Analysis
- max time kernel: 120s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER_DATA_SHEET#PO8738763.scr
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ORDER_DATA_SHEET#PO8738763.scr
- Resource: win10v2004-20240508-en
General
- Target: ORDER_DATA_SHEET#PO8738763.scr
- Size: 2.2MB
- MD5: 31cbb0ad4fbff526978c68212a36fb90
- SHA1: d5cbdd8f03037a73dd40c0819498c969ae5b9102
- SHA256: 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
- SHA512: 3f8e80aa86d486eacf4336b6a0a8f9c997de33a7ae1da5a1637e99fc168e0c4c8c1a9324b3c9bb69ce74d3529a881931234f45764d8f46810d820fb5629414a5
- SSDEEP: 49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ
Malware Config
Extracted: xworm
- 5.0
- 195.10.205.94:7725
- rliv2fMggtmcxYMM
- Install_directory: %AppData%
- install_file: XClient.exe
Extracted: agenttesla
- Protocol: smtp
- Host: s82.gocheapweb.com
- Port: 587
- Username: [email protected]
- Password: london@1759
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Xworm Payload (3 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2968-1-0x0000000000400000-0x0000000000410000-memory.dmp    family_xworm
    behavioral1/memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp    family_xworm
    behavioral1/memory/2968-3-0x0000000000400000-0x0000000000410000-memory.dmp    family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid    process
    2604   powershell.exe
    2488   powershell.exe
    2980   powershell.exe
    2568   powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"
    process: AddInProcess32.exe
- Looks up external IP address via web service (5 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    8      api.ipify.org
    9      api.ipify.org
    10     ip-api.com
    6      api.ipify.org
    7      api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 2228 set thread context of 2968
    pid: 2228
    process: ORDER_DATA_SHEET#PO8738763.scr
    target process: AddInProcess32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid    process
    2968   AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid    process
    2488   powershell.exe
    2980   powershell.exe
    2568   powershell.exe
    2604   powershell.exe
    2968   AddInProcess32.exe
    2968   AddInProcess32.exe
    2968   AddInProcess32.exe
    2968   AddInProcess32.exe
- Suspicious behavior: SetClipboardViewer (1 IoCs)
  Processes:
    pid    process
    2968   AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description              pid    process
    Token: SeDebugPrivilege  2968   AddInProcess32.exe
    Token: SeDebugPrivilege  2488   powershell.exe
    Token: SeDebugPrivilege  2980   powershell.exe
    Token: SeDebugPrivilege  2568   powershell.exe
    Token: SeDebugPrivilege  2604   powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid    process
    2968   AddInProcess32.exe
    2968   AddInProcess32.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (identical rows collapsed; count gives the number of entries):
    description                        pid    process                           target process       count
    PID 2228 wrote to memory of 2968   2228   ORDER_DATA_SHEET#PO8738763.scr    AddInProcess32.exe   9
    PID 2968 wrote to memory of 2488   2968   AddInProcess32.exe                powershell.exe       4
    PID 2968 wrote to memory of 2980   2968   AddInProcess32.exe                powershell.exe       4
    PID 2968 wrote to memory of 2568   2968   AddInProcess32.exe                powershell.exe       4
    PID 2968 wrote to memory of 2604   2968   AddInProcess32.exe                powershell.exe       4
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDER_DATA_SHEET#PO8738763.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_DATA_SHEET#PO8738763.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AddInProcess32.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 9c4929bb4e32ae40d1ef3cc71d06d602
  SHA1: b08e3fb176b42cbe43b55e816134ccf889355a2c
  SHA256: dd0c03493133c09f7e2788dc1a3634517597535e7bd7c2c2ec5a51ab8cf729f2
  SHA512: 2002192aef9655e5aaa6cf60d2979817b4f2c7ba69e02befe469cd4a044e825637b8782e099c2979528bc765dcd025616d14407b076eb43fc309cc03e45fba4c
- memory/2968-1-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB
- memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB
- memory/2968-3-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB
- memory/2968-6-0x000000007475E000-0x000000007475F000-memory.dmp
  Filesize: 4KB
- memory/2968-25-0x0000000074750000-0x0000000074E3E000-memory.dmp
  Filesize: 6.9MB
- memory/2968-26-0x0000000000660000-0x00000000006A4000-memory.dmp
  Filesize: 272KB
- memory/2968-27-0x0000000002150000-0x0000000002192000-memory.dmp
  Filesize: 264KB
- memory/2968-28-0x0000000000600000-0x000000000060E000-memory.dmp
  Filesize: 56KB
- memory/2968-29-0x000000007475E000-0x000000007475F000-memory.dmp
  Filesize: 4KB
- memory/2968-30-0x0000000074750000-0x0000000074E3E000-memory.dmp
  Filesize: 6.9MB