Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2025 17:41
General
Target: kilo12.exe
Size: 63KB
MD5: 7c230bf9d6b4fdd637e769e6055f1367
SHA1: 70452f3119f632fa09e33726f1e21c7f05d5dec1
SHA256: b7f5b8932e874af2b5a0ff68db80e18a78e21262c2cb73646e6417fbe01ce03f
SHA512: 79e708194e8898816a88de16d770b5c277991b5da3da0ae734dfb5dc0ab74377c7ddf650eefa25b5dc86aaa0ef1deaa03c0d204ec3cebeeade577a252bd2900a
SSDEEP: 1536:sNiauVU185/NdrSM/2FoQGbvlXNA0ALOHgp:sgLVU1QKGQGbv1ONLOHQ
Malware Config
Extracted
Family: xworm
C2: daily-sexually.gl.at.ply:25670
Attributes
install_file: USB.exe
Signatures

Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral1/memory/2992-1-0x00000000004D0000-0x00000000004E6000-memory.dmp | family_xworm

Xworm family

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2992 | kilo12.exe
3136 | taskmgr.exe
(64 entries; duplicate rows collapsed)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3136 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2992 | kilo12.exe
Token: SeDebugPrivilege | 2992 | kilo12.exe
Token: SeDebugPrivilege | 3136 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3136 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3136 | taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3136 | taskmgr.exe
(64 entries; duplicate rows collapsed)

Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3136 | taskmgr.exe
(64 entries; duplicate rows collapsed)

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2992 | kilo12.exe
Processes

C:\Users\Admin\AppData\Local\Temp\kilo12.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\kilo12.exe"
PID: 2992
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /7
PID: 3136
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage