Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-01-2025 01:03
Behavioral task
behavioral1
Sample
это вирус точно 100%.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
это вирус точно 100%.exe
Resource
win10v2004-20241007-en
General
-
Target
это вирус точно 100%.exe
-
Size
40KB
-
MD5
1b5eb77c95028f1f0a037cdf922e59d7
-
SHA1
50acd4ca6a89d06ff90e2535ce61b9ed590839e6
-
SHA256
149acfe76687a7b65baca4ffefc576ca1baa7eb54113212622831049da88d994
-
SHA512
801a611fcbcdedec916e731e39a3ba84e12810ef9ac1ecd4737cd561a7ba3e3b37f5ffd4783520494dae5beb55c6066468882a69e3ca56382e72e84e2aec4c22
-
SSDEEP
768:qa7krH8jlOMW88A4NVlwXDUDX+WcvQzFPc9YHLOphbQ4Z:f7krHGlOVYe5SEFk9YHLOp24Z
Malware Config
Extracted
xworm
5.0
g-submit.gl.at.ply.gg:54103
22.ip.gl.ply.gg:54103
43Ou45H2oyqWjrvD
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral1/memory/2556-1-0x0000000000EB0000-0x0000000000EC0000-memory.dmp family_xworm behavioral1/files/0x00070000000120fe-10.dat family_xworm behavioral1/memory/2840-12-0x0000000001120000-0x0000000001130000-memory.dmp family_xworm -
Xworm family
-
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk это вирус точно 100%.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk это вирус точно 100%.exe -
Executes dropped EXE 2 IoCs
pid Process 2840 svchost.exe 2116 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" это вирус точно 100%.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2388 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2556 это вирус точно 100%.exe Token: SeDebugPrivilege 2556 это вирус точно 100%.exe Token: SeDebugPrivilege 2840 svchost.exe Token: SeDebugPrivilege 2116 svchost.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2556 wrote to memory of 2388 2556 это вирус точно 100%.exe 30 PID 2556 wrote to memory of 2388 2556 это вирус точно 100%.exe 30 PID 2556 wrote to memory of 2388 2556 это вирус точно 100%.exe 30 PID 2788 wrote to memory of 2840 2788 taskeng.exe 34 PID 2788 wrote to memory of 2840 2788 taskeng.exe 34 PID 2788 wrote to memory of 2840 2788 taskeng.exe 34 PID 2788 wrote to memory of 2116 2788 taskeng.exe 35 PID 2788 wrote to memory of 2116 2788 taskeng.exe 35 PID 2788 wrote to memory of 2116 2788 taskeng.exe 35 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\это вирус точно 100%.exe"C:\Users\Admin\AppData\Local\Temp\это вирус точно 100%.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2388
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1FD0A1DA-B722-4180-B156-28E5AC80BBB9} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD51b5eb77c95028f1f0a037cdf922e59d7
SHA150acd4ca6a89d06ff90e2535ce61b9ed590839e6
SHA256149acfe76687a7b65baca4ffefc576ca1baa7eb54113212622831049da88d994
SHA512801a611fcbcdedec916e731e39a3ba84e12810ef9ac1ecd4737cd561a7ba3e3b37f5ffd4783520494dae5beb55c6066468882a69e3ca56382e72e84e2aec4c22