Overview

overview

10

Static

static

10

7f8e216231...48.exe

windows7-x64

10

7f8e216231...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2023 14:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe

  • Size

    38KB

  • MD5

    1077d2817de834e79983fa8bb6dde71e

  • SHA1

    f251d74238b838ce1605b889d80327a1e47e9a40

  • SHA256

    7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448

  • SHA512

    3132c7690ddc33e6c8b7d9533f7b8500bfce540eeee61db706dcc4847d7dcf7634206fd8f04c437706e9412bb09c7706b016b8633c17661f322475046e5d1bba

  • SSDEEP

    768:z5B93liEMuoOzHEgSSxCa7wFWPh9Vi67Owhk9Fxkku:z5BM+NSda0FK9Vi67Owq72

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

kids-abstract.at.ply.gg:26193

Mutex

Q0PQt1zJ8DDIXdji

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe
    "C:\Users\Admin\AppData\Local\Temp\7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448" /tr "C:\Users\Admin\AppData\Local\7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1032
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E1359412-50F1-4BDC-BE98-8A5B351381CA} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
    1⤵
      PID:1448

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e76762000134b4cad466ed611c3f976b

      SHA1

      229e2d07938caa38f3308c390af9c52ed0e23105

      SHA256

      12f0b8533166f78b6748bd7c6e3262aae10ad4cdfeb4aacb255fa0c77362ed81

      SHA512

      cc5424dda2e0f2b7c6e594b7da3d4405ab4185108b471c875f06af912cf6d6a8c5b3e0dcfb6b8b2c04571d33b528dbb5761ac98141c2022f0c91364c4c6435cb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e76762000134b4cad466ed611c3f976b

      SHA1

      229e2d07938caa38f3308c390af9c52ed0e23105

      SHA256

      12f0b8533166f78b6748bd7c6e3262aae10ad4cdfeb4aacb255fa0c77362ed81

      SHA512

      cc5424dda2e0f2b7c6e594b7da3d4405ab4185108b471c875f06af912cf6d6a8c5b3e0dcfb6b8b2c04571d33b528dbb5761ac98141c2022f0c91364c4c6435cb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V70SRKUWKT83K5POCKNP.temp
      Filesize

      7KB

      MD5

      e76762000134b4cad466ed611c3f976b

      SHA1

      229e2d07938caa38f3308c390af9c52ed0e23105

      SHA256

      12f0b8533166f78b6748bd7c6e3262aae10ad4cdfeb4aacb255fa0c77362ed81

      SHA512

      cc5424dda2e0f2b7c6e594b7da3d4405ab4185108b471c875f06af912cf6d6a8c5b3e0dcfb6b8b2c04571d33b528dbb5761ac98141c2022f0c91364c4c6435cb

      Download Submit
    • memory/516-79-0x00000000028F4000-0x00000000028F7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/516-80-0x00000000028FB000-0x0000000002932000-memory.dmp
      Filesize

      220KB

      Download
    • memory/516-78-0x00000000028F0000-0x0000000002970000-memory.dmp
      Filesize

      512KB

      Download
    • memory/516-77-0x00000000028F0000-0x0000000002970000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1212-69-0x0000000002230000-0x0000000002238000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1212-71-0x000000000284B000-0x0000000002882000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1212-70-0x0000000002844000-0x0000000002847000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1212-68-0x000000001B2C0000-0x000000001B5A2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1980-61-0x0000000002734000-0x0000000002737000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1980-62-0x000000000273B000-0x0000000002772000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1980-60-0x0000000001EB0000-0x0000000001EB8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1980-59-0x000000001B240000-0x000000001B522000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2004-54-0x0000000000D90000-0x0000000000DA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2004-84-0x000000001B270000-0x000000001B2F0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2004-85-0x000000001B270000-0x000000001B2F0000-memory.dmp
      Filesize

      512KB

      Download