Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
30-06-2024 02:33
Behavioral task
behavioral1
Sample
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
Resource
win10v2004-20240508-en
General
-
Target
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
-
Size
248KB
-
MD5
7b20c6c1ae8a7fb30666a20540ed992a
-
SHA1
c4c615789b1cd6afa7fb48a6916ca5e8de838eda
-
SHA256
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1
-
SHA512
c8f0ada254ed44e07fc1593e084b14644f80dd36c98a25cb8ff1a7674d27da6559c56e96db7abcfff1de4a2ef5e6333878a890dc361a031a85809f6b7be4d8a9
-
SSDEEP
6144:BV4/b1Gx1MVvUhcX7elbKTua9bfF/H9d9n:4JcEv3X3u+
Malware Config
Extracted
xworm
156.225.129.202:7001
-
Install_directory
%AppData%
-
install_file
crss.exe
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/2184-1-0x00000000001F0000-0x0000000000234000-memory.dmp family_xworm C:\Users\Admin\AppData\Roaming\crss.exe family_xworm behavioral1/memory/2880-37-0x00000000001D0000-0x0000000000214000-memory.dmp family_xworm behavioral1/memory/448-40-0x0000000000AD0000-0x0000000000B14000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1516 powershell.exe 2652 powershell.exe 2576 powershell.exe 2416 powershell.exe -
Drops startup file 2 IoCs
Processes:
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe -
Executes dropped EXE 2 IoCs
Processes:
crss.execrss.exepid process 2880 crss.exe 448 crss.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Users\\Admin\\AppData\\Roaming\\crss.exe" 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exe0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exepid process 2652 powershell.exe 2576 powershell.exe 2416 powershell.exe 1516 powershell.exe 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exepowershell.exepowershell.exepowershell.exepowershell.execrss.execrss.exedescription pid process Token: SeDebugPrivilege 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe Token: SeDebugPrivilege 2652 powershell.exe Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 2416 powershell.exe Token: SeDebugPrivilege 1516 powershell.exe Token: SeDebugPrivilege 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe Token: SeDebugPrivilege 2880 crss.exe Token: SeDebugPrivilege 448 crss.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exepid process 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exetaskeng.exedescription pid process target process PID 2184 wrote to memory of 2652 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2652 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2652 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2576 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2576 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2576 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2416 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2416 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2416 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 1516 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 1516 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 1516 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe powershell.exe PID 2184 wrote to memory of 2820 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe schtasks.exe PID 2184 wrote to memory of 2820 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe schtasks.exe PID 2184 wrote to memory of 2820 2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe schtasks.exe PID 2424 wrote to memory of 2880 2424 taskeng.exe crss.exe PID 2424 wrote to memory of 2880 2424 taskeng.exe crss.exe PID 2424 wrote to memory of 2880 2424 taskeng.exe crss.exe PID 2424 wrote to memory of 448 2424 taskeng.exe crss.exe PID 2424 wrote to memory of 448 2424 taskeng.exe crss.exe PID 2424 wrote to memory of 448 2424 taskeng.exe crss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe"C:\Users\Admin\AppData\Local\Temp\0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskeng.exetaskeng.exe {98F656C1-5761-4410-90B5-EC4ACA683893} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\crss.exeC:\Users\Admin\AppData\Roaming\crss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\crss.exeC:\Users\Admin\AppData\Roaming\crss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD588d05de6d10c03402b0013eaf67aa767
SHA10d636d66d551e3a45351aa237d46d9d8d2f762cb
SHA256bf2d9750f20e6351962b02f90dd2122d8a7b114e6726bce26c1a54aee0513b4d
SHA51226130f446307717b5ccf596afd0beaa77eb49c74716f66795ff2c8c4df6bb313b92b9f7f07ae35ed095e642827cce2e19f62002357f38499f6ae00de42975b05
-
C:\Users\Admin\AppData\Roaming\crss.exeFilesize
248KB
MD57b20c6c1ae8a7fb30666a20540ed992a
SHA1c4c615789b1cd6afa7fb48a6916ca5e8de838eda
SHA2560a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1
SHA512c8f0ada254ed44e07fc1593e084b14644f80dd36c98a25cb8ff1a7674d27da6559c56e96db7abcfff1de4a2ef5e6333878a890dc361a031a85809f6b7be4d8a9
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/448-40-0x0000000000AD0000-0x0000000000B14000-memory.dmpFilesize
272KB
-
memory/2184-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmpFilesize
9.9MB
-
memory/2184-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmpFilesize
4KB
-
memory/2184-32-0x000007FEF5803000-0x000007FEF5804000-memory.dmpFilesize
4KB
-
memory/2184-33-0x000007FEF5800000-0x000007FEF61EC000-memory.dmpFilesize
9.9MB
-
memory/2184-1-0x00000000001F0000-0x0000000000234000-memory.dmpFilesize
272KB
-
memory/2576-15-0x000000001B7D0000-0x000000001BAB2000-memory.dmpFilesize
2.9MB
-
memory/2576-16-0x0000000002680000-0x0000000002688000-memory.dmpFilesize
32KB
-
memory/2652-7-0x0000000002C30000-0x0000000002CB0000-memory.dmpFilesize
512KB
-
memory/2652-8-0x000000001B680000-0x000000001B962000-memory.dmpFilesize
2.9MB
-
memory/2652-9-0x00000000023C0000-0x00000000023C8000-memory.dmpFilesize
32KB
-
memory/2880-37-0x00000000001D0000-0x0000000000214000-memory.dmpFilesize
272KB