Analysis
- max time kernel: 240s
- max time network: 240s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2024 06:32
Behavioral task: behavioral1
- Sample: Packages.exe
- Resource: win10-20240611-en
General
- Target: Packages.exe
- Size: 68KB
- MD5: 9415d4c4cfa3920ceda0b1318dbb15c6
- SHA1: 99e81931f1e2d42eb3cecb5745fc4cde99f983e2
- SHA256: 6fbe3dbb5f3224e36ef2017a3d6df98b134aca7f3cdade044e5ba0cb152c3428
- SHA512: af2011920b67cb1a0fc5dc30e93e7c1fc401c2769b41a9654b96bcfab2860221ce17a0d47fa2ab28bb504a9a802bb7736c89d9191e8f1e483186d4006cb46adc
- SSDEEP: 1536:YAhnty455oY4jw9PrMIMpGbOAhxw/l69dOFi/:YAB0e534M9TMIEGbOitdOFi/
Malware Config
Extracted family: xworm
- Ironthing-22901.portmap.host:22901
- 193.161.193.99:22901
- Install_directory: %AppData%
- install_file: Packages.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2840-1-0x0000000000B10000-0x0000000000B28000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\Packages.exe | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | process
  2156 | powershell.exe
  3352 | powershell.exe
  4184 | powershell.exe
  5032 | powershell.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Packages.lnk | Packages.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Packages.lnk | Packages.exe
- Executes dropped EXE (3 IoCs)
  pid | process
  2280 | Packages.exe
  536 | Packages.exe
  2732 | Packages.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Packages = "C:\\Users\\Admin\\AppData\\Roaming\\Packages.exe" | Packages.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process
  2156 | powershell.exe (3 entries)
  3352 | powershell.exe (3 entries)
  4184 | powershell.exe (3 entries)
  5032 | powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid | process | tokens
  2840 | Packages.exe | SeDebugPrivilege
  2156 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3352 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4184 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 2840 wrote to memory of 2156 | 2840 | Packages.exe | powershell.exe (2 entries)
  PID 2840 wrote to memory of 3352 | 2840 | Packages.exe | powershell.exe (2 entries)
  PID 2840 wrote to memory of 4184 | 2840 | Packages.exe | powershell.exe (2 entries)
  PID 2840 wrote to memory of 5032 | 2840 | Packages.exe | powershell.exe (2 entries)
  PID 2840 wrote to memory of 1792 | 2840 | Packages.exe | schtasks.exe (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Packages.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Packages.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Packages.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packages.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Packages.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packages.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  - (depth 2) C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Packages" /tr "C:\Users\Admin\AppData\Roaming\Packages.exe"
    - Scheduled Task/Job: Scheduled Task
- (depth 1) C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  - Executes dropped EXE
- (depth 1) C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  - Executes dropped EXE
- (depth 1) C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Execution
  - Command and Scripting Interpreter: PowerShell (1)
  - Scheduled Task/Job: Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job: Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Packages.exe.log
  Filesize: 654B
  MD5: 16c5fce5f7230eea11598ec11ed42862
  SHA1: 75392d4824706090f5e8907eee1059349c927600
  SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: d537d3a46601caceaf81b5de0e917469
  SHA1: 68a119c88ce5c79db93d39144f4f2e33d078ef40
  SHA256: 6ead98b2bb9b60f3ceda1750f7bf510ba53202ab4e05c66c3b74dd335b5a364c
  SHA512: 8a69410af11c72cbd11a46c198fe6f256087caea82aa39ce06f00e6573c073e293682018c9aab73f7d12da770fd044df14955742b26f2a8ab484af4eb069595f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: a25da9867df891ebac640f58c43ac0c4
  SHA1: 950862d974bf947a78689425e20af4e38e0ba085
  SHA256: 7fdd9586663fd2ec6295bf5a8f21804547808deea0e70780fd9221c0adc16c95
  SHA512: 94cbd1c14aa2315def23be2af1bc08cf3fe5f99bd01e449a0d302e767d1c9cb1d0eed53bc32cb5e2464cb0d80a186f891e0df941a6a9510965b3f4b3ce378bcf
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e5494bf7d4a99a086919f0778db84d92
  SHA1: c6dddccbd49e38bae93673d89afec73a80b27c9c
  SHA256: 3098a832825599d648dd83b944844318aa42f992778d11aaf256d75338c1d921
  SHA512: da4e9111532a6caba8fe5537303ce5524ad58ce8b255b5b505b9cc7bc090d73f7b2b71a36570ae29ba4618a2667de81ea0b2c39efdad6492e1f37b90f9710133
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3vbmy5p.2pn.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Filesize: 68KB
  MD5: 9415d4c4cfa3920ceda0b1318dbb15c6
  SHA1: 99e81931f1e2d42eb3cecb5745fc4cde99f983e2
  SHA256: 6fbe3dbb5f3224e36ef2017a3d6df98b134aca7f3cdade044e5ba0cb152c3428
  SHA512: af2011920b67cb1a0fc5dc30e93e7c1fc401c2769b41a9654b96bcfab2860221ce17a0d47fa2ab28bb504a9a802bb7736c89d9191e8f1e483186d4006cb46adc
- memory/2156-10-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp (Filesize: 9.9MB)
- memory/2156-13-0x0000025C54810000-0x0000025C54886000-memory.dmp (Filesize: 472KB)
- memory/2156-51-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp (Filesize: 9.9MB)
- memory/2156-9-0x0000025C3C150000-0x0000025C3C172000-memory.dmp (Filesize: 136KB)
- memory/2156-8-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp (Filesize: 9.9MB)
- memory/2156-7-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp (Filesize: 9.9MB)
- memory/2840-0-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp (Filesize: 4KB)
- memory/2840-2-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp (Filesize: 9.9MB)
- memory/2840-186-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp (Filesize: 4KB)
- memory/2840-187-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp (Filesize: 9.9MB)
- memory/2840-1-0x0000000000B10000-0x0000000000B28000-memory.dmp (Filesize: 96KB)