Analysis

max time kernel: 1800s
max time network: 1172s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 09:10
Behavioral tasks

behavioral1: sample sv.exe, resource win10v2004-20240611-en
behavioral2: sample sv.exe, resource win7-20231129-en
behavioral3: sample sv.exe, resource win10-20240404-en
behavioral4: sample sv.exe, resource win10v2004-20240611-en
behavioral5: sample sv.exe, resource win11-20240508-en
General

Target: sv.exe
Size: 63KB
MD5: c095a62b525e62244cad230e696028cf
SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP: 1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config

Extracted: xworm
  amount-acceptance.gl.at.ply.gg:7420
  Install_directory: %ProgramData%
  install_file: svhost.exe
Signatures

Detect Xworm Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral4/memory/4280-1-0x00000000008E0000-0x00000000008F6000-memory.dmp | family_xworm
  C:\ProgramData\svhost.exe | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
  pid | process
  4192 | powershell.exe
  436 | powershell.exe
  1540 | powershell.exe
  1112 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | sv.exe

Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | sv.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | sv.exe

Executes dropped EXE (6 IoCs)
  Processes:
  pid | process
  3092 | svhost.exe
  4480 | svhost.exe
  2244 | svhost.exe
  5108 | svhost.exe
  2860 | svhost.exe
  2628 | svhost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" | sv.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (15 IoCs)
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid | process
  4192 | powershell.exe
  4192 | powershell.exe
  436 | powershell.exe
  436 | powershell.exe
  1540 | powershell.exe
  1540 | powershell.exe
  1112 | powershell.exe
  1112 | powershell.exe

Suspicious behavior: LoadsDriver (64 IoCs)
  Processes (pid only; no process name recorded):
  1012 4736 4508 3076 220 4452 3700 3140 1564 3512 1876 1816 1644 4904 3092 3816 3760 3524 3960 4672 232 3872 344 8 1728 2748 1584 4484 1276 4112 1940 3684 2968 5064 760 1864 5088 2324 1388 888 2428 4180 4576 1248 936 2020 3560 3564 436 3900 5104 4440 1652 2160 4148 3836 1756 4936 4724 2572 1972 1732 3440 2488

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4280 | sv.exe
  Token: SeDebugPrivilege | 4192 | powershell.exe
  Token: SeDebugPrivilege | 436 | powershell.exe
  Token: SeDebugPrivilege | 1540 | powershell.exe
  Token: SeDebugPrivilege | 1112 | powershell.exe
  Token: SeDebugPrivilege | 4280 | sv.exe
  Token: SeDebugPrivilege | 3092 | svhost.exe
  Token: SeDebugPrivilege | 4480 | svhost.exe
  Token: SeDebugPrivilege | 2244 | svhost.exe
  Token: SeDebugPrivilege | 5108 | svhost.exe
  Token: SeDebugPrivilege | 2860 | svhost.exe
  Token: SeDebugPrivilege | 2628 | svhost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  5112 | LogonUI.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 4280 wrote to memory of 4192 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 4192 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 436 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 436 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 1540 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 1540 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 1112 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 1112 | 4280 | sv.exe | powershell.exe
  PID 4280 wrote to memory of 656 | 4280 | sv.exe | schtasks.exe
  PID 4280 wrote to memory of 656 | 4280 | sv.exe | schtasks.exe
  PID 4280 wrote to memory of 4316 | 4280 | sv.exe | shutdown.exe
  PID 4280 wrote to memory of 4316 | 4280 | sv.exe | shutdown.exe

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\sv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sv.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SYSTEM32\shutdown.exe
    Command line: shutdown.exe -L

C:\ProgramData\svhost.exe
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svhost.exe
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svhost.exe
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svhost.exe
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svhost.exe
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svhost.exe
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3939055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\ProgramData\svhost.exe
  Filesize: 63KB
  MD5: c095a62b525e62244cad230e696028cf
  SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
  SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
  SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 2e907f77659a6601fcc408274894da2e
  SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: fa8d1461e4feb2c39654e3a555a027f8
  SHA1: 0ca46b8961ceba8f9da31de5ed2408643fc89141
  SHA256: 7e26e4f0ef3a7d2904818a691429789c4781029ff4aab697c3b7c9a4287d661f
  SHA512: e486b8f029c7eec60b6b2b5603390330afb1ddf627cc01c511808c47e68676b4c429b9f75fd4e16e48b496dccfe8cc8ec4a35825e1e889e66571acb6c03e0869

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 96e3b86880fedd5afc001d108732a3e5
  SHA1: 8fc17b39d744a9590a6d5897012da5e6757439a3
  SHA256: c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
  SHA512: 909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgqe5p3i.ort.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4192-12-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB

memory/4192-17-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB

memory/4192-14-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB

memory/4192-13-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB

memory/4192-2-0x0000023C6A720000-0x0000023C6A742000-memory.dmp
  Filesize: 136KB

memory/4280-0-0x00007FFC3D363000-0x00007FFC3D365000-memory.dmp
  Filesize: 8KB

memory/4280-56-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB

memory/4280-57-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB

memory/4280-1-0x00000000008E0000-0x00000000008F6000-memory.dmp
  Filesize: 88KB

memory/4280-68-0x00007FFC3D360000-0x00007FFC3DE21000-memory.dmp
  Filesize: 10.8MB