Analysis
max time kernel: 81s
max time network: 85s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250218-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250218-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 05/03/2025, 20:37
General
Target: CS2 chit.exe
Size: 38KB
MD5: a41bab9ece639b508a1da93605375bf0
SHA1: a1a9a42a2eda376da5e3b7fdbd97f92961332a0b
SHA256: 14844195a11de498d4a6588656b14ec5c324ffd4d09e5e2f90d7e73231b0ad36
SHA512: ca3be66c63600ba37ff761540b15a0366d7443f466f91a8a97c3b51901221bc3cb609bd78c30073a6c81a38602f62ce7bf9787a78e24cbe54c24935afcd44fd3
SSDEEP: 768:nXtP96PSVAWhtaxX+KNEAZFh911Ohh1FZ:NeSWWhcxX+KSOFh911OhvD
Malware Config
Extracted
xworm
5.0
availability-billing.gl.at.ply.gg:43831
jN0qPAFBa0wIzGHr
Install_directory: %AppData%
install_file: Sandello.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4764-1-0x0000000000200000-0x0000000000210000-memory.dmp | family_xworm
  behavioral1/files/0x0007000000027f0a-21.dat | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation | CS2 chit.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sandello.lnk | CS2 chit.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sandello.lnk | CS2 chit.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1496 | Sandello.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings | taskmgr.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1332 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  4764 | CS2 chit.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | Process
  476 | taskmgr.exe (31 identical entries)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4764 | CS2 chit.exe
  Token: SeDebugPrivilege | 476 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 476 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 476 | taskmgr.exe
  Token: 33 | 476 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 476 | taskmgr.exe
  Token: SeDebugPrivilege | 1496 | Sandello.exe

Suspicious use of FindShellTrayWindow (57 IoCs)
  pid | Process
  476 | taskmgr.exe (57 identical entries)

Suspicious use of SendNotifyMessage (56 IoCs)
  pid | Process
  476 | taskmgr.exe (56 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 4764 wrote to memory of 1332 | 4764 | CS2 chit.exe | 86
  PID 4764 wrote to memory of 1332 | 4764 | CS2 chit.exe | 86

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\CS2 chit.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CS2 chit.exe"
  PID: 4764
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe (child of PID 4764)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Sandello" /tr "C:\Users\Admin\AppData\Roaming\Sandello.exe"
    PID: 1332
    - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 476
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1960

C:\Users\Admin\AppData\Roaming\Sandello.exe
  command line: "C:\Users\Admin\AppData\Roaming\Sandello.exe"
  PID: 1496
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 778B
MD5: 2f8a5efb44de0985c5bd6bf4b7138711
SHA1: 139f795ffa0892fbfc76e8550c813a798be9a275
SHA256: 616ec2c5b61b37b16f4bdb5d60c5057317fd89e19596d196beaa56049e1aebb3
SHA512: 21303d6080a6c2b647181d8aa5ca13314ab686ebc2f9f09a69a7f724fda62fe9b2bb15ea2a7558825224f71caf9a4d6a94ceb03eaaee16c757547ed5fb86363f

Filesize: 38KB
MD5: a41bab9ece639b508a1da93605375bf0
SHA1: a1a9a42a2eda376da5e3b7fdbd97f92961332a0b
SHA256: 14844195a11de498d4a6588656b14ec5c324ffd4d09e5e2f90d7e73231b0ad36
SHA512: ca3be66c63600ba37ff761540b15a0366d7443f466f91a8a97c3b51901221bc3cb609bd78c30073a6c81a38602f62ce7bf9787a78e24cbe54c24935afcd44fd3