Analysis
-
max time kernel
37s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 18:53
Behavioral task
behavioral1
Sample
Image Logger Hybrid V4.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
Image Logger Hybrid V4.exe
Resource
win11-20240508-en
General
-
Target
Image Logger Hybrid V4.exe
-
Size
126KB
-
MD5
6d103c685ef0960fab6eca5bf4617583
-
SHA1
ea11a8ba30f54015d71ed646fbd14b8800fc2e3f
-
SHA256
77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f
-
SHA512
2429d67cf73056d496ff4cff2b8a72e2bc643201616b969464543580bd027366e13c51fda4161e319af122fa22c088c1ec737e87e8528e09b4e450d84755732d
-
SSDEEP
3072:RMSncRzAOLeCyRuZA3A+bZ5FFOOszPAv:ySncRl3Zebv
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
dllhost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE family_xworm behavioral1/memory/1540-22-0x0000000000060000-0x0000000000076000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1960 powershell.exe 3812 powershell.exe 3364 powershell.exe 3260 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
S.EXETESTEE.EXEImage Logger Hybrid V4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation S.EXE Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation TESTEE.EXE Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation Image Logger Hybrid V4.exe -
Executes dropped EXE 3 IoCs
Processes:
S.EXETESTEE.EXEdllhost.exepid process 1724 S.EXE 1540 TESTEE.EXE 3432 dllhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
TESTEE.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe" TESTEE.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeTESTEE.EXEpid process 1960 powershell.exe 1960 powershell.exe 1960 powershell.exe 3812 powershell.exe 3812 powershell.exe 3812 powershell.exe 3364 powershell.exe 3364 powershell.exe 3364 powershell.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE 1540 TESTEE.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
TESTEE.EXEpowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedescription pid process Token: SeDebugPrivilege 1540 TESTEE.EXE Token: SeDebugPrivilege 1960 powershell.exe Token: SeDebugPrivilege 3812 powershell.exe Token: SeDebugPrivilege 3364 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeDebugPrivilege 3432 dllhost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
TESTEE.EXEpid process 1540 TESTEE.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Image Logger Hybrid V4.exeS.EXETESTEE.EXEcmd.exedescription pid process target process PID 3164 wrote to memory of 1724 3164 Image Logger Hybrid V4.exe S.EXE PID 3164 wrote to memory of 1724 3164 Image Logger Hybrid V4.exe S.EXE PID 3164 wrote to memory of 1540 3164 Image Logger Hybrid V4.exe TESTEE.EXE PID 3164 wrote to memory of 1540 3164 Image Logger Hybrid V4.exe TESTEE.EXE PID 1724 wrote to memory of 2364 1724 S.EXE cmd.exe PID 1724 wrote to memory of 2364 1724 S.EXE cmd.exe PID 1540 wrote to memory of 1960 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 1960 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 3812 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 3812 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 3364 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 3364 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 3260 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 3260 1540 TESTEE.EXE powershell.exe PID 1540 wrote to memory of 2272 1540 TESTEE.EXE schtasks.exe PID 1540 wrote to memory of 2272 1540 TESTEE.EXE schtasks.exe PID 2364 wrote to memory of 3264 2364 cmd.exe cmd.exe PID 2364 wrote to memory of 3264 2364 cmd.exe cmd.exe PID 2364 wrote to memory of 1608 2364 cmd.exe findstr.exe PID 2364 wrote to memory of 1608 2364 cmd.exe findstr.exe PID 2364 wrote to memory of 1956 2364 cmd.exe cmd.exe PID 2364 wrote to memory of 1956 2364 cmd.exe cmd.exe PID 2364 wrote to memory of 4864 2364 cmd.exe findstr.exe PID 2364 wrote to memory of 4864 2364 cmd.exe findstr.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\S.EXE"C:\Users\Admin\AppData\Local\Temp\S.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gPNIGqDv.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo id. "4⤵
-
C:\Windows\system32\findstr.exefindstr /c:"".png""4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo idk.png "4⤵
-
C:\Windows\system32\findstr.exefindstr /c:"".png""4⤵
-
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TESTEE.EXE'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Roaming\dllhost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1032,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:81⤵
-
C:\Users\Admin\AppData\Roaming\dllhost.exeC:\Users\Admin\AppData\Roaming\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
C:\Users\Admin\AppData\Local\Temp\S.EXEFilesize
7KB
MD5b8d58060de9ef19140c2801ea6c979bf
SHA1f98094ff9101b483e7a0d2826884a351c734fa9b
SHA25638d7a6d3e1fee555dd526ade1d5efaf18d62bb35dbcea1505f47fd6346b432a8
SHA5123eec6801ce54fc2541374a6f97956186d17e841a35f039fce59d7b0143f31d9fe8efe33e89fd676311b79baf75b5fae04f785d493206b75e424ba8d4e56adc7d
-
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXEFilesize
66KB
MD504b8f12a041a2812f433aaf8f0a897e7
SHA1b0680cf948c750266c565d21a100e8127d8bae40
SHA25694fc19b165838e67bb83583d20b11d5acc7af865aa8a1c73691addd86975ac15
SHA512018e3e534249abaa1d7da77566a3f1742e047a074ee07ae9a6cfcfa32d68f2b1bfb853360928cc9d2b28299d41803f7841aa5b5ef6431310b0b8b3ce0adf608e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xntcrsi0.mg0.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\gPNIGqDv.batFilesize
2KB
MD5f588fb26f7bb8500fe4235446e808d1d
SHA10d0029a41f068d8b2ace763b57a1a7cdca6ea86b
SHA25670b6546689c6e17ce3da85e5d52f0b053fdc18579559f3477d3362e2cdaff41e
SHA512fc84adc7447cb36b43aa9c90f395126622044c83321bc2c2c6791f8f4f6099b43137e5668f2eff5c1d9edec0f5af5ae2e7b22d64dc2307404c27291349822a1e
-
memory/1540-90-0x00007FFB91823000-0x00007FFB91825000-memory.dmpFilesize
8KB
-
memory/1540-78-0x00007FFB91820000-0x00007FFB922E1000-memory.dmpFilesize
10.8MB
-
memory/1540-102-0x00007FFB91820000-0x00007FFB922E1000-memory.dmpFilesize
10.8MB
-
memory/1540-22-0x0000000000060000-0x0000000000076000-memory.dmpFilesize
88KB
-
memory/1540-21-0x00007FFB91823000-0x00007FFB91825000-memory.dmpFilesize
8KB
-
memory/1724-24-0x0000000000DA0000-0x0000000000DA8000-memory.dmpFilesize
32KB
-
memory/1724-97-0x00007FFB91820000-0x00007FFB922E1000-memory.dmpFilesize
10.8MB
-
memory/1724-101-0x00007FFB91820000-0x00007FFB922E1000-memory.dmpFilesize
10.8MB
-
memory/1724-29-0x00007FFB91820000-0x00007FFB922E1000-memory.dmpFilesize
10.8MB
-
memory/1960-40-0x000001FCC3400000-0x000001FCC3422000-memory.dmpFilesize
136KB