Analysis
-
max time kernel
132s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 17:43
Behavioral task
behavioral1
Sample
FatalityCrack.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FatalityCrack.exe
Resource
win10v2004-20241007-en
General
-
Target
FatalityCrack.exe
-
Size
74KB
-
MD5
44217b6e8f45f82ebffe92321639290b
-
SHA1
6bd7da4585d438bc28d5350b9415b6d73b32e807
-
SHA256
657dcc3378b3dbbd131926612fb00e67683ccbc64dc2d743fce213734804f427
-
SHA512
a68f7f194aadd63dcfad5af49dac4def19748e8fb657ab4cc06b514a1a7a2f5fb42424cb1a54a259987487558f2f2c950a1fd219a59f9b27ef826774ae27e7c8
-
SSDEEP
1536:FNhc3BhmLTzjuReXV2y+bo0QnRr6wDeTJPovOoRnaRxsZP:1cxEWRsV2y+boveoOoRN5
Malware Config
Extracted
xworm
userxmorma-27072.portmap.host:27072
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot8050356849:AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2304-1-0x00000000000B0000-0x00000000000C8000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2868 powershell.exe 2696 powershell.exe 2172 powershell.exe 2512 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk FatalityCrack.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk FatalityCrack.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" FatalityCrack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2172 powershell.exe 2512 powershell.exe 2868 powershell.exe 2696 powershell.exe 2304 FatalityCrack.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2304 FatalityCrack.exe Token: SeDebugPrivilege 2172 powershell.exe Token: SeDebugPrivilege 2512 powershell.exe Token: SeDebugPrivilege 2868 powershell.exe Token: SeDebugPrivilege 2696 powershell.exe Token: SeDebugPrivilege 2304 FatalityCrack.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2304 FatalityCrack.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2304 wrote to memory of 2172 2304 FatalityCrack.exe 29 PID 2304 wrote to memory of 2172 2304 FatalityCrack.exe 29 PID 2304 wrote to memory of 2172 2304 FatalityCrack.exe 29 PID 2304 wrote to memory of 2512 2304 FatalityCrack.exe 31 PID 2304 wrote to memory of 2512 2304 FatalityCrack.exe 31 PID 2304 wrote to memory of 2512 2304 FatalityCrack.exe 31 PID 2304 wrote to memory of 2868 2304 FatalityCrack.exe 33 PID 2304 wrote to memory of 2868 2304 FatalityCrack.exe 33 PID 2304 wrote to memory of 2868 2304 FatalityCrack.exe 33 PID 2304 wrote to memory of 2696 2304 FatalityCrack.exe 35 PID 2304 wrote to memory of 2696 2304 FatalityCrack.exe 35 PID 2304 wrote to memory of 2696 2304 FatalityCrack.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58e840721ec9d0989f41306bb1f7bb46f
SHA1a9603b6606978355ac9a7d672e68f02c07a8b86d
SHA25627a6c8f3ce6e558dba7b32ca59b8ee5e759e96ae6eb0172fa8e2a3396a4b6955
SHA51272c63931172431619edcca7b056f3ebb12717deabe2ee50595053ce3122794ecc1f857d5262b9fc7bcdffcd423b71beed4ec61c7615fce6d70fb652900c0e139