Analysis
max time kernel: 149s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/05/2025, 11:09
Behavioral task: behavioral1
Sample: 250502-m7emgssrs4.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: 250502-m7emgssrs4.exe
Resource: win11-20250410-en
General
Target: 250502-m7emgssrs4.exe
Size: 94KB
MD5: 9703ca1aa7b76a5cbcbc44f1e88ab0da
SHA1: 527a3bea16ca6cbd11daafa04478274878660d3f
SHA256: beb15b54dc5b31d30e4a950db36dcc33b8fe1f29c6567c5cf9ca93bee7c17fce
SHA512: 0d8add3c5c56e9a56112f7283aee201d77d0336963dca561cc7ff041f970da410c21d2d099c4e30bded52da85093f37e681bf3d57f461c32208bd92277763e20
SSDEEP: 1536:00A1Vii3CCFVAmJOvSHyz0oiWuGTf+b6HPKmQ76xK+OMFS9hBKUEF:07XNHSz0ow8f+b6XHK+OMsOl
Malware Config
Extracted family: xworm
Install_directory: %AppData%
install_file: svchost.exe
pastebin_url: https://pastebin.com/raw/2Q991bze
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource: behavioral2/memory/1680-99-0x000000001EBB0000-0x000000001EBBE000-memory.dmp; yara_rule: disable_win_def

Detect Xworm Payload (2 IoCs)
  resource: behavioral2/memory/1680-1-0x0000000000370000-0x000000000038C000-memory.dmp; yara_rule: family_xworm
  resource: behavioral2/files/0x001e00000002b245-53.dat; yara_rule: family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource: behavioral2/memory/1680-59-0x000000001CDC0000-0x000000001CEE0000-memory.dmp; yara_rule: family_stormkitty

Stormkitty family

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 1080 powershell.exe
  pid 4232 powershell.exe
  pid 6056 powershell.exe
  pid 2396 powershell.exe

Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process 250502-m7emgssrs4.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process 250502-m7emgssrs4.exe)

Executes dropped EXE (3 IoCs)
  pid 1892 svchost.exe
  pid 6108 svchost.exe
  pid 6072 svchost.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (process 250502-m7emgssrs4.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 2: pastebin.com
  flow 1: pastebin.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" (process 250502-m7emgssrs4.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process msedge.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2316 schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 1080 powershell.exe
  pid 1080 powershell.exe
  pid 4232 powershell.exe
  pid 4232 powershell.exe
  pid 6056 powershell.exe
  pid 6056 powershell.exe
  pid 2396 powershell.exe
  pid 2396 powershell.exe
  pid 1680 250502-m7emgssrs4.exe
  pid 1680 250502-m7emgssrs4.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeDebugPrivilege; pid 1680 250502-m7emgssrs4.exe
  Token: SeDebugPrivilege; pid 1080 powershell.exe
  Token: SeDebugPrivilege; pid 4232 powershell.exe
  Token: SeDebugPrivilege; pid 6056 powershell.exe
  Token: SeDebugPrivilege; pid 2396 powershell.exe
  Token: SeDebugPrivilege; pid 1892 svchost.exe
  Token: SeDebugPrivilege; pid 1680 250502-m7emgssrs4.exe
  Token: SeDebugPrivilege; pid 6108 svchost.exe
  Token: SeDebugPrivilege; pid 6072 svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1680 250502-m7emgssrs4.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1680 wrote to memory of 1080 (pid 1680 250502-m7emgssrs4.exe; procid_target 78)
  PID 1680 wrote to memory of 1080 (pid 1680 250502-m7emgssrs4.exe; procid_target 78)
  PID 1680 wrote to memory of 4232 (pid 1680 250502-m7emgssrs4.exe; procid_target 80)
  PID 1680 wrote to memory of 4232 (pid 1680 250502-m7emgssrs4.exe; procid_target 80)
  PID 1680 wrote to memory of 6056 (pid 1680 250502-m7emgssrs4.exe; procid_target 82)
  PID 1680 wrote to memory of 6056 (pid 1680 250502-m7emgssrs4.exe; procid_target 82)
  PID 1680 wrote to memory of 2396 (pid 1680 250502-m7emgssrs4.exe; procid_target 84)
  PID 1680 wrote to memory of 2396 (pid 1680 250502-m7emgssrs4.exe; procid_target 84)
  PID 1680 wrote to memory of 2316 (pid 1680 250502-m7emgssrs4.exe; procid_target 86)
  PID 1680 wrote to memory of 2316 (pid 1680 250502-m7emgssrs4.exe; procid_target 86)
  PID 4444 wrote to memory of 1892 (pid 4444 cmd.exe; procid_target 90)
  PID 4444 wrote to memory of 1892 (pid 4444 cmd.exe; procid_target 90)
  PID 1680 wrote to memory of 3140 (pid 1680 250502-m7emgssrs4.exe; procid_target 94)
  PID 1680 wrote to memory of 3140 (pid 1680 250502-m7emgssrs4.exe; procid_target 94)
  PID 3140 wrote to memory of 2156 (pid 3140 msedge.exe; procid_target 95)
  PID 3140 wrote to memory of 2156 (pid 3140 msedge.exe; procid_target 95)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe"
  PID: 1680
  - Drops startup file
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe'
    PID: 1080
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '250502-m7emgssrs4.exe'
    PID: 4232
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    PID: 6056
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    PID: 2396
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 2316
    - Scheduled Task/Job: Scheduled Task

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    PID: 3140
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2c0,0x7fff16b9f208,0x7fff16b9f214,0x7fff16b9f220
      PID: 2156

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2396,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2
      PID: 6108

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:11
      PID: 2820

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2776 /prefetch:13
      PID: 4744

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3396,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:1
      PID: 2076

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
      PID: 2768
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
  PID: 4444
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    PID: 1892
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  PID: 6108
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  PID: 6072
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 3872
Network
MITRE ATT&CK Enterprise v16
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize: 16B
MD5: 513a0bb8032eb3630af0d95eca2a559b
SHA1: 4737718496ce3e521e7c33d5244dbbbd862f1cf0
SHA256: e50637eadc7a6b38fb593766fc10ce6d7a830c0f1d125196c4b886c78ca55942
SHA512: fcf107b2190626389bb549caaa36a7dc15f891fc0d9b985147228ad39e93b84b2283ada37ed97bcdeada9fb34fe5e7d10ed5f3d105ac104b2616fec800b747b7