Analysis
-
max time kernel
133s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-04-2024 06:12
General
-
Target
Vbucks-gen.exe
-
Size
229KB
-
MD5
6b8f6f416051d2947c802eeb3710077b
-
SHA1
02f986ff007d5867d1d638f72c61e7231c0374d2
-
SHA256
05026b12b16aa7ffb8aa35c47e1d967b17459eb313f443dfaffd528842df5ba2
-
SHA512
0ea970a737ca8d49af5d1008eb254027d939aea1d98af5b8bdae2b092279c2420b1c52f49becda0f23f955e02fbf33c4a78af74935cf94743f553bad6db64480
-
SSDEEP
3072:y85g8Zl3CCzlgJQmzcAkWENrrlKVAvYkzQfQj7oIhGwubdjdhO9dRgeX77fizS:jpZlSIWpqnloO9oqgbLsAeX3az
Score
10/10
Malware Config
Extracted
Family
xworm
C2
192.168.0.197:9999
Mutex
7u0t4YhJyvkbGmU0
Attributes
-
install_file
USB.exe
aes.plain
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vbucks-gen.exe"C:\Users\Admin\AppData\Local\Temp\Vbucks-gen.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2584-0-0x0000000000080000-0x00000000000BE000-memory.dmpFilesize
248KB
-
memory/2584-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmpFilesize
9.9MB
-
memory/2584-2-0x000000001AFD0000-0x000000001B050000-memory.dmpFilesize
512KB
-
memory/2584-5-0x000007FEF5C20000-0x000007FEF660C000-memory.dmpFilesize
9.9MB
-
memory/2584-6-0x000000001AFD0000-0x000000001B050000-memory.dmpFilesize
512KB