Analysis

max time kernel: 20s
max time network: 30s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05/06/2025, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: NewTextDocument.exe
Resource: win10v2004-20250502-en
General

Target: NewTextDocument.exe
Size: 4KB
MD5: a239a27c2169af388d4f5be6b52f272c
SHA1: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512: f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Malware Config

Extracted: lumma
- https://t.me/vstalnasral555
- https://runtnwq.run/gajh
- https://narrathfpt.top/tekq
- https://escczlv.top/bufi
- https://localixbiw.top/zlpa
- https://korxddl.top/qidz
- https://stochalyqp.xyz/alfp
- https://diecam.top/laur/api
- https://citellcagt.top/gjtu
- https://peppinqikp.xyz/xaow

Extracted: xworm
- 5.0
- 154.53.41.5:1144
- tHwBSicFuDZAqRPQ
- install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x001900000002b112-150.dat                                  family_xworm
  behavioral2/memory/4768-157-0x0000000000930000-0x000000000093E000-memory.dmp  family_xworm

Lumma family

Xworm family
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  4588  powershell.exe
Downloads MZ/PE file (5 IoCs)
  flow  pid   Process
  3     5420  NewTextDocument.exe
  3     5420  NewTextDocument.exe
  3     5420  NewTextDocument.exe
  8     5420  NewTextDocument.exe
  9     5420  NewTextDocument.exe

Executes dropped EXE (5 IoCs)
  pid   Process
  5492  1UGwDFF.exe
  1792  t3u2Imz.exe
  4108  hJ5bmFj.exe
  684   94mG4Ak.exe
  4768  XClient.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process      procid_target
  PID 1792 set thread context of 5552  1792  t3u2Imz.exe  83
  PID 684 set thread context of 4100   684   94mG4Ak.exe  89

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hJ5bmFj.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process      occurrences
  5552  MSBuild.exe  4
  4100  MSBuild.exe  4
  5492  1UGwDFF.exe  1

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   5420  NewTextDocument.exe
  Token: SeDebugPrivilege   4108  hJ5bmFj.exe
  Token: SeDebugPrivilege   4768  XClient.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description                        pid   Process              procid_target  occurrences
  PID 5420 wrote to memory of 5492   5420  NewTextDocument.exe  79             2
  PID 5420 wrote to memory of 1792   5420  NewTextDocument.exe  80             2
  PID 1792 wrote to memory of 3472   1792  t3u2Imz.exe          82             3
  PID 1792 wrote to memory of 5552   1792  t3u2Imz.exe          83             9
  PID 5420 wrote to memory of 4108   5420  NewTextDocument.exe  85             3
  PID 5420 wrote to memory of 684    5420  NewTextDocument.exe  86             2
  PID 5420 wrote to memory of 4768   5420  NewTextDocument.exe  88             2
  PID 684 wrote to memory of 4100    684   94mG4Ak.exe          89             9
Processes

C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"
  PID: 5420
  - Downloads MZ/PE file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe"
      PID: 5492
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          PID: 4588
          - Command and Scripting Interpreter: PowerShell

    C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe"
      PID: 1792
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          PID: 3472

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          PID: 5552
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
      PID: 4108
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe"
      PID: 684
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          PID: 4100
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
      PID: 4768
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.8MB
MD5: a4800db4a176fdba6d86bde9e21d7d4b
SHA1: c927378fd0aff61a865860b81ea49182ad3fc896
SHA256: 4738fee480de92666fc5cb7e6c9a4b0d97cd3d3b7ff9d642288e0cc604d407ae
SHA512: cbcecf64126f92844858213e7050942c63cbdf23522e1e8ac0887c655c615239bdf4111475a7ebffa4bf700ec59b6a8125fed46201ff2238eb9d8e4c8e4236c6

Filesize: 946KB
MD5: bee498bb6818e1eec3f96ed8c371e4c3
SHA1: 5cd9f249cb2e4888b6ff488e2b3795ead65460f9
SHA256: 5dcd18a45f245b8f03ee330afd54014c3dcd6e96b0f9fa0d9b2c98498fd11306
SHA512: 0821397200c422f1c912a11babb17da7c0fad61ad7fd1e66950fdf80217d87e17b571713b83b66bdbc63996dd01637437296fd186bb205e5665f0965d599bca1

Filesize: 32KB
MD5: ae20c32d0b9e8699756e93f9372972fa
SHA1: 0a80ba47f8175b177ff7f507906e376f0b1a3db3
SHA256: 5054d87f5429374c958f4ee191993b826be2568307c5b53067c0ee771690591d
SHA512: a37cb8de74b593304985d896c1bf86cd6dd144f72d24cd3796308ea04c218c09dc3716a3e66fe3c1455b61a3b8a96e1c942c67ef291e9da15e4a662ac4669f1a

Filesize: 4.2MB
MD5: f7f9ed55e782f4d2d43fb0703dd1273f
SHA1: 8bb98c59bb35055ccf1b52ef12db24cca50b58b0
SHA256: ad044817d9a6c1b798001fbf0f769c0ac1d8486afb9dede03543b934be6df3c6
SHA512: 1126c63648b573b01bcffc1ac037c3ed29074834f1716e54352a1679a4c9d5d393068b22e3820c62e398ab81d127fc242f306e158bf393e58742995df7896ce7

Filesize: 925KB
MD5: 45445e04eeaaab44456e4296c25ddb1b
SHA1: 75f242422d7329a0a3f9a1230cf694443601717e
SHA256: 82f77e79a0052160d388738a17a60e3733e439dd6beb53c88232e075ccef7d6e
SHA512: ffde7a5727e67998e09cfa90b8db7ac11f17b815a3c846a0a52cf98962049bdb7da94aa0a74f26977a2797309835fd4638c636a6e9412ddc22746fe39af776a6