Analysis
Max time kernel: 794s
Max time network: 784s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 01-07-2024 08:49
Behavioral tasks
- behavioral1: sample sv.exe, resource win10-20240404-en
- behavioral2: sample sv.exe, resource win7-20240419-en
- behavioral3: sample sv.exe, resource win10-20240404-en
- behavioral4: sample sv.exe, resource win10v2004-20240508-en
General
Target: sv.exe
Size: 63KB
MD5: c095a62b525e62244cad230e696028cf
SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP: 1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
Family: xworm
  amount-acceptance.gl.at.ply.gg:7420
  Install_directory: %ProgramData%
  install_file: svhost.exe
Signatures
Detect Xworm Payload (2 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/5116-0-0x0000000000880000-0x0000000000896000-memory.dmp: family_xworm
  - C:\ProgramData\svhost.exe: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process): 2260 powershell.exe; 1232 powershell.exe; 1028 powershell.exe; 4792 powershell.exe
Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (sv.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (sv.exe)
Executes dropped EXE (13 IoCs)
  Processes (pid, process): svhost.exe with PIDs 1496, 96, 4784, 4020, 3432, 4668, 2088, 3628, 1600, 1492, 3608, 4316, 4444
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" (sv.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid, process): 2260 powershell.exe (x3); 1232 powershell.exe (x3); 1028 powershell.exe (x3); 4792 powershell.exe (x3)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token, pid, process):
  - 5116 sv.exe: SeDebugPrivilege
  - 2260 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1232 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1028 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (pid, process, target process):
  - PID 5116 sv.exe wrote to memory of 2260 powershell.exe (x2)
  - PID 5116 sv.exe wrote to memory of 1232 powershell.exe (x2)
  - PID 5116 sv.exe wrote to memory of 1028 powershell.exe (x2)
  - PID 5116 sv.exe wrote to memory of 4792 powershell.exe (x2)
  - PID 5116 sv.exe wrote to memory of 1540 schtasks.exe (x2)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\sv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sv.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
    - Scheduled Task/Job: Scheduled Task
- C:\ProgramData\svhost.exe (13 separate top-level instances, each with the same command line)
  Command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\ProgramData\svhost.exe
  Filesize: 63KB
  MD5: c095a62b525e62244cad230e696028cf
  SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
  SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
  SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
  Filesize: 654B
  MD5: 16c5fce5f7230eea11598ec11ed42862
  SHA1: 75392d4824706090f5e8907eee1059349c927600
  SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 14741e67e80cf79afc9f78ddecf4511c
  SHA1: 4d88dfdbc3a6588810b20cb2d333987305f9411a
  SHA256: 566d4ab531ab8bbb9e68ce82a8543d5788943b9d51ffe8c2c3feedf4a263f4d2
  SHA512: 53c123b8f971e5493418da5593a1a067a323b57574a157bebfa4532d85832585d7fd22bf7236d9f6cfabb55f905ff8cf92b7f6faa984e90541d5bc4ec5884b4a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 3715120b6eb7f27980bbdfa898cea402
  SHA1: 4941cc2581199e0b31915c6f7785d7e7fea986f7
  SHA256: 7405d690cbcc4d55b20f10b7dcc93fe00372dd249dcea733ad590561b0483e88
  SHA512: 166b748d0d1eac16b532a16b82961f2aee724bf56a38036163cb9ed049a6142974a5c77e71c553c612771232137b78f433258c49c8177ea581f19f5dd85ad28d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 37e5c10834b07a782e971ec576c02f6d
  SHA1: 7b188f5ed6d172cf7c96aadad5f61e6d96d9d070
  SHA256: 75a48f2fdf0dcecee5b7c22e0e959920b2f47733dea615acb733307140f70d4d
  SHA512: a3d7ab62ff67143026121b3a2a0b6780e81af3c6363c2f0dece18b5c997cbd15c45ae75487d7668a0b2fb415af625c7f07aec8505733ac5110b6b8504f39b20c
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ym3obm3m.iu0.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
Memory dumps
- memory/2260-10-0x00000292DDCF0000-0x00000292DDD66000-memory.dmp (472KB)
- memory/2260-41-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/2260-48-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/2260-51-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/2260-24-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/2260-11-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/2260-9-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/2260-6-0x00000292DDB40000-0x00000292DDB62000-memory.dmp (136KB)
- memory/5116-0-0x0000000000880000-0x0000000000896000-memory.dmp (88KB)
- memory/5116-186-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/5116-190-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp (9.9MB)
- memory/5116-1-0x00007FFFDD2A3000-0x00007FFFDD2A4000-memory.dmp (4KB)