Resubmissions
01-07-2024 12:23
240701-pkp6tavcrm 1001-07-2024 12:17
240701-pf8scs1dnf 1001-07-2024 12:12
240701-pdbd3sthnj 1001-07-2024 12:03
240701-n8evbatfll 10Analysis
-
max time kernel
121s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 12:03
Behavioral task
behavioral1
Sample
fix.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
fix.exe
Resource
win10v2004-20240611-en
General
-
Target
fix.exe
-
Size
35KB
-
MD5
83bbe29b99a54bad48074efb72ce1fcc
-
SHA1
421deeba13130a8eebacc8c7f48f28e6fe8485f2
-
SHA256
99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
-
SHA512
67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
-
SSDEEP
768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7
Malware Config
Extracted
xworm
5.0
20.ip.gl.ply.gg:53765
JCfj6Aifpywc6Ul9
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2424-1-0x00000000012A0000-0x00000000012B0000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 2236 powershell.exe 3024 powershell.exe 2888 powershell.exe 2744 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
fix.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" fix.exe -
Drops file in Windows directory 1 IoCs
Processes:
ehshell.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log ehshell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeehshell.exeehExtHost.exepid process 2236 powershell.exe 3024 powershell.exe 2888 powershell.exe 2744 powershell.exe 1660 ehshell.exe 1916 ehExtHost.exe 1916 ehExtHost.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
fix.exepowershell.exepowershell.exepowershell.exepowershell.exeehshell.exeehExtHost.exedescription pid process Token: SeDebugPrivilege 2424 fix.exe Token: SeDebugPrivilege 2236 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 2888 powershell.exe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 2424 fix.exe Token: SeDebugPrivilege 1660 ehshell.exe Token: SeDebugPrivilege 1916 ehExtHost.exe Token: SeShutdownPrivilege 1660 ehshell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
fix.exeehshell.exedescription pid process target process PID 2424 wrote to memory of 2236 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2236 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2236 2424 fix.exe powershell.exe PID 2424 wrote to memory of 3024 2424 fix.exe powershell.exe PID 2424 wrote to memory of 3024 2424 fix.exe powershell.exe PID 2424 wrote to memory of 3024 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2888 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2888 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2888 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2744 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2744 2424 fix.exe powershell.exe PID 2424 wrote to memory of 2744 2424 fix.exe powershell.exe PID 1660 wrote to memory of 1916 1660 ehshell.exe ehExtHost.exe PID 1660 wrote to memory of 1916 1660 ehshell.exe ehExtHost.exe PID 1660 wrote to memory of 1916 1660 ehshell.exe ehExtHost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\eHome\ehshell.exe"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\ShowJoin.DVR"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\eHome\ehExtHost.exe"C:\Windows\eHome\ehExtHost.exe" 1660 e28947be-18c2-4280-9b3a-6e2764549471 3 False False False2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51d51060b89119092187c763328f5fb7f
SHA1d1114f533aaa033898c58b75cd8670a870a0f89d
SHA256c8676e8aa9778a4e5583f93ade08dd3be74b220b8218b040a47449fbd5a397aa
SHA512d0c8f388f3a9c92dc711b5da4a966a616e4535542e1c66159c42af4f5ba70a5342cc0761224118dc19994b0e266f24064a66f7e1a544a0d7a0a14f06238badc5
-
memory/1660-35-0x000000001F1E0000-0x000000001F298000-memory.dmpFilesize
736KB
-
memory/1660-34-0x000000001D110000-0x000000001D1AE000-memory.dmpFilesize
632KB
-
memory/1660-61-0x000000001D050000-0x000000001D05A000-memory.dmpFilesize
40KB
-
memory/1660-59-0x000000001D050000-0x000000001D087000-memory.dmpFilesize
220KB
-
memory/1660-33-0x000000001E920000-0x000000001EAA4000-memory.dmpFilesize
1.5MB
-
memory/1660-32-0x000000001E310000-0x000000001E918000-memory.dmpFilesize
6.0MB
-
memory/1660-60-0x000000001D050000-0x000000001D05A000-memory.dmpFilesize
40KB
-
memory/1916-36-0x0000000002180000-0x00000000021E0000-memory.dmpFilesize
384KB
-
memory/2236-7-0x000000001B510000-0x000000001B7F2000-memory.dmpFilesize
2.9MB
-
memory/2236-6-0x00000000028E0000-0x0000000002960000-memory.dmpFilesize
512KB
-
memory/2236-8-0x0000000002810000-0x0000000002818000-memory.dmpFilesize
32KB
-
memory/2424-27-0x00000000011F0000-0x0000000001270000-memory.dmpFilesize
512KB
-
memory/2424-30-0x00000000011F0000-0x0000000001270000-memory.dmpFilesize
512KB
-
memory/2424-1-0x00000000012A0000-0x00000000012B0000-memory.dmpFilesize
64KB
-
memory/2424-0-0x000007FEF5893000-0x000007FEF5894000-memory.dmpFilesize
4KB
-
memory/2424-28-0x0000000001290000-0x000000000129C000-memory.dmpFilesize
48KB
-
memory/2424-29-0x000007FEF5893000-0x000007FEF5894000-memory.dmpFilesize
4KB
-
memory/3024-15-0x0000000001E70000-0x0000000001E78000-memory.dmpFilesize
32KB
-
memory/3024-14-0x000000001B4E0000-0x000000001B7C2000-memory.dmpFilesize
2.9MB