Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 05/03/2025, 20:51
Static task: static1
Behavioral task: behavioral1
Sample: resthiemailmatrix.hub.exe
Resource: win7-20240903-en
General
Target: resthiemailmatrix.hub.exe
Size: 118KB
MD5: 7fc47d0f79e8bbb131e947beb67538ef
SHA1: b374cf5bfa41740e6a541e1f558a9e400720493a
SHA256: 70fdf77f0aaca97b95c87bd9f31b0dda0f5c552b156e3788c9768dace10837f1
SHA512: 9d5b848d0c9075b2240d7fbda92346a5a9506e9a0689f47e185be4998442fba14f2854dfe4f794dc6bb8dbdad66927ae3fe20a3e92945b81367ddc8c9661ecb2
SSDEEP: 1536:cQowDILgxGY+lzyUF5g/PE3CfLSFUdo+e/erRMRsI0PiCxdm6fueNWa/FFr2DYi:1pGY+l1OUaLSFR+nsm5r+F
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: paul-nw.gl.at.ply.gg:3111
F4I7I2sWyinFgipq
Install_directory: %AppData%
install_file: kev.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000012029-5.dat | family_xworm
behavioral1/memory/2752-9-0x0000000000C70000-0x0000000000C80000-memory.dmp | family_xworm

Xworm family

Executes dropped EXE (1 IoC)
pid | Process
2752 | .exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2752 | .exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2552 wrote to memory of 2752 | 2552 | resthiemailmatrix.hub.exe | 28
PID 2552 wrote to memory of 2752 | 2552 | resthiemailmatrix.hub.exe | 28
PID 2552 wrote to memory of 2752 | 2552 | resthiemailmatrix.hub.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\resthiemailmatrix.hub.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\resthiemailmatrix.hub.exe"
   PID: 2552
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\.exe (child of PID 2552)
      Command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
      PID: 2752
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
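The signatures and process tree above, turned into detection logic and run over endpoint telemetry. This is an added example, not part of the sandbox report and not any vendor's tooling: the indicator values (both SHA256 hashes, the C2 host and port, ip-api.com, the %AppData%\kev.exe install path, SeDebugPrivilege, and the parent-to-child WriteProcessMemory) come from the report; the JSON event schema and field names, the expansion of %AppData% to the Roaming profile folder, the treatment of .ply.gg as a tunnelling-service domain, and the sample log lines are constructed for this example.

```python
#!/usr/bin/env python3
"""Added example: apply the report's indicators to constructed endpoint telemetry."""
import json
import re

# Indicator values taken from the report.
SAMPLE_SHA256 = {
    "70fdf77f0aaca97b95c87bd9f31b0dda0f5c552b156e3788c9768dace10837f1",  # submitted file
    "617b0d7883b08e1f1e09dd6279661bb161bb6d29a0126527dbabae36183e4de0",  # 37KB dropped file
}
C2_HOST, C2_PORT = "paul-nw.gl.at.ply.gg", 3111
IP_LOOKUP_HOSTS = {"ip-api.com"}
# Install_directory %AppData% + install_file kev.exe; assumed to expand to the
# Roaming profile path on a default Windows install.
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\kev\.exe$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed telemetry, one JSON event per line. The schema and field names are
# an assumption for this example, not a real EDR format.
SAMPLE_LOG = r"""
{"type":"process_create","pid":2552,"ppid":1000,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\resthiemailmatrix.hub.exe","sha256":"70fdf77f0aaca97b95c87bd9f31b0dda0f5c552b156e3788c9768dace10837f1"}
{"type":"file_create","pid":2552,"path":"C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe"}
{"type":"process_create","pid":2752,"ppid":2552,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe","sha256":"617b0d7883b08e1f1e09dd6279661bb161bb6d29a0126527dbabae36183e4de0"}
{"type":"process_access","source_pid":2552,"target_pid":2752,"operation":"WriteProcessMemory"}
{"type":"token_adjust","pid":2752,"privilege":"SeDebugPrivilege"}
{"type":"file_create","pid":2752,"path":"C:\\Users\\Admin\\AppData\\Roaming\\kev.exe"}
{"type":"network","pid":2752,"dst_host":"ip-api.com","dst_port":80}
{"type":"network","pid":2752,"dst_host":"paul-nw.gl.at.ply.gg","dst_port":3111}
{"type":"process_create","pid":3100,"ppid":1000,"image":"C:\\Windows\\System32\\notepad.exe","sha256":"00"}
{"type":"network","pid":3100,"dst_host":"example.com","dst_port":443}
"""


def classify(event, images):
    """Return the names of the report's indicators that a single event matches.
    `images` maps pid -> image path for processes seen so far."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        if event.get("sha256") in SAMPLE_SHA256:
            hits.append("known_xworm_hash")
        image = event.get("image", "")
        # The dropped binary is literally named ".exe" and runs from %Temp%.
        if TEMP_RE.search(image) and image.rsplit("\\", 1)[-1] == ".exe":
            hits.append("nameless_exe_in_temp")
    elif kind == "process_access":
        src = images.get(event.get("source_pid"), "")
        dst = images.get(event.get("target_pid"), "")
        if (event.get("operation") == "WriteProcessMemory"
                and TEMP_RE.search(src) and TEMP_RE.search(dst)):
            hits.append("temp_parent_writes_temp_child")
    elif kind == "token_adjust":
        if (event.get("privilege") == "SeDebugPrivilege"
                and TEMP_RE.search(images.get(event.get("pid"), ""))):
            hits.append("sedebug_from_temp")
    elif kind == "file_create":
        if INSTALL_PATH_RE.search(event.get("path", "")):
            hits.append("xworm_install_path")
    elif kind == "network":
        host, port = event.get("dst_host", ""), event.get("dst_port")
        if host == C2_HOST and port == C2_PORT:
            hits.append("xworm_c2")
        elif host.endswith(".ply.gg"):
            # Assumption: .ply.gg hosts belong to a tunnelling service; weak signal on its own.
            hits.append("tunnel_service_egress")
        if host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    return hits


def triage(log_text):
    """Run every event through classify(); return per-indicator counts, the pids
    involved, and a verdict that needs at least two distinct indicators
    (a hash alone is brittle, a single network destination alone is noisy)."""
    images, counts, pids = {}, {}, set()
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event["type"] == "process_create":
            images[event["pid"]] = event.get("image", "")
        for name in classify(event, images):
            counts[name] = counts.get(name, 0) + 1
            pids.add(event.get("pid", event.get("source_pid")))
    verdict = "xworm" if len(counts) >= 2 else "clean"
    return {"hits": counts, "pids": sorted(p for p in pids if p is not None), "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The parent-child and SeDebugPrivilege rules are keyed on both processes living under %Temp% rather than on the file names, because the names (`resthiemailmatrix.hub.exe`, `.exe`) change per campaign while the drop-then-inject pattern from the report does not; the C2 rule matches the exact host and port, with the broader `.ply.gg` suffix kept as a separate, lower-confidence hit.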
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 37KB
MD5: db139c53ad9a95a2e5069e4bb9ee0bc5
SHA1: 96bf971116c728ac130d456d080982108c440cbd
SHA256: 617b0d7883b08e1f1e09dd6279661bb161bb6d29a0126527dbabae36183e4de0
SHA512: a1a235a88a0f68af07963a2629b68db1b03d26caaab5afcf03c288fbb6f4f49683d295375921831ce0a48a64fbe1e0ba2f94871ab030080b1f995ef1a9f5cff4