Analysis
- max time kernel: 98s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/03/2025, 00:29
Behavioral task: behavioral1
- Sample: config.exe
- Resource: win7-20250207-en
General
- Target: config.exe
- Size: 83KB
- MD5: 676d43ca821b871113829fe4f4aef2d3
- SHA1: 1a3f4fedd5a621707778be0a01eb6ceea1d353e4
- SHA256: e2a6cfcbdf54e388e2e4cf7bb7819bd8cf9afcad0be756d3d9b51045b0912ddb
- SHA512: ad6a914de317ff963aa6f731baceda573b1386c06f0d178f792263e28e71f8af51702dae9e28d0e7ef22d4e4e40a0d0bd52aef8d7a17f9d40ce03d96380f64bb
- SSDEEP: 1536:xzKkCZ8ryPVw52HDRFJzUQgNVWLbKpLlrwFGGA6l5hOPiVqNfkglUKdar:xzKk5IpPqQbKfPkhO8qNfkQUDr
Malware Config
Extracted family: xworm
- Install_directory: %Temp%
- install_file: safemode.exe
- pastebin_url: https://pastebin.com/raw/HNgp7VTj
- telegram: https://api.telegram.org/bot7566882471:AAEsmeKHRV49kbZ72snynbsQH5x-Bnw1zK4/sendMessage?chat_id=1850507924
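The extracted config above is the part of this report that turns directly into blockable indicators: the install path, the Pastebin raw URL the sample resolves at run time, and a Telegram sendMessage URL that embeds the operator's bot token (the bot<id>:<secret> path segment) and target chat_id. The following Python is an added example, not part of the sandbox report or the XWorm code; it parses the "key value" lines as printed above (embedded here as a constructed string), defangs the URLs for safe sharing, and pulls the bot id, token and chat id out of the Telegram URL. Field names in the returned dict (install_path, hosts, urls, telegram) are this example's own choices.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed input: the "Extracted" block copied from the report above.
XWORM_CONFIG = """
Install_directory %Temp%
install_file safemode.exe
pastebin_url https://pastebin.com/raw/HNgp7VTj
telegram https://api.telegram.org/bot7566882471:AAEsmeKHRV49kbZ72snynbsQH5x-Bnw1zK4/sendMessage?chat_id=1850507924
"""

# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_config(text):
    """Turn 'key value' lines into a dict with lower-cased keys (the report mixes case)."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key.lower()] = value.strip()
    return cfg


def defang(url):
    """Defang scheme and host only; path and query stay intact so they can still be matched."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    tail = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{tail}"


def extract_iocs(cfg):
    """Derive host/URL/path indicators plus Telegram bot details from a parsed XWorm config."""
    iocs = {"install_path": None, "hosts": set(), "urls": [], "telegram": None}

    directory, filename = cfg.get("install_directory"), cfg.get("install_file")
    if directory and filename:
        # Expanded by the dropper at run time; keep the %Temp% token for rule authors.
        iocs["install_path"] = directory.rstrip("\\") + "\\" + filename

    for key in ("pastebin_url", "telegram"):
        url = cfg.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        iocs["hosts"].add(parts.hostname)
        iocs["urls"].append(defang(url))
        if key == "telegram":
            m = TELEGRAM_BOT_RE.match(parts.path)
            chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
            if m:
                iocs["telegram"] = {
                    "bot_id": m["id"],
                    "token": f"{m['id']}:{m['secret']}",  # what you report to Telegram for takedown
                    "method": m["method"],
                    "chat_id": chat_id,
                }
    return iocs


if __name__ == "__main__":
    result = extract_iocs(parse_config(XWORM_CONFIG))
    print("install path :", result["install_path"])
    print("hosts        :", ", ".join(sorted(result["hosts"])))
    for u in result["urls"]:
        print("url          :", u)
    print("telegram     :", result["telegram"])
```

Do not fetch the pastebin_url from an analyst workstation; in XWorm builds that use it, that page holds the live C2 address and the request itself is a beacon. Resolve it only from an isolated sandbox or via a passive source.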
Signatures
- Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/1896-1-0x0000000000A80000-0x0000000000A9C000-memory.dmp | family_xworm
- Xworm family
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  30 | ip-api.com
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. All three IoCs below are attributed to taskmgr.exe (PID 1696), not to config.exe (PID 1896).
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | Process
  1696 | taskmgr.exe (17 identical rows)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1896 | config.exe
  Token: SeDebugPrivilege | 1696 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1696 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1696 | taskmgr.exe
  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | 1696 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 1696 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (42 IoCs)
  pid | Process
  1696 | taskmgr.exe (42 identical rows)
- Suspicious use of SendNotifyMessage (42 IoCs)
  pid | Process
  1696 | taskmgr.exe (42 identical rows)
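Most signature rows above fire on taskmgr.exe rather than on the sample: the SCSI Enum reads, the process enumeration and the window-message calls all come from PID 1696 launched from System32, while the sample itself (PID 1896, run from %Temp%) accounts for the memory YARA hit and the SeDebugPrivilege enable. Triage code that consumes such reports has to weight hits by the process that produced them, or Task Manager reading a disk's FriendlyName looks like an anti-sandbox check. The following Python is an added example, not part of the report or of any sandbox's scoring; its event records are constructed from the IoC rows above (the attribution of the ip-api.com flow to PID 1896 is an assumption, since the report does not name the process), and it uses "image path under C:\Users\...\AppData" as a cheap stand-in for the Authenticode signature check a real pipeline would perform.

```python
import re

# Constructed event records modelled on the report's IoC rows; not real telemetry.
# The ip-api.com flow is attributed to PID 1896 here as an assumption for the example.
EVENTS = [
    {"kind": "registry", "pid": 1696, "image": r"C:\Windows\system32\taskmgr.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000"},
    {"kind": "registry", "pid": 1696, "image": r"C:\Windows\system32\taskmgr.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName"},
    {"kind": "token", "pid": 1896, "image": r"C:\Users\Admin\AppData\Local\Temp\config.exe",
     "privilege": "SeDebugPrivilege"},
    {"kind": "token", "pid": 1696, "image": r"C:\Windows\system32\taskmgr.exe",
     "privilege": "SeDebugPrivilege"},
    {"kind": "network", "pid": 1896, "image": r"C:\Users\Admin\AppData\Local\Temp\config.exe",
     "host": "ip-api.com"},
]

# Any key under HKLM\SYSTEM\ControlSetNNN\Enum\SCSI\ (ControlSet001, CurrentControlSet alias resolved upstream).
SCSI_ENUM_RE = re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\Enum\\SCSI\\", re.I)
# Only the lookup service named in the report; extend from your own allow/deny lists.
IP_LOOKUP_HOSTS = {"ip-api.com"}
# Stand-in for "binary is not signed by Microsoft": anything executing out of a user profile.
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def from_user_writable_path(image):
    return bool(USER_WRITABLE_RE.match(image))


def score_event(ev):
    """Map one event to (finding, points) or None.

    Points express how much the event says about the process being malicious,
    not whether it matches a signature: the same registry read is worth nothing
    from Task Manager in System32 and worth a lot from an unknown binary in %Temp%."""
    untrusted = from_user_writable_path(ev["image"])
    if ev["kind"] == "registry" and SCSI_ENUM_RE.match(ev["key"]):
        return ("scsi_enum_read", 3 if untrusted else 0)
    if ev["kind"] == "token" and ev["privilege"] == "SeDebugPrivilege":
        return ("sedebug_enabled", 2 if untrusted else 0)
    if ev["kind"] == "network" and ev["host"].lower() in IP_LOOKUP_HOSTS:
        # Still informative for a trusted image, but rarely decisive on its own.
        return ("external_ip_lookup", 2 if untrusted else 1)
    return None


def triage(events):
    """Aggregate findings per PID: {pid: {"image": str, "findings": [str], "score": int}}."""
    out = {}
    for ev in events:
        hit = score_event(ev)
        if hit is None:
            continue
        entry = out.setdefault(ev["pid"], {"image": ev["image"], "findings": [], "score": 0})
        name, points = hit
        if name not in entry["findings"]:
            entry["findings"].append(name)
        entry["score"] += points
    return out


if __name__ == "__main__":
    for pid, entry in sorted(triage(EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"PID {pid} score={entry['score']} {entry['image']}: {', '.join(entry['findings'])}")
```

Run against the constructed events, PID 1896 (config.exe) comes out on top and PID 1696 (taskmgr.exe) scores zero despite producing more signature rows, which is the ordering an analyst reading this report would expect.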
Processes (all three recorded at depth 1; no parent-child relationship between them)
- C:\Users\Admin\AppData\Local\Temp\config.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\config.exe"
  PID: 1896
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1696
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5016