Analysis
- max time kernel: 32s
- max time network: 43s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-06-2024 18:53
Behavioral tasks
| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | Image Logger Hybrid V4.exe | win10v2004-20240611-en |
| behavioral2 | Image Logger Hybrid V4.exe | win11-20240508-en |
General
- Target: Image Logger Hybrid V4.exe
- Size: 126KB
- MD5: 6d103c685ef0960fab6eca5bf4617583
- SHA1: ea11a8ba30f54015d71ed646fbd14b8800fc2e3f
- SHA256: 77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f
- SHA512: 2429d67cf73056d496ff4cff2b8a72e2bc643201616b969464543580bd027366e13c51fda4161e319af122fa22c088c1ec737e87e8528e09b4e450d84755732d
- SSDEEP: 3072:RMSncRzAOLeCyRuZA3A+bZ5FFOOszPAv:ySncRl3Zebv
Malware Config
Extracted family: xworm
- Install_directory: %AppData%
- install_file: dllhost.exe
Signatures

Detect Xworm Payload (2 IoCs)
| Resource | YARA rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE | family_xworm |
| behavioral2/memory/980-22-0x0000000000A60000-0x0000000000A76000-memory.dmp | family_xworm |
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| PID | Process |
| --- | --- |
| 4088 | powershell.exe |
| 928 | powershell.exe |
| 4244 | powershell.exe |
| 5060 | powershell.exe |
Executes dropped EXE (3 IoCs)
| PID | Process |
| --- | --- |
| 3816 | S.EXE |
| 980 | TESTEE.EXE |
| 3692 | dllhost.exe |
Adds Run key to start application (2 TTPs, 1 IoCs)
| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe" | TESTEE.EXE |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (9 IoCs)
| PID | Process |
| --- | --- |
| 5060 | powershell.exe |
| 5060 | powershell.exe |
| 4088 | powershell.exe |
| 4088 | powershell.exe |
| 928 | powershell.exe |
| 928 | powershell.exe |
| 4244 | powershell.exe |
| 4244 | powershell.exe |
| 980 | TESTEE.EXE |
Suspicious use of AdjustPrivilegeToken (6 IoCs)
| Description | PID | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 980 | TESTEE.EXE |
| Token: SeDebugPrivilege | 5060 | powershell.exe |
| Token: SeDebugPrivilege | 4088 | powershell.exe |
| Token: SeDebugPrivilege | 928 | powershell.exe |
| Token: SeDebugPrivilege | 4244 | powershell.exe |
| Token: SeDebugPrivilege | 3692 | dllhost.exe |
Suspicious use of SetWindowsHookEx (1 IoCs)
| PID | Process |
| --- | --- |
| 980 | TESTEE.EXE |
Suspicious use of WriteProcessMemory (16 IoCs)
| Description | PID | Process | Target process |
| --- | --- | --- | --- |
| PID 5064 wrote to memory of 3816 | 5064 | Image Logger Hybrid V4.exe | S.EXE |
| PID 5064 wrote to memory of 3816 | 5064 | Image Logger Hybrid V4.exe | S.EXE |
| PID 5064 wrote to memory of 980 | 5064 | Image Logger Hybrid V4.exe | TESTEE.EXE |
| PID 5064 wrote to memory of 980 | 5064 | Image Logger Hybrid V4.exe | TESTEE.EXE |
| PID 3816 wrote to memory of 4336 | 3816 | S.EXE | cmd.exe |
| PID 3816 wrote to memory of 4336 | 3816 | S.EXE | cmd.exe |
| PID 980 wrote to memory of 5060 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 5060 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 4088 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 4088 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 928 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 928 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 4244 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 4244 | 980 | TESTEE.EXE | powershell.exe |
| PID 980 wrote to memory of 2116 | 980 | TESTEE.EXE | schtasks.exe |
| PID 980 wrote to memory of 2116 | 980 | TESTEE.EXE | schtasks.exe |
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nesting shows the parent/child relationship; the original depth number is given in parentheses)
- C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\S.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\S.EXE"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMm41yoJ.bat" "
  - C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TESTEE.EXE'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      Signatures: Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Roaming\dllhost.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 45f53352160cf0903c729c35c8edfdce
  SHA1: b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
  SHA256: 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
  SHA512: e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d25824885a04d4e312ef2a5259828e5b
  SHA1: 9befaa1be8b82ab0adbf95bea0e211f3bed56d61
  SHA256: 9bafaf42de818939e444144a6f0e231a21c3fb881d32d718ffcd658bc0efb9ca
  SHA512: 729cebf87417b7848ef627e70bb51399f463c468e32468d861d219077050833e95330af63307c0cc2ec22936d93ef994bc12db842b636fc6a80d967459c2f631
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 21017c68eaf9461301de459f4f07e888
  SHA1: 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
  SHA256: 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
  SHA512: 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d
- C:\Users\Admin\AppData\Local\Temp\S.EXE
  Filesize: 7KB
  MD5: b8d58060de9ef19140c2801ea6c979bf
  SHA1: f98094ff9101b483e7a0d2826884a351c734fa9b
  SHA256: 38d7a6d3e1fee555dd526ade1d5efaf18d62bb35dbcea1505f47fd6346b432a8
  SHA512: 3eec6801ce54fc2541374a6f97956186d17e841a35f039fce59d7b0143f31d9fe8efe33e89fd676311b79baf75b5fae04f785d493206b75e424ba8d4e56adc7d
- C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
  Filesize: 66KB
  MD5: 04b8f12a041a2812f433aaf8f0a897e7
  SHA1: b0680cf948c750266c565d21a100e8127d8bae40
  SHA256: 94fc19b165838e67bb83583d20b11d5acc7af865aa8a1c73691addd86975ac15
  SHA512: 018e3e534249abaa1d7da77566a3f1742e047a074ee07ae9a6cfcfa32d68f2b1bfb853360928cc9d2b28299d41803f7841aa5b5ef6431310b0b8b3ce0adf608e
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkwt5yic.q05.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\bMm41yoJ.bat
  Filesize: 2KB
  MD5: f588fb26f7bb8500fe4235446e808d1d
  SHA1: 0d0029a41f068d8b2ace763b57a1a7cdca6ea86b
  SHA256: 70b6546689c6e17ce3da85e5d52f0b053fdc18579559f3477d3362e2cdaff41e
  SHA512: fc84adc7447cb36b43aa9c90f395126622044c83321bc2c2c6791f8f4f6099b43137e5668f2eff5c1d9edec0f5af5ae2e7b22d64dc2307404c27291349822a1e
Memory dumps
| Memory dump | Filesize |
| --- | --- |
| memory/980-22-0x0000000000A60000-0x0000000000A76000-memory.dmp | 88KB |
| memory/980-21-0x00007FFA49493000-0x00007FFA49495000-memory.dmp | 8KB |
| memory/980-74-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp | 10.8MB |
| memory/980-79-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp | 10.8MB |
| memory/3816-27-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp | 10.8MB |
| memory/3816-24-0x0000000000C00000-0x0000000000C08000-memory.dmp | 32KB |
| memory/3816-78-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp | 10.8MB |
| memory/5060-32-0x000001E63BBC0000-0x000001E63BBE2000-memory.dmp | 136KB |