Overview

overview

10

Static

static

10

LbsClient.exe

windows7-x64

10

LbsClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1209s
  • max time network
    1213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LbsClient.exe

  • Size

    63KB

  • MD5

    762f2fc17465058d27010124bb425202

  • SHA1

    1b6b701c9c09128886e4676c4f1e534c7db39ad9

  • SHA256

    ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666

  • SHA512

    329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932

  • SSDEEP

    768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

ways-examining.at.ply.gg:18120

Attributes
  • install_file

    USB.exe

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LbsClient.exe
    "C:\Users\Admin\AppData\Local\Temp\LbsClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp20B2.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4376

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp20B2.tmp.bat
    Filesize

    161B

    MD5

    aa54a80dc5231cac40f1c82ca5973604

    SHA1

    747c3f48663ef9b111f443005c5ae9ef0f863c1c

    SHA256

    bb194902155f74b385f48c47b3f75b27d55aef2f8c633c4eb249b1ff4f72b973

    SHA512

    870729b3620f9a98f73b7de8205ef46af669fa67af90d82c77928091fc06ba0429edf02df135b4a21e2432440e37c5e3decba02c52a10fdfe449f67b32cd514c

    Download Submit

  • memory/4680-133-0x0000000000500000-0x0000000000516000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4680-134-0x000000001C7C0000-0x000000001C7D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-141-0x000000001C7C0000-0x000000001C7D0000-memory.dmp

    Filesize

    64KB

    Download