Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 09:07
Static task: static1
Behavioral task: behavioral1
- Sample: Payment_Information.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Payment_Information.exe
- Resource: win10v2004-20240508-en
General
- Target: Payment_Information.exe
- Size: 1.2MB
- MD5: bfe4e6c774018b6e85d33fd381427d2f
- SHA1: e75e6b64ea2c112a3a1b6a5ca1c0663cb185f704
- SHA256: 473c0737f6125ad0dff41521ab1e6331cd457c3253556b2bce4482ebf86e829b
- SHA512: 041f0fd37b0fff784b22261e23853fd3474881820f01aa3cc1dbdf4c4c0c25dfda70b15a4ac007aef70b3d28c92cfde60d3ec91e32f48c670f94e90b10d904a3
- SSDEEP: 24576:q4fvrZFtYuN29VEFV5qSh0lhSMXl0NJkdV4KKhnPmgUf5:nvhQVKV5qPkJIV4ZhPmT
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: newsferinfo.com:7000, continentalgames.top:7000
- 8VF9MKRpl0LkiNW2
- Install_directory: %Public%
- install_file: microsoft_version_0124.exe
Signatures

Detect Xworm Payload (7 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2236-0-0x0000000000250000-0x0000000000272000-memory.dmp   family_xworm
  behavioral1/memory/2236-16-0x0000000000250000-0x0000000000272000-memory.dmp  family_xworm
  behavioral1/memory/1548-18-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  behavioral1/memory/1548-17-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  behavioral1/memory/1548-15-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  behavioral1/memory/1548-12-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  behavioral1/memory/1548-9-0x0000000000400000-0x0000000000412000-memory.dmp   family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2628  powershell.exe
  2924  powershell.exe
  2224  powershell.exe
  1888  powershell.exe
Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                                      process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft_version_0124.lnk  RegAsm.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft_version_0124.lnk  RegAsm.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1548  RegAsm.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft_version_0124 = "C:\\Users\\Public\\microsoft_version_0124.exe"  RegAsm.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     ip-api.com
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                           pid   process                  target process
  PID 2236 set thread context of 1548   2236  Payment_Information.exe  RegAsm.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  1548  RegAsm.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  2628  powershell.exe
  2924  powershell.exe
  2224  powershell.exe
  1888  powershell.exe
  1548  RegAsm.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1548  RegAsm.exe
  Token: SeDebugPrivilege  2628  powershell.exe
  Token: SeDebugPrivilege  2924  powershell.exe
  Token: SeDebugPrivilege  2224  powershell.exe
  Token: SeDebugPrivilege  1888  powershell.exe
  Token: SeDebugPrivilege  1548  RegAsm.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1548  RegAsm.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description                         pid   process                  target process
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 2236 wrote to memory of 1548    2236  Payment_Information.exe  RegAsm.exe
  PID 1548 wrote to memory of 2628    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2628    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2628    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2628    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2924    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2924    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2924    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2924    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2224    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2224    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2224    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 2224    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 1888    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 1888    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 1888    1548  RegAsm.exe               powershell.exe
  PID 1548 wrote to memory of 1888    1548  RegAsm.exe               powershell.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Payment_Information.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_Information.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\microsoft_version_0124.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'microsoft_version_0124.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 0dfb140e3d107959b8fef735d8390b0c
  SHA1: 0f432dc32913188cdef9d7a4766e9d9f9afc9e67
  SHA256: 2a6f1b85141dac3c9e362fb5a68cf07d7ec245234b2ef4f5b41acb445a33f03b
  SHA512: 16e3a2b0406cb54301be1064cf00d163cdbc907312c03a185c1635db44d4a252712006ea8da33f5198975e226c33893a50d813d89fb1b88006963be43ca26909
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Public\microsoft_version_0124.exe
  Filesize: 63KB
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- memory/1548-12-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1548-17-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1548-15-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1548-9-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1548-6-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1548-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1548-18-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1548-3-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2236-0-0x0000000000250000-0x0000000000272000-memory.dmp
  Filesize: 136KB
- memory/2236-16-0x0000000000250000-0x0000000000272000-memory.dmp
  Filesize: 136KB