Overview

overview

10

Static

static

10

c4067d9656...d0.exe

windows7-x64

10

c4067d9656...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-02-2023 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4067d965604f4f37a63f298b22cc4d0.exe

  • Size

    157KB

  • MD5

    c4067d965604f4f37a63f298b22cc4d0

  • SHA1

    325b70cdf286d63934fe34f51dd6da3a8b672081

  • SHA256

    6f2e22d541680c151da164b02f916a3d72da0517b2f052f7356d05e8b374690b

  • SHA512

    dd7f7c06e2d28c84f901dbe1ee55963342ec60b08fac54e404185b70b0ef10090df797ca72e9adc42d3ba9ed32aa71f344e3f277529c92f43fc82603a5a8e12e

  • SSDEEP

    1536:tTP0/lt9ZWAUpysZbALBYoz6M9OvW/CdEB:tTs/lt9rUpysZbAL62OvzdEB

Score
10/10
xwormpersistencerattrojan

Malware Config

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4067d965604f4f37a63f298b22cc4d0.exe
    "C:\Users\Admin\AppData\Local\Temp\c4067d965604f4f37a63f298b22cc4d0.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c4067d965604f4f37a63f298b22cc4d0.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c4067d965604f4f37a63f298b22cc4d0.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\c4067d965604f4f37a63f298b22cc4d0.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "c4067d965604f4f37a63f298b22cc4d0" /tr "C:\Users\Admin\AppData\Roaming\c4067d965604f4f37a63f298b22cc4d0.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1052
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {537F8A49-791D-4B3C-BB2C-2213D26730E2} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
    1⤵
      PID:1928

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      fedf102969de6012d0a579f1f5e266f9

      SHA1

      782d75ea4995289386c7a031161b9d845a0393ca

      SHA256

      1deab7ebbe65bb290758d2682f7493cdfd9f16d96d1099c6332da582f8531831

      SHA512

      8f288a60219d51682d57612d9d61c825cdb6f2d855b888df4d8d5a928fe670931519137067ecf64ba35f4ad428bf63a30e7165e887f7378610571ecf7a63bc93

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      fedf102969de6012d0a579f1f5e266f9

      SHA1

      782d75ea4995289386c7a031161b9d845a0393ca

      SHA256

      1deab7ebbe65bb290758d2682f7493cdfd9f16d96d1099c6332da582f8531831

      SHA512

      8f288a60219d51682d57612d9d61c825cdb6f2d855b888df4d8d5a928fe670931519137067ecf64ba35f4ad428bf63a30e7165e887f7378610571ecf7a63bc93

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D755IZ9DVY92GGWOSMP8.temp
      Filesize

      7KB

      MD5

      fedf102969de6012d0a579f1f5e266f9

      SHA1

      782d75ea4995289386c7a031161b9d845a0393ca

      SHA256

      1deab7ebbe65bb290758d2682f7493cdfd9f16d96d1099c6332da582f8531831

      SHA512

      8f288a60219d51682d57612d9d61c825cdb6f2d855b888df4d8d5a928fe670931519137067ecf64ba35f4ad428bf63a30e7165e887f7378610571ecf7a63bc93

      Download Submit
    • memory/268-73-0x0000000002A3B000-0x0000000002A72000-memory.dmp
      Filesize

      220KB

      Download
    • memory/268-70-0x000000001B390000-0x000000001B672000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/268-72-0x0000000002A34000-0x0000000002A37000-memory.dmp
      Filesize

      12KB

      Download
    • memory/268-71-0x0000000001F10000-0x0000000001F18000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1016-80-0x000000000297B000-0x00000000029B2000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1016-79-0x0000000002974000-0x0000000002977000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1156-61-0x0000000002AE0000-0x0000000002B60000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1156-60-0x0000000001E50000-0x0000000001E58000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1156-62-0x0000000002AE0000-0x0000000002B60000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1156-59-0x000000001B230000-0x000000001B512000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1156-64-0x0000000002AE0000-0x0000000002B60000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1156-63-0x0000000002AE0000-0x0000000002B60000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1408-54-0x00000000003B0000-0x00000000003DC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1408-84-0x0000000001F50000-0x0000000001FD0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1408-85-0x0000000001F50000-0x0000000001FD0000-memory.dmp
      Filesize

      512KB

      Download