Analysis

max time kernel: 102s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2025, 10:46
Static task: static1
General

Target: 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
Size: 6.6MB
MD5: 12778dfad55cfadd9a32f3f4b0f83d32
SHA1: dc40d26edd670ee5d87633349381da36f7c7bf34
SHA256: 0a3bcc2d1ab0ff3c46f3ada8a6e904a91815875e3775897a1ac93e74c64fc86a
SHA512: f94db534ee3b5f4b368ca620312363799e25f37ed11be8f3e54347340356e0372b1ec5dde0deb188e95ee5da56804565ef8e4db0779caf0f51b4759ea7812d47
SSDEEP: 49152:7QrUu2sJBe6tT5QS02AowPFCF6j5QGbpY/vlvRf3uElo03Nbo3AWg4VAT4s4Pqo8:KUvsJBjTOGgP8JGbIxx93S317VATd
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:9000
C2: 45.134.39.20:9000
oV8zKY7m1pKloRzQ
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoCs)
resource | yara_rule
behavioral1/memory/744-1-0x00000000003C0000-0x00000000003CE000-memory.dmp | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 3032 created 3588 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 56

Xworm family

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
pid | Process
3648 | tasklist.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3032 set thread context of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Detects videocard installed (1 TTPs, 2 IoCs)
Uses WMIC.exe to determine videocard installed.
pid | Process
1924 | wmic.exe
1848 | wmic.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
1652 | reg.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2404 | wmic.exe
Token: SeSecurityPrivilege | 2404 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2404 | wmic.exe
Token: SeLoadDriverPrivilege | 2404 | wmic.exe
Token: SeSystemProfilePrivilege | 2404 | wmic.exe
Token: SeSystemtimePrivilege | 2404 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2404 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2404 | wmic.exe
Token: SeCreatePagefilePrivilege | 2404 | wmic.exe
Token: SeBackupPrivilege | 2404 | wmic.exe
Token: SeRestorePrivilege | 2404 | wmic.exe
Token: SeShutdownPrivilege | 2404 | wmic.exe
Token: SeDebugPrivilege | 2404 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2404 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2404 | wmic.exe
Token: SeUndockPrivilege | 2404 | wmic.exe
Token: SeManageVolumePrivilege | 2404 | wmic.exe
Token: 33 | 2404 | wmic.exe
Token: 34 | 2404 | wmic.exe
Token: 35 | 2404 | wmic.exe
Token: 36 | 2404 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2404 | wmic.exe
Token: SeSecurityPrivilege | 2404 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2404 | wmic.exe
Token: SeLoadDriverPrivilege | 2404 | wmic.exe
Token: SeSystemProfilePrivilege | 2404 | wmic.exe
Token: SeSystemtimePrivilege | 2404 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2404 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2404 | wmic.exe
Token: SeCreatePagefilePrivilege | 2404 | wmic.exe
Token: SeBackupPrivilege | 2404 | wmic.exe
Token: SeRestorePrivilege | 2404 | wmic.exe
Token: SeShutdownPrivilege | 2404 | wmic.exe
Token: SeDebugPrivilege | 2404 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2404 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2404 | wmic.exe
Token: SeUndockPrivilege | 2404 | wmic.exe
Token: SeManageVolumePrivilege | 2404 | wmic.exe
Token: 33 | 2404 | wmic.exe
Token: 34 | 2404 | wmic.exe
Token: 35 | 2404 | wmic.exe
Token: 36 | 2404 | wmic.exe
Token: SeDebugPrivilege | 3648 | tasklist.exe
Token: SeIncreaseQuotaPrivilege | 1924 | wmic.exe
Token: SeSecurityPrivilege | 1924 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1924 | wmic.exe
Token: SeLoadDriverPrivilege | 1924 | wmic.exe
Token: SeSystemProfilePrivilege | 1924 | wmic.exe
Token: SeSystemtimePrivilege | 1924 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1924 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1924 | wmic.exe
Token: SeCreatePagefilePrivilege | 1924 | wmic.exe
Token: SeBackupPrivilege | 1924 | wmic.exe
Token: SeRestorePrivilege | 1924 | wmic.exe
Token: SeShutdownPrivilege | 1924 | wmic.exe
Token: SeDebugPrivilege | 1924 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1924 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1924 | wmic.exe
Token: SeUndockPrivilege | 1924 | wmic.exe
Token: SeManageVolumePrivilege | 1924 | wmic.exe
Token: 33 | 1924 | wmic.exe
Token: 34 | 1924 | wmic.exe
Token: 35 | 1924 | wmic.exe
Token: 36 | 1924 | wmic.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 3032 wrote to memory of 2404 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 88
PID 3032 wrote to memory of 2404 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 88
PID 3032 wrote to memory of 2404 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 88
PID 3032 wrote to memory of 1652 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 92
PID 3032 wrote to memory of 1652 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 92
PID 3032 wrote to memory of 1652 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 92
PID 3032 wrote to memory of 3648 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 93
PID 3032 wrote to memory of 3648 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 93
PID 3032 wrote to memory of 3648 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 93
PID 3032 wrote to memory of 1924 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 94
PID 3032 wrote to memory of 1924 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 94
PID 3032 wrote to memory of 1924 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 94
PID 3032 wrote to memory of 1848 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 95
PID 3032 wrote to memory of 1848 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 95
PID 3032 wrote to memory of 1848 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 95
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
PID 3032 wrote to memory of 744 | 3032 | 2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe | 99
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3588

  C:\Users\Admin\AppData\Local\Temp\2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3032

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic diskdrive get model
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2404

    C:\Windows\SysWOW64\reg.exe
      Command line: reg query HKLM\SYSTEM\ControlSet001\Services\USBSTOR
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 1652

    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3648

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic path win32_VideoController get name
      - System Location Discovery: System Language Discovery
      - Detects videocard installed
      - Suspicious use of AdjustPrivilegeToken
      PID: 1924

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic path win32_VideoController get name
      - System Location Discovery: System Language Discovery
      - Detects videocard installed
      PID: 1848

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    PID: 744