Analysis
max time kernel: 101s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2025, 01:34
Static task: static1
Behavioral task: behavioral1
Sample: build.exe
Resource: win7-20240903-en
General
Target: build.exe
Size: 51KB
MD5: 79cd45fb4ce03b7262bfca18f71f76df
SHA1: 1cb7866b67768b8f15415cd33a4cbc1d284cb77e
SHA256: 495c535f89ad9319b97b59b52eb5d690315c202f9add743061dc53b4b583b610
SHA512: 370ff53c5f3648667c761c9d60f4f3ace99e2745b0253780c8dd0d87bca3c03e65c60f756bf8ea17a2f0790dbefa6ede6c0bcb7014f921cd51c945d53e4c8950
SSDEEP: 1536:fwFIJ7n5Yptm6YCLgJwu4NFD0T5YKAYjZHgbyJ:pJ9Yptm6YCLgau4NGTJAYjZHWg
Malware Config
Extracted family: xworm
C2: links-recovered.at.ply.gg:32508
XSLvYVsJZs3bsiZr
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x001100000001ee75-6.dat | family_xworm
behavioral2/memory/216-15-0x0000000000B60000-0x0000000000B70000-memory.dmp | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | build.exe
Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | build.exe

Executes dropped EXE (2 IoCs)
pid | Process
216 | build.exe
4624 | build.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
18 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
220 | taskmgr.exe (this identical row is repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 216 | build.exe
Token: SeDebugPrivilege | 4624 | build.exe
Token: SeDebugPrivilege | 220 | taskmgr.exe
Token: SeSystemProfilePrivilege | 220 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 220 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
220 | taskmgr.exe (this identical row is repeated 64 times in the report)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
220 | taskmgr.exe (this identical row is repeated 64 times in the report)

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2976 wrote to memory of 216 | 2976 | build.exe | 87
PID 2976 wrote to memory of 216 | 2976 | build.exe | 87
PID 3048 wrote to memory of 4624 | 3048 | build.exe | 100
PID 3048 wrote to memory of 4624 | 3048 | build.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\build.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  PID: 2976
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\build.exe (child of PID 2976)
      command line: "C:\Users\Admin\AppData\Roaming\build.exe"
      PID: 216
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4812

C:\Users\Admin\AppData\Local\Temp\build.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  PID: 3048
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\build.exe (child of PID 3048)
      command line: "C:\Users\Admin\AppData\Roaming\build.exe"
      PID: 4624
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 220
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\toa7cl.exe
  command line: "C:\Windows\System32\toa7cl.exe"
  PID: 4688
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 42KB
MD5: 522dcda6332f8fccbf277125a6b42b4a
SHA1: de959fb7d34ec6c3849c330f41dd1a4bc593ce2b
SHA256: de0330f6d59aa4d90c77af385145e5566c2d6dfec6e66a86d0c1d1f68e415d9d
SHA512: c3d02dfd6d1ec759b989b2f0e96b79c263bbf97264378b8da4103b3166490cdf23969729060bda23a7f41b9e43a758f56435416dbd396ec7c2f579bd285d537c