Analysis
-
max time kernel
85s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
WaveWindowsCracked.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
WaveWindowsCracked.exe
Resource
win10v2004-20240508-en
General
-
Target
WaveWindowsCracked.exe
-
Size
7.6MB
-
MD5
1aec1baab610e71d2dd83ddb08d9c49a
-
SHA1
47789c92be6ce830faa926acb1969086d410e4d4
-
SHA256
e2bfe1a9a590aab1f7572309b45c0cf88558f9c3463acb550d30e24f47132d1c
-
SHA512
2435a57bd91dae06c62ca1d209091f3ce4f3de9012eb80b901e89a62e60b28d45e5c94d018c5af5a831b3ff8d28e4bfc6e0c487125be14926a62b970e459690a
-
SSDEEP
196608:IUhZUvqevevx2QtiFX2PTiiXIeMeZ4SZCqL1:BhOvaZ+X2PG6Iep6SZCy
Malware Config
Extracted
xworm
stewiegriffin-37537.portmap.host:37537
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\DriverUpdt.exe family_xworm behavioral1/memory/2612-13-0x0000000000D10000-0x0000000000D2C000-memory.dmp family_xworm behavioral1/memory/484-47-0x0000000001340000-0x000000000135C000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 2444 powershell.exe 2588 powershell.exe 2480 powershell.exe 1528 powershell.exe -
Drops startup file 2 IoCs
Processes:
DriverUpdt.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk DriverUpdt.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk DriverUpdt.exe -
Executes dropped EXE 3 IoCs
Processes:
WaveWindows.exeDriverUpdt.exeDriverUpdtpid process 2344 WaveWindows.exe 2612 DriverUpdt.exe 484 DriverUpdt -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
DriverUpdt.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverUpdt = "C:\\Users\\Admin\\AppData\\Roaming\\DriverUpdt" DriverUpdt.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
WaveWindows.exepowershell.exepowershell.exepowershell.exepowershell.exeDriverUpdt.exepid process 2344 WaveWindows.exe 2444 powershell.exe 2588 powershell.exe 2480 powershell.exe 1528 powershell.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe 2612 DriverUpdt.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
DriverUpdt.exeWaveWindows.exepowershell.exepowershell.exepowershell.exepowershell.exeDriverUpdtdescription pid process Token: SeDebugPrivilege 2612 DriverUpdt.exe Token: SeDebugPrivilege 2344 WaveWindows.exe Token: SeDebugPrivilege 2444 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeDebugPrivilege 2480 powershell.exe Token: SeDebugPrivilege 1528 powershell.exe Token: SeDebugPrivilege 2612 DriverUpdt.exe Token: SeDebugPrivilege 484 DriverUpdt -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
DriverUpdt.exepid process 2612 DriverUpdt.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
WaveWindowsCracked.exeDriverUpdt.exetaskeng.exedescription pid process target process PID 2044 wrote to memory of 2344 2044 WaveWindowsCracked.exe WaveWindows.exe PID 2044 wrote to memory of 2344 2044 WaveWindowsCracked.exe WaveWindows.exe PID 2044 wrote to memory of 2344 2044 WaveWindowsCracked.exe WaveWindows.exe PID 2044 wrote to memory of 2344 2044 WaveWindowsCracked.exe WaveWindows.exe PID 2044 wrote to memory of 2612 2044 WaveWindowsCracked.exe DriverUpdt.exe PID 2044 wrote to memory of 2612 2044 WaveWindowsCracked.exe DriverUpdt.exe PID 2044 wrote to memory of 2612 2044 WaveWindowsCracked.exe DriverUpdt.exe PID 2612 wrote to memory of 2444 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2444 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2444 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2588 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2588 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2588 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2480 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2480 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 2480 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 1528 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 1528 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 1528 2612 DriverUpdt.exe powershell.exe PID 2612 wrote to memory of 1736 2612 DriverUpdt.exe schtasks.exe PID 2612 wrote to memory of 1736 2612 DriverUpdt.exe schtasks.exe PID 2612 wrote to memory of 1736 2612 DriverUpdt.exe schtasks.exe PID 2052 wrote to memory of 484 2052 taskeng.exe DriverUpdt PID 2052 wrote to memory of 484 2052 taskeng.exe DriverUpdt PID 2052 wrote to memory of 484 2052 taskeng.exe DriverUpdt -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WaveWindowsCracked.exe"C:\Users\Admin\AppData\Local\Temp\WaveWindowsCracked.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WaveWindows.exe"C:\Users\Admin\AppData\Roaming\WaveWindows.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\DriverUpdt.exe"C:\Users\Admin\AppData\Roaming\DriverUpdt.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DriverUpdt.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DriverUpdt'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\Admin\AppData\Roaming\DriverUpdt"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {0D322A70-48BF-41EB-818E-0E0723F4A85E} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\DriverUpdtC:\Users\Admin\AppData\Roaming\DriverUpdt2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\DriverUpdt.exeFilesize
84KB
MD565485b0475b6c8a3b4f35bba541938a6
SHA128e6e6cd2ebf8a9fdffeb4aeba13b70ea7ea03a3
SHA256c6740ee5c8afdc2c7be42fb03ab5a346925efc6ac785fe7d68dec2d5f05d276b
SHA512034303ee48132b80da79e54a6077676cfd436ef869493a11a27c29dc7cb730fd2ce902320d554a0cde81fc0a06f6c56efa5c170a1360906ec9fa7fd101c3706d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57c521ab51a76c9a6fd932ad04076c9ff
SHA15aadee0181006f12e04147cfe78b1c991f43ef49
SHA256390cfdcaff7cebbcea77c04a6f562e6d745a91cbe162d014b54b907908a53214
SHA5129857e2d896799dd1e2310cd50e66a229853ef0f01eaea0c5d3a814e79bdaec2a2e6d9138594c41753d0b468f5cfc6df1fc6b66e661c8f6f4750091d4a7082fa9
-
C:\Users\Admin\AppData\Roaming\WaveWindows.exeFilesize
7.5MB
MD5cd34bf9c69f229818a4c9301e51435eb
SHA1bfb95a5dc5d777e2b5940f354da271fed397adb2
SHA2563b217daf815ced5cf1087d1f408fc3833c9d80a1e3e25b3f9041698b9e34216f
SHA5122c68b211a4c8c144713cbe99214e8dc33d3ef6c1f244af4a313ff5ab93d946a4281d404b02c5f66ef5652071279649082877eaa728912a0e769c2c848e0a8e6b
-
memory/484-47-0x0000000001340000-0x000000000135C000-memory.dmpFilesize
112KB
-
memory/2044-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmpFilesize
4KB
-
memory/2044-1-0x0000000000B10000-0x00000000012B6000-memory.dmpFilesize
7.6MB
-
memory/2344-15-0x00000000006A0000-0x00000000006EA000-memory.dmpFilesize
296KB
-
memory/2344-16-0x0000000000520000-0x0000000000544000-memory.dmpFilesize
144KB
-
memory/2344-17-0x0000000005880000-0x0000000005966000-memory.dmpFilesize
920KB
-
memory/2344-14-0x0000000000950000-0x00000000010DC000-memory.dmpFilesize
7.5MB
-
memory/2444-22-0x000000001B6E0000-0x000000001B9C2000-memory.dmpFilesize
2.9MB
-
memory/2444-23-0x0000000001ED0000-0x0000000001ED8000-memory.dmpFilesize
32KB
-
memory/2588-29-0x000000001B560000-0x000000001B842000-memory.dmpFilesize
2.9MB
-
memory/2588-30-0x0000000002690000-0x0000000002698000-memory.dmpFilesize
32KB
-
memory/2612-13-0x0000000000D10000-0x0000000000D2C000-memory.dmpFilesize
112KB