Analysis
- max time kernel: 294s
- max time network: 286s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-06-2024 06:36
Behavioral task: behavioral1
- Sample: Packages.exe
- Resource: win11-20240508-en
General
- Target: Packages.exe
- Size: 75KB
- MD5: e1b71f4ba193223fc5569d6c2c8987d8
- SHA1: ab0634c9bc987c434b55896cd9b1523af1280571
- SHA256: 15af6ab42b15ed39a5257f1e750c728accb88dc332162937f1fd22ba314b7afa
- SHA512: d98ae8f4d37bdae664a4d703c5d5bc0a57f1cdc992fca0aad080863cd68b19b63e50c327de541bd9ca2a12582ecb23ff61344a3bca173574c563fa45a4d951a8
- SSDEEP: 1536:b61UmSLuLfh3THEpbHhE+3lDZ6BwqTD+EViiODLkhpI:eumVfVTMbHhfA9ViiODLk/I
Malware Config
Extracted
- Family: xworm
- C2: 193.161.193.99:22901
- C2: Ironthing-22901.portmap.host:22901
- Install_directory: %AppData%
- install_file: Packages.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/5040-1-0x0000000000100000-0x000000000011A000-memory.dmp, yara_rule: family_xworm
    resource: C:\Users\Admin\AppData\Roaming\Packages.exe, yara_rule: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid 4996 powershell.exe
    pid 736 powershell.exe
    pid 3896 powershell.exe
    pid 1564 powershell.exe
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Packages.lnk (process: Packages.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Packages.lnk (process: Packages.exe)
- Executes dropped EXE (5 IoCs)
  Processes:
    pid 4308 Packages.exe
    pid 4788 Packages.exe
    pid 4792 Packages.exe
    pid 4660 Packages.exe
    pid 236 Packages.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Packages = "C:\\Users\\Admin\\AppData\\Roaming\\Packages.exe" (process: Packages.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 1, ioc: ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid 4996 powershell.exe
    pid 4996 powershell.exe
    pid 736 powershell.exe
    pid 736 powershell.exe
    pid 3896 powershell.exe
    pid 3896 powershell.exe
    pid 1564 powershell.exe
    pid 1564 powershell.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 5040 Packages.exe
    Token: SeDebugPrivilege, pid 4996 powershell.exe
    Token: SeDebugPrivilege, pid 736 powershell.exe
    Token: SeDebugPrivilege, pid 3896 powershell.exe
    Token: SeDebugPrivilege, pid 1564 powershell.exe
    Token: SeDebugPrivilege, pid 5040 Packages.exe
    Token: SeDebugPrivilege, pid 4308 Packages.exe
    Token: SeDebugPrivilege, pid 4788 Packages.exe
    Token: SeDebugPrivilege, pid 4792 Packages.exe
    Token: SeDebugPrivilege, pid 4660 Packages.exe
    Token: SeDebugPrivilege, pid 236 Packages.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    PID 5040 (Packages.exe) wrote to memory of 4996 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 4996 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 736 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 736 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 3896 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 3896 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 1564 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 1564 (powershell.exe)
    PID 5040 (Packages.exe) wrote to memory of 4560 (schtasks.exe)
    PID 5040 (Packages.exe) wrote to memory of 4560 (schtasks.exe)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Packages.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Packages.exe"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Packages.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packages.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Packages.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packages.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Packages" /tr "C:\Users\Admin\AppData\Roaming\Packages.exe"
    Signatures: Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Command line: C:\Users\Admin\AppData\Roaming\Packages.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Packages.exe.log
  Filesize: 654B
  MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
  SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
  SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
  SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
  SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
  SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
  SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 21017c68eaf9461301de459f4f07e888
  SHA1: 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
  SHA256: 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
  SHA512: 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: eb9dd0f1e84c3e70c5b401d33c439803
  SHA1: 36f90b3634d6b7c78140e762397d47845ffb944c
  SHA256: c1647b091931f45c019578e5215d837bffe70f8edafae1cee39025116e8fcfd4
  SHA512: 1c5a3ee2a79f8653759a16f1a15ae62600ff4eedef66a16dfeab4504a1650c5222de8227a95215d42b3741d4d9ae1a985b9fbe594fffa4b2dfb969c3c5fdfab6
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kr4w0n0m.qla.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Packages.exe
  Filesize: 75KB
  MD5: e1b71f4ba193223fc5569d6c2c8987d8
  SHA1: ab0634c9bc987c434b55896cd9b1523af1280571
  SHA256: 15af6ab42b15ed39a5257f1e750c728accb88dc332162937f1fd22ba314b7afa
  SHA512: d98ae8f4d37bdae664a4d703c5d5bc0a57f1cdc992fca0aad080863cd68b19b63e50c327de541bd9ca2a12582ecb23ff61344a3bca173574c563fa45a4d951a8
- memory/4996-12-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/4996-15-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/4996-18-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/4996-14-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/4996-13-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/4996-3-0x00000241B4300000-0x00000241B4322000-memory.dmp
  Filesize: 136KB
- memory/5040-0-0x00007FF829673000-0x00007FF829675000-memory.dmp
  Filesize: 8KB
- memory/5040-54-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/5040-2-0x00007FF829670000-0x00007FF82A132000-memory.dmp
  Filesize: 10.8MB
- memory/5040-1-0x0000000000100000-0x000000000011A000-memory.dmp
  Filesize: 104KB