Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 23:23
Static task: static1
Behavioral task: behavioral1
  Sample: invoice.exe
  Resource: win7-20240611-en
  5 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: invoice.exe
  Resource: win10v2004-20240508-en
  2 signatures
  150 seconds
General
Target: invoice.exe
Size: 2.3MB
MD5: 5bc392a75e9f0c3b36f344096f0183cc
SHA1: a2f48b659efa913e5ed17d1621f517c21a9305a6
SHA256: 81513a82573e2a72bf3b56b6b309ea2f73716f602e1f00d0ee957abd3408b6a3
SHA512: f9224d1f9818b2a4c93276467719e535f3f66c5f4a9d6f2287669307ecb276dfb9f202007cd9c801a0ea1ef63630eac4ca03ce9de4aab6086b9d941e54c017eb
SSDEEP: 12288:z5DIexdM4iE+o+OKtDY2z1ZWtpMo4mSUvIZAg+GSsgHU:1DIexgo+OKtDYq12MqSUv8Ag+tY
Malware Config
Extracted
Family: xworm
Version: 5.0
C2:
  127.0.0.1:7733
  104.161.80.204:7733
Mutex: R4c17KU2odlSGK04
Attributes:
  Install_directory: %AppData%
  install_file: System.exe
  aes.plain
Signatures
- Detect Xworm Payload (1 IoC)
  resource                                                                     yara_rule
  behavioral1/memory/2952-4-0x0000000000400000-0x0000000000422000-memory.dmp   family_xworm
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            pid    process       target process
  PID 2416 set thread context of 2952    2416   invoice.exe   iexplore.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                 pid    process
  Token: SeDebugPrivilege     2416   invoice.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                          pid    process       target process
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 2952     2416   invoice.exe   iexplore.exe
  PID 2416 wrote to memory of 3044     2416   invoice.exe   WerFault.exe
  PID 2416 wrote to memory of 3044     2416   invoice.exe   WerFault.exe
  PID 2416 wrote to memory of 3044     2416   invoice.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2416 -s 644
Network
MITRE ATT&CK Matrix
Downloads
- memory/2416-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp (Filesize: 4KB)
- memory/2416-1-0x0000000000B40000-0x0000000000B5E000-memory.dmp (Filesize: 120KB)
- memory/2416-2-0x0000000000AA0000-0x0000000000B14000-memory.dmp (Filesize: 464KB)
- memory/2416-3-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp (Filesize: 9.9MB)
- memory/2416-5-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp (Filesize: 4KB)
- memory/2416-6-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp (Filesize: 9.9MB)
- memory/2952-4-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)