Analysis
max time kernel: 104s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2025, 10:57
Static task: static1
General
Target: 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
Size: 6.6MB
MD5: 12778dfad55cfadd9a32f3f4b0f83d32
SHA1: dc40d26edd670ee5d87633349381da36f7c7bf34
SHA256: 0a3bcc2d1ab0ff3c46f3ada8a6e904a91815875e3775897a1ac93e74c64fc86a
SHA512: f94db534ee3b5f4b368ca620312363799e25f37ed11be8f3e54347340356e0372b1ec5dde0deb188e95ee5da56804565ef8e4db0779caf0f51b4759ea7812d47
SSDEEP: 49152:7QrUu2sJBe6tT5QS02AowPFCF6j5QGbpY/vlvRf3uElo03Nbo3AWg4VAT4s4Pqo8:KUvsJBjTOGgP8JGbIxx93S317VATd
Malware Config
Extracted
- xworm 5.0
- 127.0.0.1:9000
- 45.134.39.20:9000
- oV8zKY7m1pKloRzQ
- install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoCs)
resource | yara_rule
behavioral1/memory/5996-1-0x0000000000400000-0x000000000040E000-memory.dmp | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 3004 created 3420 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 55

Xworm family

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
pid | Process
5000 | tasklist.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3004 set thread context of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Detects videocard installed (1 TTPs, 2 IoCs)
Uses WMIC.exe to determine the video card installed.
pid | Process
5568 | wmic.exe
5388 | wmic.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
2484 | reg.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 5568 | wmic.exe
Token: SeSecurityPrivilege | 5568 | wmic.exe
Token: SeTakeOwnershipPrivilege | 5568 | wmic.exe
Token: SeLoadDriverPrivilege | 5568 | wmic.exe
Token: SeSystemProfilePrivilege | 5568 | wmic.exe
Token: SeSystemtimePrivilege | 5568 | wmic.exe
Token: SeProfSingleProcessPrivilege | 5568 | wmic.exe
Token: SeIncBasePriorityPrivilege | 5568 | wmic.exe
Token: SeCreatePagefilePrivilege | 5568 | wmic.exe
Token: SeBackupPrivilege | 5568 | wmic.exe
Token: SeRestorePrivilege | 5568 | wmic.exe
Token: SeShutdownPrivilege | 5568 | wmic.exe
Token: SeDebugPrivilege | 5568 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 5568 | wmic.exe
Token: SeRemoteShutdownPrivilege | 5568 | wmic.exe
Token: SeUndockPrivilege | 5568 | wmic.exe
Token: SeManageVolumePrivilege | 5568 | wmic.exe
Token: 33 | 5568 | wmic.exe
Token: 34 | 5568 | wmic.exe
Token: 35 | 5568 | wmic.exe
Token: 36 | 5568 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 5568 | wmic.exe
Token: SeSecurityPrivilege | 5568 | wmic.exe
Token: SeTakeOwnershipPrivilege | 5568 | wmic.exe
Token: SeLoadDriverPrivilege | 5568 | wmic.exe
Token: SeSystemProfilePrivilege | 5568 | wmic.exe
Token: SeSystemtimePrivilege | 5568 | wmic.exe
Token: SeProfSingleProcessPrivilege | 5568 | wmic.exe
Token: SeIncBasePriorityPrivilege | 5568 | wmic.exe
Token: SeCreatePagefilePrivilege | 5568 | wmic.exe
Token: SeBackupPrivilege | 5568 | wmic.exe
Token: SeRestorePrivilege | 5568 | wmic.exe
Token: SeShutdownPrivilege | 5568 | wmic.exe
Token: SeDebugPrivilege | 5568 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 5568 | wmic.exe
Token: SeRemoteShutdownPrivilege | 5568 | wmic.exe
Token: SeUndockPrivilege | 5568 | wmic.exe
Token: SeManageVolumePrivilege | 5568 | wmic.exe
Token: 33 | 5568 | wmic.exe
Token: 34 | 5568 | wmic.exe
Token: 35 | 5568 | wmic.exe
Token: 36 | 5568 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 5388 | wmic.exe
Token: SeSecurityPrivilege | 5388 | wmic.exe
Token: SeTakeOwnershipPrivilege | 5388 | wmic.exe
Token: SeLoadDriverPrivilege | 5388 | wmic.exe
Token: SeSystemProfilePrivilege | 5388 | wmic.exe
Token: SeSystemtimePrivilege | 5388 | wmic.exe
Token: SeProfSingleProcessPrivilege | 5388 | wmic.exe
Token: SeIncBasePriorityPrivilege | 5388 | wmic.exe
Token: SeCreatePagefilePrivilege | 5388 | wmic.exe
Token: SeBackupPrivilege | 5388 | wmic.exe
Token: SeRestorePrivilege | 5388 | wmic.exe
Token: SeShutdownPrivilege | 5388 | wmic.exe
Token: SeDebugPrivilege | 5388 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 5388 | wmic.exe
Token: SeRemoteShutdownPrivilege | 5388 | wmic.exe
Token: SeUndockPrivilege | 5388 | wmic.exe
Token: SeManageVolumePrivilege | 5388 | wmic.exe
Token: 33 | 5388 | wmic.exe
Token: 34 | 5388 | wmic.exe
Token: 35 | 5388 | wmic.exe
Token: 36 | 5388 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 5388 | wmic.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 3004 wrote to memory of 2484 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 87
PID 3004 wrote to memory of 2484 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 87
PID 3004 wrote to memory of 2484 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 87
PID 3004 wrote to memory of 5568 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 90
PID 3004 wrote to memory of 5568 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 90
PID 3004 wrote to memory of 5568 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 90
PID 3004 wrote to memory of 5388 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 93
PID 3004 wrote to memory of 5388 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 93
PID 3004 wrote to memory of 5388 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 93
PID 3004 wrote to memory of 4808 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 94
PID 3004 wrote to memory of 4808 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 94
PID 3004 wrote to memory of 4808 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 94
PID 3004 wrote to memory of 5000 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 95
PID 3004 wrote to memory of 5000 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 95
PID 3004 wrote to memory of 5000 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 95
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
PID 3004 wrote to memory of 5996 | 3004 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 98
Processes
- C:\Windows\Explorer.EXE (PID 3420)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe (PID 3004)
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe"
    signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2484)
      command line: reg query HKLM\SYSTEM\ControlSet001\Services\USBSTOR
      signatures:
      - System Location Discovery: System Language Discovery
      - Modifies registry key
    - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 5568)
      command line: wmic path win32_VideoController get name
      signatures:
      - System Location Discovery: System Language Discovery
      - Detects videocard installed
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 5388)
      command line: wmic path win32_VideoController get name
      signatures:
      - System Location Discovery: System Language Discovery
      - Detects videocard installed
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4808)
      command line: wmic diskdrive get model
      signatures:
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 5000)
      command line: tasklist
      signatures:
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5996)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    signatures:
    - System Location Discovery: System Language Discovery