Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 03:55
Static task: static1
Behavioral task: behavioral1
- Sample: d3c5e789d12756e34a5461e809640b52.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: d3c5e789d12756e34a5461e809640b52.exe
- Resource: win10v2004-20240226-en
General
- Target: d3c5e789d12756e34a5461e809640b52.exe
- Size: 15.2MB
- MD5: d3c5e789d12756e34a5461e809640b52
- SHA1: d8b9710872f0c3ba3e75e3bcd56071625cf4592e
- SHA256: b1c30897a9ce11448790b40a820dd26571c9815b277b229715fadf0199870ac2
- SHA512: 267624b56bb7901fa66d7f8cd9fb5e0602a9054649b15738f84eafd06b56997f552310228a01087e5558725b43c38af87e224570e0e3a4ec570d8f6e0159481e
- SSDEEP: 393216:AlAEncAYaYUCwkm0r0McGg9p+aBfdRG1itJLr:SnOUCwL/2mpLf/G1YLr
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 5.tcp.eu.ngrok.io:14831
- tGWGfcswkH2xASVw
- Install_directory: %AppData%
- install_file: svchost.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes (resource | yara_rule):
- C:\Users\Admin\XClient.exe | family_xworm
- behavioral1/memory/3068-7-0x00000000010D0000-0x00000000010E2000-memory.dmp | family_xworm
- behavioral1/memory/2384-164-0x00000000011D0000-0x00000000011E2000-memory.dmp | family_xworm
- behavioral1/memory/2516-167-0x0000000000100000-0x0000000000112000-memory.dmp | family_xworm

Drops startup file (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe

Executes dropped EXE (7 IoCs)
Processes (pid | process):
- 3068 | XClient.exe
- 2696 | cstealer.exe
- 1500 | XWorm V3.1.exe
- 264 | cstealer.exe
- 1260 | (process name not recorded in the report)
- 2384 | svchost.exe
- 2516 | svchost.exe

Loads dropped DLL (3 IoCs)
Processes (pid | process):
- 2204 | d3c5e789d12756e34a5461e809640b52.exe
- 2696 | cstealer.exe
- 264 | cstealer.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | XClient.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 2 | ip-api.com

Detects Pyinstaller (1 IoCs)
Processes (resource | yara_rule):
- \Users\Admin\cstealer.exe | pyinstaller

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (pid | process):
- 3068 | XClient.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3068 | XClient.exe
- Token: SeDebugPrivilege | 1500 | XWorm V3.1.exe
- Token: SeDebugPrivilege | 3068 | XClient.exe
- Token: SeDebugPrivilege | 2384 | svchost.exe
- Token: SeDebugPrivilege | 2516 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
- 3068 | XClient.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (source pid | source process | target pid | target process); each pair below is recorded three times in the report, 21 entries in total:
- 2204 | d3c5e789d12756e34a5461e809640b52.exe | 3068 | XClient.exe
- 2204 | d3c5e789d12756e34a5461e809640b52.exe | 2696 | cstealer.exe
- 2204 | d3c5e789d12756e34a5461e809640b52.exe | 1500 | XWorm V3.1.exe
- 2696 | cstealer.exe | 264 | cstealer.exe
- 3068 | XClient.exe | 2900 | schtasks.exe
- 2316 | taskeng.exe | 2384 | svchost.exe
- 2316 | taskeng.exe | 2516 | svchost.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child nesting; the report's level markers 1, 2, 3 correspond to the three indentation levels):

C:\Users\Admin\AppData\Local\Temp\d3c5e789d12756e34a5461e809640b52.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d3c5e789d12756e34a5461e809640b52.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\XClient.exe
  Command line: "C:\Users\Admin\XClient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\cstealer.exe
  Command line: "C:\Users\Admin\cstealer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\cstealer.exe
    Command line: "C:\Users\Admin\cstealer.exe"
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Users\Admin\XWorm V3.1.exe
  Command line: "C:\Users\Admin\XWorm V3.1.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {FE502E2D-48DA-4458-818E-3657D2CF37E9} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26962\python310.dll
- Filesize: 4.3MB
- MD5: deaf0c0cc3369363b800d2e8e756a402
- SHA1: 3085778735dd8badad4e39df688139f4eed5f954
- SHA256: 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
- SHA512: 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

C:\Users\Admin\XClient.exe
- Filesize: 44KB
- MD5: cb6f9a73c242da249935950cbb0d4768
- SHA1: f3562339911c4783e1957e6f87abbcff9ec989dc
- SHA256: fe0b5c8df242e03f89a6fcebbc23611ec3bd59fe082659eaf67adf0444879a4b
- SHA512: 46280158482f0a73fff728317c2d9413d25bbcce9827af5393696cab9978d4b507975519c87ba175b4064a0db5fc1881b905f3af82acf5ee29be3d371ee71bc5

C:\Users\Admin\XWorm V3.1.exe
- Filesize: 6.9MB
- MD5: 37a9fdc56e605d2342da88a6e6182b4b
- SHA1: 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
- SHA256: 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58
- SHA512: f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

\Users\Admin\cstealer.exe
- Filesize: 8.2MB
- MD5: 772fd94b8537d5e9390c9d3ae39fedba
- SHA1: 1be9196b05f9134a60a9b8e96c7c2c35db6e0430
- SHA256: bf4cf925cbe3a7e1e55c35f153a08dbaec5f873629a4e8fd78a1c645d6dfc520
- SHA512: 98a90466b56bf088926b7b24b36f155e6f008eb0236f090241798d97c411899c9a9587f28c4cfb7fd4cd4e3eef89f6e42e456bfd013da34b1c239a3c1dd3c780

Memory dumps (region | Filesize):
- memory/1500-91-0x000000001EB10000-0x000000001F67A000-memory.dmp | 11.4MB
- memory/1500-86-0x0000000000370000-0x0000000000A66000-memory.dmp | 7.0MB
- memory/2204-1-0x0000000000920000-0x000000000185C000-memory.dmp | 15.2MB
- memory/2204-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp | 4KB
- memory/2384-164-0x00000000011D0000-0x00000000011E2000-memory.dmp | 72KB
- memory/2516-167-0x0000000000100000-0x0000000000112000-memory.dmp | 72KB
- memory/3068-7-0x00000000010D0000-0x00000000010E2000-memory.dmp | 72KB
- memory/3068-159-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp | 9.9MB
- memory/3068-160-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp | 9.9MB
- memory/3068-89-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp | 9.9MB
- memory/3068-88-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp | 9.9MB