Overview

overview

10

Static

static

10

system.exe

windows7-x64

10

system.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2025 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    system.exe

  • Size

    84KB

  • MD5

    6f4cef7f422bf580b1ee9a530f9f55c7

  • SHA1

    a78f1d5fd4357c8b9f1a4a25084f209bb7bed607

  • SHA256

    32d07422caae2a4ce6ddecdeb2fdf2b390cf1417b00f2c18c2133bd090ac5462

  • SHA512

    32459d17774caf1a4a653c7d2cda17694ed52a328bccb3e3c40e6d3d58f88451e457ede562a7ec92a2e0af1e9aa461f874258a133e2c024df5d2d2b3cb635f0a

  • SSDEEP

    1536:CGmlU4/wy79rSJ68Jf0gbYv+KYW0hbjPOk06rrSkOHre1AUdls:yyOSJ68Jf0gbYvkDPOkhSkOLeVs

Score
10/10
stormkittyxwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

say-oops.gl.at.ply.gg:35818

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\system.exe
    "C:\Users\Admin\AppData\Local\Temp\system.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1384
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A618806F-76F2-4640-B990-F634CFBDD052} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2176
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\places.raw
    Filesize

    5.0MB

    MD5

    1ee19e2b7926f5fe3b2c669eafca762b

    SHA1

    ac6f86c58787c63572e9bf99dcdcdeecbf8b9aaa

    SHA256

    efbaa7354d994796d970a8034fac797a6c3bd5e978c15430639ea0e3ea30c857

    SHA512

    204672861e515dbf41268bb1f2413192cc55a758f3165294e122d7a978efdf074db3e4a695b729fad873fc668beb7aaf1814ef43ec98d3a5e719fd0a02507baf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    84KB

    MD5

    6f4cef7f422bf580b1ee9a530f9f55c7

    SHA1

    a78f1d5fd4357c8b9f1a4a25084f209bb7bed607

    SHA256

    32d07422caae2a4ce6ddecdeb2fdf2b390cf1417b00f2c18c2133bd090ac5462

    SHA512

    32459d17774caf1a4a653c7d2cda17694ed52a328bccb3e3c40e6d3d58f88451e457ede562a7ec92a2e0af1e9aa461f874258a133e2c024df5d2d2b3cb635f0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp47B.tmp.dat
    Filesize

    92KB

    MD5

    6d9ead954a1d55a4b7b9a23d96bb545e

    SHA1

    b55a31428681654b9bc4f428fc4c07fa7244760f

    SHA256

    eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c

    SHA512

    b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    819ae8f7885c0aac015298567959a3a4

    SHA1

    45339ba9a582b1757848c2c1defca1944e03b8eb

    SHA256

    7e5e796255bdc230ce81b6f7e57627814c8ccfac7cf393f164bb87f284d25877

    SHA512

    997a12c6bc0c46a9be23098a754574c1f62fb43ba92449a2782b47fcd32741798d9b665f9fb8b18f60d93a799ace0f66755147c0f6f6c104e476280799ed45b2

    Download Submit

  • memory/2176-37-0x0000000001140000-0x000000000115C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2268-8-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-22-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2268-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-38-0x000000001D6D0000-0x000000001DA20000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2268-39-0x000000001DA20000-0x000000001DB40000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2268-40-0x00000000022E0000-0x00000000022EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2268-2-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2268-1-0x00000000003C0000-0x00000000003DC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2888-9-0x0000000002360000-0x0000000002368000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2888-7-0x000000001B270000-0x000000001B552000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2968-15-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2968-16-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

    Download