Overview

overview

10

Static

static

GxMBK.exe

windows7-x64

10

GxMBK.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    31-01-2023 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GxMBK.exe

  • Size

    1.6MB

  • MD5

    049b7a8f84d8c8e7932bfc6e97362c30

  • SHA1

    f3d85b5214062a92ecacd0a65e02593e44ab188a

  • SHA256

    2716cfd0d3479d42e903bd0c835b91fd5918a02fb63bdc1b52f73921bf4b307a

  • SHA512

    eb0c58f723a9c6a2d3d29b10f89538845cfbdaa2d4579de4238a0753050154dacc7832cc20f858b757fd6a2e491b5f775262f670309b7691437910c59a106924

  • SSDEEP

    24576:bYO8wJFOtz7uuqEP+1MoIpgpgi2esTTPfQHSvMYdihbjct3sP8ZS3pdWMhLaw:koqAI4sTTP4smZ58wl

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Mutex

TU53fgvTBLouBDSy

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GxMBK.exe
    "C:\Users\Admin\AppData\Local\Temp\GxMBK.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1VLOML3M.txt
    Filesize

    604B

    MD5

    29a278a050def85ef3f2f9e16581e8b5

    SHA1

    6d5acf02a9b25951dac25273e734c5ac4edf558e

    SHA256

    8c2077f840485434e905af03d8c9380c48e283561e1c2a7968f25ef71ceea4bd

    SHA512

    feeef1971a0f6fb6669b5965657d2bfaf5de631aadfdc60c67a15aee5d98fd1151622a090f0bbd4f738008cf6946a32f028b116db5b7f85c328d9f68f96f5a19

    Download Submit
  • memory/1240-57-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1240-58-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1240-60-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1240-61-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1240-63-0x000000000040BFCE-mapping.dmp
    Download
  • memory/1240-62-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1240-65-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1240-67-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1652-54-0x0000000001310000-0x00000000014A8000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1652-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1652-56-0x0000000005630000-0x000000000576C000-memory.dmp
    Filesize

    1.2MB

    Download