
behavioral1
Sample
FatalityCrack.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FatalityCrack.exe
Resource
win10v2004-20241007-en
General
-
Target
FatalityCrack.exe
-
Size
74KB
-
MD5
44217b6e8f45f82ebffe92321639290b
-
SHA1
6bd7da4585d438bc28d5350b9415b6d73b32e807
-
SHA256
657dcc3378b3dbbd131926612fb00e67683ccbc64dc2d743fce213734804f427
-
SHA512
a68f7f194aadd63dcfad5af49dac4def19748e8fb657ab4cc06b514a1a7a2f5fb42424cb1a54a259987487558f2f2c950a1fd219a59f9b27ef826774ae27e7c8
-
SSDEEP
1536:FNhc3BhmLTzjuReXV2y+bo0QnRr6wDeTJPovOoRnaRxsZP:1cxEWRsV2y+boveoOoRN5
Malware Config
Extracted
xworm
userxmorma-27072.portmap.host:27072
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot8050356849:AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/4932-1-0x0000000000CA0000-0x0000000000CB8000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2648 powershell.exe 3728 powershell.exe 428 powershell.exe 2308 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation FatalityCrack.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk FatalityCrack.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk FatalityCrack.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" FatalityCrack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 2648 powershell.exe 2648 powershell.exe 3728 powershell.exe 3728 powershell.exe 428 powershell.exe 428 powershell.exe 2308 powershell.exe 2308 powershell.exe 4932 FatalityCrack.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4932 FatalityCrack.exe Token: SeDebugPrivilege 2648 powershell.exe Token: SeDebugPrivilege 3728 powershell.exe Token: SeDebugPrivilege 428 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 4932 FatalityCrack.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4932 FatalityCrack.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4932 wrote to memory of 2648 4932 FatalityCrack.exe 84 PID 4932 wrote to memory of 2648 4932 FatalityCrack.exe 84 PID 4932 wrote to memory of 3728 4932 FatalityCrack.exe 86 PID 4932 wrote to memory of 3728 4932 FatalityCrack.exe 86 PID 4932 wrote to memory of 428 4932 FatalityCrack.exe 88 PID 4932 wrote to memory of 428 4932 FatalityCrack.exe 88 PID 4932 wrote to memory of 2308 4932 FatalityCrack.exe 90 PID 4932 wrote to memory of 2308 4932 FatalityCrack.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD509c38bf09493920e93b25f37f1ae4efe
SHA142e5d800056f08481870c4ca2d0d48181ca8edc8
SHA25637874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255
SHA51291eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123
-
Filesize
944B
MD528ca58288d3b7a6216f69a56b0f34fbe
SHA1802089360b715e7c22cccd7b95ab4325ee389d87
SHA25628033c0eddc6226e5f1d6f4362eff8407ce196e97821bc63ab260f2af929482a
SHA512af4099c677d0122bc40599314ead2c4c69d254b4670baa42cf74906f28a16ac1e93bfa11e76ae9b23840f24decb4cdde82bfc039bda5297a07e5f2949b48b001
-
Filesize
944B
MD501fff31a70e26012f37789b179059e32
SHA1555b6f05cce7daf46920df1c01eb5c55dc62c9e6
SHA256adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b
SHA512ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b
-
Filesize
944B
MD5fd98baf5a9c30d41317663898985593b
SHA1ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA2569d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82