Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/05/2025, 11:09

General

  • Target

    250502-m7emgssrs4.exe

  • Size

    94KB

  • MD5

    9703ca1aa7b76a5cbcbc44f1e88ab0da

  • SHA1

    527a3bea16ca6cbd11daafa04478274878660d3f

  • SHA256

    beb15b54dc5b31d30e4a950db36dcc33b8fe1f29c6567c5cf9ca93bee7c17fce

  • SHA512

    0d8add3c5c56e9a56112f7283aee201d77d0336963dca561cc7ff041f970da410c21d2d099c4e30bded52da85093f37e681bf3d57f461c32208bd92277763e20

  • SSDEEP

    1536:00A1Vii3CCFVAmJOvSHyz0oiWuGTf+b6HPKmQ76xK+OMFS9hBKUEF:07XNHSz0ow8f+b6XHK+OMsOl

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/2Q991bze

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe
    "C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '250502-m7emgssrs4.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2316
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2c0,0x7fff16b9f208,0x7fff16b9f214,0x7fff16b9f220
        3⤵
          PID:2156
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2396,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2
          3⤵
            PID:6108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:11
            3⤵
              PID:2820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2776 /prefetch:13
              3⤵
                PID:4744
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3396,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:1
                3⤵
                  PID:2076
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
                  3⤵
                    PID:2768
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:4444
                • C:\Users\Admin\AppData\Roaming\svchost.exe
                  C:\Users\Admin\AppData\Roaming\svchost.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1892
              • C:\Users\Admin\AppData\Roaming\svchost.exe
                C:\Users\Admin\AppData\Roaming\svchost.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:6108
              • C:\Users\Admin\AppData\Roaming\svchost.exe
                C:\Users\Admin\AppData\Roaming\svchost.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:6072
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                1⤵
                  PID:3872

                Network

                      MITRE ATT&CK Enterprise v16

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                        Filesize

                        2KB

                        MD5

                        627073ee3ca9676911bee35548eff2b8

                        SHA1

                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                        SHA256

                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                        SHA512

                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

                        Filesize

                        654B

                        MD5

                        2cbbb74b7da1f720b48ed31085cbd5b8

                        SHA1

                        79caa9a3ea8abe1b9c4326c3633da64a5f724964

                        SHA256

                        e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                        SHA512

                        ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                        Filesize

                        280B

                        MD5

                        34d09b852bf4a5ef1d936591501926ca

                        SHA1

                        88ff0b1c2a5664765e11e47843a5ac8e1782ed0c

                        SHA256

                        52bd897dfdfca849d627b36a49b976eef861b1a7af075527c8f247adb862dc20

                        SHA512

                        dc63eebf94384dc9580f5e3c9291047e8d410f8fc1f746d180673f445a9bbe746608c01cbf10a38f2f935cfa5c8bb89864f87cabd8fece809dcaa1fa137f71d3

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                        Filesize

                        40KB

                        MD5

                        a063c8bfa731eae7358972026ce1f729

                        SHA1

                        2e396b76a9125d61963bc86667e2369a1b63a808

                        SHA256

                        26e5a7143fa7b0addc7b4c3fc93f738869ffe19538d3c8c9f2ada6ad7f797ac3

                        SHA512

                        1728b791447af365dcac3a7418085c8f19ed6eaf7cf0b42c2490b03fc3aacf37f2e2325ffb727709a9da2a57e510ada229213196327f0bc6f70b3d097d77d73d

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        944B

                        MD5

                        e3840d9bcedfe7017e49ee5d05bd1c46

                        SHA1

                        272620fb2605bd196df471d62db4b2d280a363c6

                        SHA256

                        3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

                        SHA512

                        76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        944B

                        MD5

                        e62cbb0b8541e4911f2a3cb671abda88

                        SHA1

                        eff5320b981d6068e277270f02e7194d7c21bc37

                        SHA256

                        9248c96a06934dc65557e6dfeecce2f95263053276c21f3c69bedf7322a0bbee

                        SHA512

                        5a7c6f00c08f709601175ac27122611175ea9501cf397fedd809c8701bb32d2f1ed8591d9046a24f51082403038c2384a752be809df8a221bd2f5c6b3003de9e

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        944B

                        MD5

                        052b734e3d0b49bccde40def527c10df

                        SHA1

                        2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0

                        SHA256

                        d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f

                        SHA512

                        bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1zghhqq.qtk.ps1

                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      • C:\Users\Admin\AppData\Roaming\svchost.exe

                        Filesize

                        94KB

                        MD5

                        9703ca1aa7b76a5cbcbc44f1e88ab0da

                        SHA1

                        527a3bea16ca6cbd11daafa04478274878660d3f

                        SHA256

                        beb15b54dc5b31d30e4a950db36dcc33b8fe1f29c6567c5cf9ca93bee7c17fce

                        SHA512

                        0d8add3c5c56e9a56112f7283aee201d77d0336963dca561cc7ff041f970da410c21d2d099c4e30bded52da85093f37e681bf3d57f461c32208bd92277763e20

                      • C:\Users\Admin\Desktop\How To Decrypt My Files.html

                        Filesize

                        610B

                        MD5

                        5bb9a9c59168ad061f927e89523b1fa9

                        SHA1

                        ad70db9f329376ff1fa02dd420bf3c3b40626081

                        SHA256

                        6beb9e0af938e4200f50bcd5b65c29555a63d251cd7bc8f1ac216b333717169d

                        SHA512

                        035885de328f917ca6f0d603aa414e6e9accbe6dcd21c22835802a8c9eb8d93d863c213abfbf7b0ddc8e8f1fae01cdb04e8155ca4e9d2ae35bd53ea9f8c7738e

                      • C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

                        Filesize

                        16B

                        MD5

                        513a0bb8032eb3630af0d95eca2a559b

                        SHA1

                        4737718496ce3e521e7c33d5244dbbbd862f1cf0

                        SHA256

                        e50637eadc7a6b38fb593766fc10ce6d7a830c0f1d125196c4b886c78ca55942

                        SHA512

                        fcf107b2190626389bb549caaa36a7dc15f891fc0d9b985147228ad39e93b84b2283ada37ed97bcdeada9fb34fe5e7d10ed5f3d105ac104b2616fec800b747b7

                      • memory/1080-16-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/1080-15-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/1080-12-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/1080-11-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/1080-5-0x000001F630E80000-0x000001F630EA2000-memory.dmp

                        Filesize

                        136KB

                      • memory/1680-56-0x00007FFF1F833000-0x00007FFF1F835000-memory.dmp

                        Filesize

                        8KB

                      • memory/1680-95-0x000000001DA60000-0x000000001DDB0000-memory.dmp

                        Filesize

                        3.3MB

                      • memory/1680-98-0x00000000025C0000-0x00000000025CE000-memory.dmp

                        Filesize

                        56KB

                      • memory/1680-99-0x000000001EBB0000-0x000000001EBBE000-memory.dmp

                        Filesize

                        56KB

                      • memory/1680-108-0x000000001C7F0000-0x000000001C7FC000-memory.dmp

                        Filesize

                        48KB

                      • memory/1680-109-0x000000001C900000-0x000000001C98E000-memory.dmp

                        Filesize

                        568KB

                      • memory/1680-111-0x00000000009F0000-0x00000000009FC000-memory.dmp

                        Filesize

                        48KB

                      • memory/1680-59-0x000000001CDC0000-0x000000001CEE0000-memory.dmp

                        Filesize

                        1.1MB

                      • memory/1680-58-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/1680-0-0x00007FFF1F833000-0x00007FFF1F835000-memory.dmp

                        Filesize

                        8KB

                      • memory/1680-55-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/1680-1-0x0000000000370000-0x000000000038C000-memory.dmp

                        Filesize

                        112KB