Overview

overview

10

Static

static

10

LbsClient.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    404s
  • max time network
    1607s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-03-2023 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LbsClient.exe

  • Size

    63KB

  • MD5

    762f2fc17465058d27010124bb425202

  • SHA1

    1b6b701c9c09128886e4676c4f1e534c7db39ad9

  • SHA256

    ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666

  • SHA512

    329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932

  • SSDEEP

    768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us

Score
10/10
xwormpersistencerattrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LbsClient.exe
    "C:\Users\Admin\AppData\Local\Temp\LbsClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\netsh.exe
        netsh wlan show profiles
        3⤵
          PID:1348
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7963.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3856
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:4688

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7963.tmp.bat
      Filesize

      161B

      MD5

      397e8be23791621e5e3640c78d7f19e5

      SHA1

      32e8e5ca3cdef28cc5221e24791aed8c4c3c92af

      SHA256

      ec8c9b223367a64d462b28e6b710f1ae05407ea12711b161d011e9937e449685

      SHA512

      7a1fad29dc83d6742f479057e1d67aefd8c14cc674a2947b56cd0e28f95fb647e2e25dafe7e67e7d28f09ff8e808b00b0cb7c66a642b02f459525207917048e1

      Download Submit

    • memory/2516-121-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2516-122-0x000000001BA40000-0x000000001BA50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-126-0x000000001BA40000-0x000000001BA50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-127-0x0000000002F80000-0x0000000002F8C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2516-129-0x0000000001390000-0x0000000001412000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2516-130-0x0000000001350000-0x000000000135A000-memory.dmp

      Filesize

      40KB

      Download