Analysis
max time kernel: 138s
max time network: 140s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 01:22
Behavioral task: behavioral1
Sample: ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Resource: win10v2004-20240611-en
General
Target: ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Size: 251KB
MD5: 1fee5ce12cd61659dd46575a2e378361
SHA1: 91722b8dcf5318c379e5ae96692928b22b055969
SHA256: ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce
SHA512: 9e46fe97922c9c24c9ceb31201bb703ba47b73248c413633c097ec8b44ee026fb4ce2569a3f7578f753b3d8cd7f6ed5aa425bb308b49b7e0062a685468d38638
SSDEEP: 3072:vfWp/2bS2/YnEtOryoW8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NzLnK:dbn/YnWUhcX7elbKTua9bfF/H9d9n
Malware Config
Extracted
Family: xworm
C2: 156.225.129.202:7005
Install_directory: %AppData%
install_file: crss.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2344-1-0x0000000001320000-0x0000000001364000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\crss.exe | family_xworm
  behavioral1/memory/1320-36-0x0000000000C20000-0x0000000000C64000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  2588 | powershell.exe
  2156 | powershell.exe
  2676 | powershell.exe
  1240 | powershell.exe

Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  1320 | crss.exe
  412 | crss.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Users\\Admin\\AppData\\Roaming\\crss.exe" | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  2588 | powershell.exe
  2156 | powershell.exe
  2676 | powershell.exe
  1240 | powershell.exe
  2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
  Token: SeDebugPrivilege | 2588 | powershell.exe
  Token: SeDebugPrivilege | 2156 | powershell.exe
  Token: SeDebugPrivilege | 2676 | powershell.exe
  Token: SeDebugPrivilege | 1240 | powershell.exe
  Token: SeDebugPrivilege | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
  Token: SeDebugPrivilege | 1320 | crss.exe
  Token: SeDebugPrivilege | 412 | crss.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | target process
  PID 2344 wrote to memory of 2588 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2588 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2588 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2156 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2156 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2156 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2676 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2676 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2676 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 1240 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 1240 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 1240 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | powershell.exe
  PID 2344 wrote to memory of 2852 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | schtasks.exe
  PID 2344 wrote to memory of 2852 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | schtasks.exe
  PID 2344 wrote to memory of 2852 | 2344 | ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe | schtasks.exe
  PID 860 wrote to memory of 1320 | 860 | taskeng.exe | crss.exe
  PID 860 wrote to memory of 1320 | 860 | taskeng.exe | crss.exe
  PID 860 wrote to memory of 1320 | 860 | taskeng.exe | crss.exe
  PID 860 wrote to memory of 412 | 860 | taskeng.exe | crss.exe
  PID 860 wrote to memory of 412 | 860 | taskeng.exe | crss.exe
  PID 860 wrote to memory of 412 | 860 | taskeng.exe | crss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
    - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {E9902D0E-CE6A-49E5-8202-E0170F5394A5} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\crss.exe
    Command line: C:\Users\Admin\AppData\Roaming\crss.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\crss.exe
    Command line: C:\Users\Admin\AppData\Roaming\crss.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: d40d737fdd1b63b1fc7a1f7fdb74ce6c
SHA1: a45a2d53941a658e16d05ddf567f272aabf29c6c
SHA256: 35525941698c0c2ab0c2a72f651cbc826f50b6d00b49163481900e8c7ebd3a22
SHA512: 551d9e049d744f484bb856884e629155616e63adaff6dec7c6851ddde5c96adbb7ec8c362eea6c9f7f10213cefee8ff71e44492d36d93baf372ffd6aec81396e

C:\Users\Admin\AppData\Roaming\crss.exe
Filesize: 251KB
MD5: 1fee5ce12cd61659dd46575a2e378361
SHA1: 91722b8dcf5318c379e5ae96692928b22b055969
SHA256: ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce
SHA512: 9e46fe97922c9c24c9ceb31201bb703ba47b73248c413633c097ec8b44ee026fb4ce2569a3f7578f753b3d8cd7f6ed5aa425bb308b49b7e0062a685468d38638

memory/1320-36-0x0000000000C20000-0x0000000000C64000-memory.dmp
Filesize: 272KB

memory/2156-16-0x0000000002320000-0x0000000002328000-memory.dmp
Filesize: 32KB

memory/2156-15-0x000000001B7E0000-0x000000001BAC2000-memory.dmp
Filesize: 2.9MB

memory/2344-31-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp
Filesize: 4KB

memory/2344-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp
Filesize: 4KB

memory/2344-32-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
Filesize: 9.9MB

memory/2344-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
Filesize: 9.9MB

memory/2344-1-0x0000000001320000-0x0000000001364000-memory.dmp
Filesize: 272KB

memory/2588-9-0x0000000001E70000-0x0000000001E78000-memory.dmp
Filesize: 32KB

memory/2588-8-0x000000001B770000-0x000000001BA52000-memory.dmp
Filesize: 2.9MB

memory/2588-7-0x0000000002E20000-0x0000000002EA0000-memory.dmp
Filesize: 512KB