Analysis
-
max time kernel
345s -
max time network
348s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30-06-2024 21:53
Errors
General
-
Target
sv.exe
-
Size
63KB
-
MD5
c095a62b525e62244cad230e696028cf
-
SHA1
67232c186d3efe248b540f1f2fe3382770b5074a
-
SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
-
SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
SSDEEP
1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
xworm
amount-acceptance.gl.at.ply.gg:7420
-
Install_directory
%ProgramData%
-
install_file
svhost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sv.exe"C:\Users\Admin\AppData\Local\Temp\sv.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 02⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ae5055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\svhost.exeFilesize
63KB
MD5c095a62b525e62244cad230e696028cf
SHA167232c186d3efe248b540f1f2fe3382770b5074a
SHA256a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA5125ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.logFilesize
654B
MD516c5fce5f7230eea11598ec11ed42862
SHA175392d4824706090f5e8907eee1059349c927600
SHA25687ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a7d53514906a1105baf27d3bf52fb059
SHA1af129da6fc4826ef2ca729bc48e18a6759489cbb
SHA2566c4dad46efd4d773cffa7de25deca7881800ca5f7a959ee665001742abe5f12c
SHA5121aea6010174e105eda6c325fe28eb07962b363776b9111ca879eac587a0a4d035c39169d2676f859b74d8581ca4c5c0a44fbe4afcdda49ae3fb9829f115b3ebc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD529cab0be6ed68f483bd9c6c938ed6823
SHA1939a89e650a625f202196b1c28901dbe2b05f97a
SHA25631da0740a88332eba42a3fb8095eb41a199e6f27108c01c68c9e2a27a58ac31d
SHA512e830593a7a1e8cbb502405550f8b0a185d66f38b7a1f92dba6e85afdf469d04923f72d39692e298ee8c5b11cd0ed2fa52b82cf484ebf98c8cc6df19828225bf3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f4cebace363955b5fb79b606d1252b9e
SHA1f57eb08ca60074896c6d65c98e2f8b99450f7aee
SHA256ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a
SHA5125d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxkcg4tk.qfj.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/4236-52-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/4236-9-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/4236-48-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/4236-6-0x0000019E45600000-0x0000019E45622000-memory.dmpFilesize
136KB
-
memory/4236-20-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/4236-11-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/4236-10-0x0000019E457B0000-0x0000019E45826000-memory.dmpFilesize
472KB
-
memory/4236-41-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/5036-187-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/5036-188-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB
-
memory/5036-0-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmpFilesize
4KB
-
memory/5036-1-0x0000000000AC0000-0x0000000000AD6000-memory.dmpFilesize
88KB
-
memory/5036-195-0x00000000012F0000-0x00000000012FA000-memory.dmpFilesize
40KB
-
memory/5036-199-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmpFilesize
9.9MB