Analysis
- max time kernel: 6s
- max time network: 149s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2024 22:01
Behavioral tasks
- behavioral1: Sample sv.exe, Resource win10-20240611-en
- behavioral2: Sample sv.exe, Resource win7-20240508-en
- behavioral3: Sample sv.exe, Resource win10v2004-20240611-en
- behavioral4: Sample sv.exe, Resource win11-20240508-en
General
- Target: sv.exe
- Size: 63KB
- MD5: c095a62b525e62244cad230e696028cf
- SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
- SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
- SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
- SSDEEP: 1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
- Family: xworm
- C2: amount-acceptance.gl.at.ply.gg:7420
- Install_directory: %ProgramData%
- install_file: svhost.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes:
    resource                                                                   yara_rule
    behavioral1/memory/2372-1-0x0000000000410000-0x0000000000426000-memory.dmp  family_xworm
    C:\ProgramData\svhost.exe                                                  family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid   process
    4372  powershell.exe
    2780  powershell.exe
    3728  powershell.exe
    4200  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    4372  powershell.exe
    4372  powershell.exe
    4372  powershell.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
    description                           pid   process
    Token: SeDebugPrivilege               2372  sv.exe
    Token: SeDebugPrivilege               4372  powershell.exe
    Token: SeIncreaseQuotaPrivilege       4372  powershell.exe
    Token: SeSecurityPrivilege            4372  powershell.exe
    Token: SeTakeOwnershipPrivilege       4372  powershell.exe
    Token: SeLoadDriverPrivilege          4372  powershell.exe
    Token: SeSystemProfilePrivilege       4372  powershell.exe
    Token: SeSystemtimePrivilege          4372  powershell.exe
    Token: SeProfSingleProcessPrivilege   4372  powershell.exe
    Token: SeIncBasePriorityPrivilege     4372  powershell.exe
    Token: SeCreatePagefilePrivilege      4372  powershell.exe
    Token: SeBackupPrivilege              4372  powershell.exe
    Token: SeRestorePrivilege             4372  powershell.exe
    Token: SeShutdownPrivilege            4372  powershell.exe
    Token: SeDebugPrivilege               4372  powershell.exe
    Token: SeSystemEnvironmentPrivilege   4372  powershell.exe
    Token: SeRemoteShutdownPrivilege      4372  powershell.exe
    Token: SeUndockPrivilege              4372  powershell.exe
    Token: SeManageVolumePrivilege        4372  powershell.exe
    Token: 33                             4372  powershell.exe
    Token: 34                             4372  powershell.exe
    Token: 35                             4372  powershell.exe
    Token: 36                             4372  powershell.exe
    Token: SeDebugPrivilege               2780  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid   process  target process
    PID 2372 wrote to memory of 4372    2372  sv.exe   powershell.exe
    PID 2372 wrote to memory of 4372    2372  sv.exe   powershell.exe
    PID 2372 wrote to memory of 2780    2372  sv.exe   powershell.exe
    PID 2372 wrote to memory of 2780    2372  sv.exe   powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\sv.exe
  "C:\Users\Admin\AppData\Local\Temp\sv.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
    - Scheduled Task/Job: Scheduled Task
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\svhost.exe
  Filesize: 63KB
  MD5: c095a62b525e62244cad230e696028cf
  SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
  SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
  SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
  Filesize: 654B
  MD5: 16c5fce5f7230eea11598ec11ed42862
  SHA1: 75392d4824706090f5e8907eee1059349c927600
  SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ae352a26dd1891a604949dc8f6d619dd
  SHA1: ac4ae2bd5ad621215249eafe3309eadb49b00fee
  SHA256: 6fa1c3c7ba6ab86be0b7a278d5788c0fed5994e1da22e303327b93c4c4c4c767
  SHA512: fdfd56b4c55d28772c158405557718a306a2ce4e2f637db33dd8aaea687054818db9db9adf10f5fd2184a91f5f1bc7c7baf5b563dfc90073aabab96fe74d50ae
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: a75621c0b20e43cd46145ddb40981049
  SHA1: 16c60bbcb07b27511a6282a737b01a52685c705a
  SHA256: 984bd869c5ed652f42ffdd407e70e2db769f3278fe6fefbc6857e778139f594b
  SHA512: 455306f5cb45f7722921fe34b649f784911af00d9f8d6d712b963230d22e16777b4eb4b437419acdf9f186c28446a5deedb4e9f19fa5ba8fba27bec1b1db64a4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 05f6fc5efc3f11dff3aa125a3d0c6ca5
  SHA1: 9174b2fb95da61ae5ca1d7c5b95ff7d61eeaab5b
  SHA256: f248030da392584f5dae89ddaa0b82c834f2c0323fff31d788cd26b43ee5c98d
  SHA512: 19f1657404273ee5d2609ca45580ed983f53dfc729aadf1f65b1aeb759cbcb50733ca16b2bfe105db2f9e54aa2d0da4295cadb5e4d2c4d25679f44aa2ce499aa
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jxjgdvdz.get.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- memory/2372-187-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/2372-1-0x0000000000410000-0x0000000000426000-memory.dmp
  Filesize: 88KB
- memory/2372-0-0x00007FF862F13000-0x00007FF862F14000-memory.dmp
  Filesize: 4KB
- memory/2372-190-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/2372-189-0x00000000027C0000-0x00000000027CA000-memory.dmp
  Filesize: 40KB
- memory/2372-188-0x00007FF862F13000-0x00007FF862F14000-memory.dmp
  Filesize: 4KB
- memory/4372-10-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/4372-9-0x000001F79C9A0000-0x000001F79CA16000-memory.dmp
  Filesize: 472KB
- memory/4372-11-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/4372-20-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/4372-41-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/4372-51-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB
- memory/4372-6-0x000001F79C7F0000-0x000001F79C812000-memory.dmp
  Filesize: 136KB
- memory/4372-52-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp
  Filesize: 9.9MB