Analysis
-
max time kernel
134s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 17:46
Behavioral task
behavioral1
Sample
FatalityCrack.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FatalityCrack.exe
Resource
win10v2004-20241007-en
General
-
Target
FatalityCrack.exe
-
Size
74KB
-
MD5
44217b6e8f45f82ebffe92321639290b
-
SHA1
6bd7da4585d438bc28d5350b9415b6d73b32e807
-
SHA256
657dcc3378b3dbbd131926612fb00e67683ccbc64dc2d743fce213734804f427
-
SHA512
a68f7f194aadd63dcfad5af49dac4def19748e8fb657ab4cc06b514a1a7a2f5fb42424cb1a54a259987487558f2f2c950a1fd219a59f9b27ef826774ae27e7c8
-
SSDEEP
1536:FNhc3BhmLTzjuReXV2y+bo0QnRr6wDeTJPovOoRnaRxsZP:1cxEWRsV2y+boveoOoRN5
Malware Config
Extracted
xworm
userxmorma-27072.portmap.host:27072
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot8050356849:AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2736-1-0x0000000000A30000-0x0000000000A48000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2740 powershell.exe 2212 powershell.exe 2808 powershell.exe 2776 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk FatalityCrack.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk FatalityCrack.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" FatalityCrack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2776 powershell.exe 2740 powershell.exe 2212 powershell.exe 2808 powershell.exe 2736 FatalityCrack.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2736 FatalityCrack.exe Token: SeDebugPrivilege 2776 powershell.exe Token: SeDebugPrivilege 2740 powershell.exe Token: SeDebugPrivilege 2212 powershell.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 2736 FatalityCrack.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2736 FatalityCrack.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2776 2736 FatalityCrack.exe 30 PID 2736 wrote to memory of 2776 2736 FatalityCrack.exe 30 PID 2736 wrote to memory of 2776 2736 FatalityCrack.exe 30 PID 2736 wrote to memory of 2740 2736 FatalityCrack.exe 32 PID 2736 wrote to memory of 2740 2736 FatalityCrack.exe 32 PID 2736 wrote to memory of 2740 2736 FatalityCrack.exe 32 PID 2736 wrote to memory of 2212 2736 FatalityCrack.exe 34 PID 2736 wrote to memory of 2212 2736 FatalityCrack.exe 34 PID 2736 wrote to memory of 2212 2736 FatalityCrack.exe 34 PID 2736 wrote to memory of 2808 2736 FatalityCrack.exe 36 PID 2736 wrote to memory of 2808 2736 FatalityCrack.exe 36 PID 2736 wrote to memory of 2808 2736 FatalityCrack.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD59baefc4aa26fd23023e087a78289110e
SHA1bc28e8a45bb38479e5e83f97040792efcb7a5069
SHA256d892311ede2c1d2831c61b905c25b1b9229384a11dc5c5ba0f2cd6cad2975b96
SHA51293355a84948545f029d1157c4e62c74a602660e933be41c928cbafc279184fddf995f35d699d40279909e62c5b36bfa34e18069bfee9638739dce5523de3239a