Analysis
  max time kernel:  1799s
  max time network: 1796s
  platform:         windows10-1703_x64
  resource:         win10-20240404-en
  resource tags:    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted:        01-07-2024 11:46
Behavioral tasks
  task         | sample | resource
  behavioral1  | sv.exe | win10v2004-20240508-en
  behavioral2  | sv.exe | win7-20240611-en
  behavioral3  | sv.exe | win10-20240404-en
  behavioral4  | sv.exe | win10v2004-20240226-en
  behavioral5  | sv.exe | win11-20240508-en
General
  Target: sv.exe
  Size:   63KB
  MD5:    c095a62b525e62244cad230e696028cf
  SHA1:   67232c186d3efe248b540f1f2fe3382770b5074a
  SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
  SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
  SSDEEP: 1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
  Extracted family: xworm
  C2:                amount-acceptance.gl.at.ply.gg:7420
  Install_directory: %ProgramData%
  install_file:      svhost.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral3/memory/3936-0-0x0000000000C90000-0x0000000000CA6000-memory.dmp | family_xworm
  C:\ProgramData\svhost.exe | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid  | process
  1612 | powershell.exe
  952  | powershell.exe
  2320 | powershell.exe
  2716 | powershell.exe

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | sv.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | sv.exe

Executes dropped EXE (30 IoCs)
  process: svhost.exe (30 executions)
  pids: 2228, 2164, 2344, 4992, 1536, 652, 4512, 2080, 4164, 4956, 3956, 3948, 652, 3932, 2444, 1920, 4208, 3176, 2776, 2068, 680, 4344, 4028, 1016, 2112, 4680, 1648, 1460, 4864, 4488

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" | sv.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  | process
  2320 | powershell.exe (listed 3 times)
  2716 | powershell.exe (listed 3 times)
  1612 | powershell.exe (listed 3 times)
  952  | powershell.exe (listed 3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  | process
  3936 | sv.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description (Token:) | pid | process
  SeDebugPrivilege | 3936 | sv.exe
  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 2320 | powershell.exe
  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 2716 | powershell.exe
  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 | 1612 | powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 3936 wrote to memory of 2320 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 2320 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 2716 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 2716 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 1612 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 1612 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 952 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 952 | 3936 | sv.exe | powershell.exe
  PID 3936 wrote to memory of 4568 | 3936 | sv.exe | schtasks.exe
  PID 3936 wrote to memory of 4568 | 3936 | sv.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\sv.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sv.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

  [level 2] C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
    - Scheduled Task/Job: Scheduled Task

[level 1] C:\ProgramData\svhost.exe (30 separate executions, each with the same command line and signature)
  command line: C:\ProgramData\svhost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\ProgramData\svhost.exe
  Filesize: 63KB
  MD5:      c095a62b525e62244cad230e696028cf
  SHA1:     67232c186d3efe248b540f1f2fe3382770b5074a
  SHA256:   a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
  SHA512:   5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5:      ad5cd538ca58cb28ede39c108acb5785
  SHA1:     1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256:   c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512:   c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
  Filesize: 654B
  MD5:      16c5fce5f7230eea11598ec11ed42862
  SHA1:     75392d4824706090f5e8907eee1059349c927600
  SHA256:   87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512:   153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:      b71789d087829439aca1df8f283d3071
  SHA1:     7e533f0fd80f301d38f0996f022dc6c2b47f87c3
  SHA256:   642e7829ede31c9547b6c3c7afcfbcd3af6764807ee48be29a065462ecdab510
  SHA512:   4ae908bda256285f99dc554e6b28e4797299e19b6ddcde8e8e57ecb9d01a11454cdec331725b6f82ce09c135342d337a9556ce0c41e4bfa7a43c1c9e8af463f7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:      70567807c59c442fdaee30be7c3cf590
  SHA1:     20a60d2561362a3ede7ef1070d9249a16f30b276
  SHA256:   f359100508880a92633d36cdb69b8a3044e0eaf5f15433b5edc9f3717520c514
  SHA512:   8f90aa172d6adcc2e911b00ee4b8c38ae39da31143917f724f8163a40a6f2eb8e56fe76413b7a5598b0b9174d321b9ae93365f2ccf69d07d9f4ef28f2f97213f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:      8e68d0b1881b9084b62529aacdfda63b
  SHA1:     6e94ca42a8c817aa94b6f204212bde71b71927b6
  SHA256:   0876f27a62ea7970aadd4f3468bfe3f3c8823b557ec940dfd4aebb3ff434de02
  SHA512:   6c7e1198f1e27815c5c90bf10c2f93f3ff20d96e1054d55b1b8835c260db0173f388430dbe4b35dca918be575f58226506b1d3e53142b87a8c18f9723dc0612a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhzgcnfq.jot.ps1
  Filesize: 1B
  MD5:      c4ca4238a0b923820dcc509a6f75849b
  SHA1:     356a192b7913b04c54574d18c28d46e6395428ab
  SHA256:   6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512:   4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Memory dumps
  dump | Filesize
  memory/2320-10-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/2320-41-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/2320-51-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/2320-52-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/2320-12-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/2320-11-0x00000291C22E0000-0x00000291C2356000-memory.dmp | 472KB
  memory/2320-7-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/2320-6-0x00000291C1FC0000-0x00000291C1FE2000-memory.dmp | 136KB
  memory/3936-0-0x0000000000C90000-0x0000000000CA6000-memory.dmp | 88KB
  memory/3936-187-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/3936-188-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp | 9.9MB
  memory/3936-1-0x00007FFFEE743000-0x00007FFFEE744000-memory.dmp | 4KB