Analysis
max time kernel: 93s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 20:35
Behavioral task: behavioral1
Sample: kdmapper.exe
Resource: win7-20241010-en
General
Target: kdmapper.exe
Size: 69KB
MD5: 3a84ecb6d7aa88b870c5c03c278568cf
SHA1: 7b5b6d52a716fb1b7185d906eecf39dcdf598b53
SHA256: 02f831b9005ec9d05ee53a84016aae91573bd25637929f944aadd8bae23e2bbc
SHA512: bcf062a89bf7e5c881fc1c03efdc60d8948f11b470160aaa695bc2985e129f3b24123a61611b5af587d4f3319342a32323891389cac3e5a24ece6aa04877790c
SSDEEP: 1536:7ZbYYNTBdvla2CHJ8bW07vzN9AJqt0sOOTs:ph1laHp8bW0LPWLsOOI

The file name matches the open-source kdmapper driver-mapping utility, but the YARA hits and the configuration extracted below identify the sample as an XWorm payload; the name should be treated as a lure, not as evidence of what the binary does.
Malware Config
Extracted
Family: xworm
C2: official-walks.gl.at.ply.gg:57776
Install_directory: %AppData%
install_file: Winsxcrv645.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1204-1-0x0000000000120000-0x0000000000138000-memory.dmp | family_xworm
behavioral2/files/0x000300000001e762-4.dat | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The key below is HKCU\Control Panel\International\Geo\Nation for the sandbox user's SID.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | kdmapper.exe

Executes dropped EXE (1 IoC)
pid | Process
536 | Winsxcrv645.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
12 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
pid | Process
3352 | timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5008 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1204 | kdmapper.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1204 | kdmapper.exe
Token: SeDebugPrivilege | 1204 | kdmapper.exe
Token: SeDebugPrivilege | 536 | Winsxcrv645.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1204 | kdmapper.exe

Suspicious use of WriteProcessMemory (8 IoCs; each parent-to-child write is recorded twice)
description | pid | Process | procid_target
PID 1204 wrote to memory of 5008 | 1204 | kdmapper.exe | 88
PID 1204 wrote to memory of 5008 | 1204 | kdmapper.exe | 88
PID 1204 wrote to memory of 3684 | 1204 | kdmapper.exe | 105
PID 1204 wrote to memory of 3684 | 1204 | kdmapper.exe | 105
PID 1204 wrote to memory of 1036 | 1204 | kdmapper.exe | 107
PID 1204 wrote to memory of 1036 | 1204 | kdmapper.exe | 107
PID 1036 wrote to memory of 3352 | 1036 | cmd.exe | 109
PID 1036 wrote to memory of 3352 | 1036 | cmd.exe | 109

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
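Checking connection or proxy logs for the network indicators in this report, as an added example that is not part of the sandbox output or of XWorm: it matches the exact C2 host:port from the extracted configuration with high confidence and, as a lower-confidence hunt, the sequence of an ip-api.com lookup followed shortly by a connection to some other *.ply.gg endpoint. The flow records are constructed; treating *.ply.gg as a shared tunnelling service (so the bare suffix is not an indicator on its own) and the five-minute correlation window are assumptions.

```python
"""Hunt connection logs for the C2 extracted from this sample and for the
XWorm 'external IP lookup, then beacon' pattern.

Added example for this report, not code from the sandbox or from XWorm.
The flow records are constructed; the tunnel-domain suffix list and the
correlation window are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

C2_HOST, C2_PORT = "official-walks.gl.at.ply.gg", 57776   # from the extracted config
IP_LOOKUP_HOSTS = {"ip-api.com"}                           # from the external-IP signature
TUNNEL_SUFFIXES = (".ply.gg",)   # assumption: shared tunnel service, not an IoC on its own
WINDOW = timedelta(minutes=5)    # assumption: lookup-to-beacon correlation window


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst_host: str   # resolved name from DNS/proxy logs
    dport: int


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def classify(flow: Flow) -> str | None:
    """Label one flow: exact C2 match, IP-lookup beacon, generic tunnel endpoint, or None."""
    h = _norm(flow.dst_host)
    if h == C2_HOST and flow.dport == C2_PORT:
        return "xworm-c2"
    if h in IP_LOOKUP_HOSTS:
        return "external-ip-lookup"
    if h.endswith(TUNNEL_SUFFIXES):
        return "tunnel-endpoint"
    return None


def hunt(flows: list[Flow]) -> dict[str, tuple[str, str]]:
    """Return {src: (confidence, reason)} for source hosts worth triage."""
    per_src: dict[str, list[Flow]] = {}
    for f in sorted(flows, key=lambda f: f.ts):
        per_src.setdefault(f.src, []).append(f)

    verdicts: dict[str, tuple[str, str]] = {}
    for src, fs in per_src.items():
        labelled = [(f, classify(f)) for f in fs]
        if any(label == "xworm-c2" for _, label in labelled):
            verdicts[src] = ("high", f"connects to known XWorm C2 {C2_HOST}:{C2_PORT}")
            continue
        lookups = [f for f, label in labelled if label == "external-ip-lookup"]
        tunnels = [f for f, label in labelled if label == "tunnel-endpoint"]
        # Lookup first, tunnel connection within the window: the XWorm check-in shape.
        if any(timedelta(0) <= t.ts - lk.ts <= WINDOW for lk in lookups for t in tunnels):
            verdicts[src] = ("medium", "external IP lookup followed by a tunnel-service connection")
        elif tunnels:
            verdicts[src] = ("low", "connection to a shared tunnel service; review the endpoint")
    return verdicts


# Constructed flow records (not from the report): the C2 beacon, a look-alike
# lookup-then-tunnel sequence, a lone tunnel connection, and benign traffic.
T0 = datetime(2025, 1, 20, 20, 35)
FLOWS = [
    Flow(T0, "10.0.0.5", "ip-api.com", 80),
    Flow(T0 + timedelta(seconds=3), "10.0.0.5", C2_HOST, C2_PORT),
    Flow(T0 + timedelta(minutes=1), "10.0.0.7", "ip-api.com", 80),
    Flow(T0 + timedelta(minutes=2), "10.0.0.7", "other-name.gl.at.ply.gg", 25565),
    Flow(T0, "10.0.0.8", "some-game.gl.at.ply.gg", 25565),
    Flow(T0, "10.0.0.9", "www.example.com", 443),
]

if __name__ == "__main__":
    for src, (confidence, why) in hunt(FLOWS).items():
        print(f"{src:10} {confidence:6} {why}")
```

Only the exact host:port pair is a hard indicator; the medium and low verdicts exist because tunnel services like this one are also used legitimately, so those sources need a look at the process that opened the connection before anything is blocked.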
Processes

Read in procid order, kdmapper.exe (PID 1204) first registers a scheduled task named "Winsxcrv645" that runs the copy in %AppData%\Roaming every minute with the highest run level, then deletes a task of the same name, then runs a batch file from Temp that sleeps for three seconds via timeout.exe. The copy at C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe (PID 536) appears as a separate top-level process rather than as a child of kdmapper.exe, and its hashes (see Downloads) are identical to the submitted sample.

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"
  PID: 1204
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winsxcrv645" /tr "C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe"
      PID: 5008
      - Scheduled Task/Job: Scheduled Task
  +-- C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Winsxcrv645"
      PID: 3684
  +-- C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54C2.tmp.bat""
      PID: 1036
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\system32\timeout.exe
          command line: timeout 3
          PID: 3352
          - Delays execution with timeout.exe

C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe
  command line: C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe
  PID: 536
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
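The chain above is detectable from process-creation telemetry alone. The following is an added example, not code from the sandbox or from XWorm: it parses the schtasks command lines, flags a task that re-runs every few minutes with the highest run level and an action under the user's AppData, correlates a create/delete pair for the same task name from one parent, spots the Temp .bat plus timeout.exe sleep, and links the later execution of the task's action path back to the task. The event list is constructed from the process tree in this report; the event fields, the minute threshold, and the wording of the findings are assumptions rather than any vendor's schema.

```python
"""Flag the XWorm persistence chain (schtasks every-minute task into %AppData%,
task delete/create churn, Temp .bat with timeout) in process-creation events.

Added example for this report, not code from the sandbox or from XWorm.
The event list is constructed from the process tree above; field names and
thresholds are assumptions, not a vendor schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int | None  # None: parent not shown in the report
    image: str
    cmdline: str


# Constructed from the Processes section of the report (PIDs and command lines as listed).
EVENTS = [
    ProcEvent(1204, None, r"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"'),
    ProcEvent(5008, 1204, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
              r'/tn "Winsxcrv645" /tr "C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe"'),
    ProcEvent(3684, 1204, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "Winsxcrv645"'),
    ProcEvent(1036, 1204, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54C2.tmp.bat""'),
    ProcEvent(3352, 1036, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(536, None, r"C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe",
              r"C:\Users\Admin\AppData\Roaming\Winsxcrv645.exe"),
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\"]+\.bat', re.IGNORECASE)
SCHTASKS_VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/rl", "/st", "/sd", "/ru"}
MAX_MINUTES = 5   # assumption: anything re-running this often is worth a finding


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    (simplified CommandLineToArgvW; empty quoted tokens are dropped)."""
    return [q or u for q, u in _TOKEN_RE.findall(cmdline) if q or u]


def parse_schtasks(cmdline: str) -> dict[str, str | bool]:
    """Map lower-cased schtasks switches to their value (or True for bare flags)."""
    toks = tokenize(cmdline)
    args: dict[str, str | bool] = {}
    i = 1   # toks[0] is the image path
    while i < len(toks):
        t = toks[i].lower()
        if t.startswith("/"):
            if t in SCHTASKS_VALUE_SWITCHES and i + 1 < len(toks):
                args[t] = toks[i + 1]
                i += 2
                continue
            args[t] = True
        i += 1
    return args


def schtasks_reasons(args: dict[str, str | bool]) -> list[str]:
    """Why a /create call looks like RAT persistence rather than admin work."""
    reasons: list[str] = []
    if "/create" not in args:
        return reasons
    mo = str(args.get("/mo", ""))
    if str(args.get("/sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= MAX_MINUTES:
        reasons.append(f"task re-runs every {mo} minute(s)")
    if str(args.get("/rl", "")).lower() == "highest":
        reasons.append("task requests the highest run level")
    if APPDATA_RE.search(str(args.get("/tr", ""))):
        reasons.append("task action lives under the user's AppData")
    return reasons


def analyze(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) findings for the XWorm persistence chain."""
    findings: list[tuple[int, str]] = []
    created: dict[str, ProcEvent] = {}
    deleted: dict[str, ProcEvent] = {}
    targets: set[str] = set()

    for e in events:
        exe = e.image.rsplit("\\", 1)[-1].lower()
        if exe == "schtasks.exe":
            args = parse_schtasks(e.cmdline)
            tn = str(args.get("/tn", "")).lower()
            if "/create" in args:
                created[tn] = e
                tr = str(args.get("/tr", "")).lower()
                if tr:
                    targets.add(tr)
                findings += [(e.pid, r) for r in schtasks_reasons(args)]
            elif "/delete" in args:
                deleted[tn] = e
        elif exe == "cmd.exe" and TEMP_BAT_RE.search(e.cmdline):
            kids = [c for c in events if c.ppid == e.pid]
            if any(c.image.lower().endswith("\\timeout.exe") for c in kids):
                findings.append((e.pid, "runs a .bat from Temp that sleeps with timeout.exe"))

    # One parent both creating and deleting the same task name within the run.
    for tn in created.keys() & deleted.keys():
        c, d = created[tn], deleted[tn]
        if c.ppid is not None and c.ppid == d.ppid:
            findings.append((c.ppid, f"creates and deletes scheduled task '{tn}' in one run"))

    # A later process whose image is the action path of a task created above.
    for e in events:
        if e.image.lower() in targets:
            findings.append((e.pid, f"executes scheduled-task target {e.image}"))
    return findings


if __name__ == "__main__":
    for pid, reason in analyze(EVENTS):
        print(f"PID {pid:5}: {reason}")
```

Each finding carries the PID it applies to, so on real telemetry the same logic can be keyed by host and parent process; the minute threshold and the AppData pattern are the parts to tune against your own baseline, since legitimate updaters also use per-user task actions.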
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 160B
MD5: c5f252a62a27ee194261a83aa633633e
SHA1: c1d9f278ec380ef9ed3d20b8c0e35887af82c618
SHA256: ef4e71f980bd24060f4dcd75430fd0fbe3ac7f5302f10c38e2c2381dd63a977e
SHA512: 079c9b1e645db9c96667656a9cfb888df5657467b32ef87c708b75eedfaf9736859334755f989f5e6027ea0a0acafd7e66960bcf0d526fcdf30acd5bcdf5c19b

File 2 (hashes identical to the submitted sample, i.e. the byte-for-byte copy dropped as Winsxcrv645.exe)
Filesize: 69KB
MD5: 3a84ecb6d7aa88b870c5c03c278568cf
SHA1: 7b5b6d52a716fb1b7185d906eecf39dcdf598b53
SHA256: 02f831b9005ec9d05ee53a84016aae91573bd25637929f944aadd8bae23e2bbc
SHA512: bcf062a89bf7e5c881fc1c03efdc60d8948f11b470160aaa695bc2985e129f3b24123a61611b5af587d4f3319342a32323891389cac3e5a24ece6aa04877790c