Analysis
max time kernel: 28s
max time network: 15s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 05:41
Behavioral task: behavioral1
Sample: windowspowershell.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: windowspowershell.exe
Resource: win10v2004-20240508-en
General
Target: windowspowershell.exe
Size: 70KB
MD5: a65730c3385f81d9dd1245fd6a7dd8bc
SHA1: bfea51aad8077ffbe0893687c6706449e0204f07
SHA256: f3e91c0e63a38f99af50221e9215315f401d591968c9e76d2d786908a6cccf1b
SHA512: 6e0327af881fbc18dc8542835513e502e1575aa4b94ced9b752194eb3d84014b0e8d47e9a44d0dc2d8eac9552b4fab7744ec4a486879d4242bd57a04ab6256c6
SSDEEP: 1536:4xr5e+IPIyYGFZabUnYmjLha8qB2nD6T9aZOLTST6:gFE7YWQbUmt2cKOLM6
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: so-presently.gl.at.ply.gg:59751
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1708-1-0x0000000000240000-0x0000000000258000-memory.dmp  family_xworm
  C:\Users\Admin\AppData\Roaming\windowspowershell.exe                        family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2828  powershell.exe
  2492  powershell.exe
  2884  powershell.exe

Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                                 process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowspowershell.lnk  windowspowershell.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowspowershell.lnk  windowspowershell.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                                                                 process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowspowershell = "C:\\Users\\Admin\\AppData\\Roaming\\windowspowershell.exe"  windowspowershell.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  2884  powershell.exe
  2828  powershell.exe
  2492  powershell.exe
  1708  windowspowershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1708  windowspowershell.exe
  Token: SeDebugPrivilege  2884  powershell.exe
  Token: SeDebugPrivilege  2828  powershell.exe
  Token: SeDebugPrivilege  2492  powershell.exe
  Token: SeDebugPrivilege  1708  windowspowershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1708  windowspowershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                target process
  PID 1708 wrote to memory of 2884  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2884  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2884  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2828  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2828  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2828  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2492  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2492  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 2492  1708  windowspowershell.exe  powershell.exe
  PID 1708 wrote to memory of 1172  1708  windowspowershell.exe  schtasks.exe
  PID 1708 wrote to memory of 1172  1708  windowspowershell.exe  schtasks.exe
  PID 1708 wrote to memory of 1172  1708  windowspowershell.exe  schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\windowspowershell.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\windowspowershell.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\windowspowershell.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'windowspowershell.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\windowspowershell.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "windowspowershell" /tr "C:\Users\Admin\AppData\Roaming\windowspowershell.exe"
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: d48106efff15bfb186c384b1c0ddd862
  SHA1: c7dd7205f254b3ee2b46b837e89f8f1f7ecb0e55
  SHA256: 335e79dd57ac4d8b7175075567059bcac31f303c8221d87b4826ceebbeb84da8
  SHA512: 16b29ecb3fa647511489acfc5e6aa2946d5093b9758c3df431fe8359f1bbe5343200aac493736aeca4a08754eb29cf757afa328cb83e2f25897e6d3ed4453033

C:\Users\Admin\AppData\Roaming\windowspowershell.exe
  Filesize: 70KB
  MD5: a65730c3385f81d9dd1245fd6a7dd8bc
  SHA1: bfea51aad8077ffbe0893687c6706449e0204f07
  SHA256: f3e91c0e63a38f99af50221e9215315f401d591968c9e76d2d786908a6cccf1b
  SHA512: 6e0327af881fbc18dc8542835513e502e1575aa4b94ced9b752194eb3d84014b0e8d47e9a44d0dc2d8eac9552b4fab7744ec4a486879d4242bd57a04ab6256c6

memory/1708-0-0x000007FEF5153000-0x000007FEF5154000-memory.dmp
  Filesize: 4KB

memory/1708-1-0x0000000000240000-0x0000000000258000-memory.dmp
  Filesize: 96KB

memory/1708-2-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp
  Filesize: 9.9MB

memory/1708-30-0x000007FEF5153000-0x000007FEF5154000-memory.dmp
  Filesize: 4KB

memory/1708-31-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp
  Filesize: 9.9MB

memory/2828-15-0x000000001B5B0000-0x000000001B892000-memory.dmp
  Filesize: 2.9MB

memory/2828-16-0x0000000002250000-0x0000000002258000-memory.dmp
  Filesize: 32KB

memory/2884-7-0x0000000002900000-0x0000000002980000-memory.dmp
  Filesize: 512KB

memory/2884-8-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
  Filesize: 2.9MB

memory/2884-9-0x00000000029E0000-0x00000000029E8000-memory.dmp
  Filesize: 32KB