Overview

overview

10

Static

static

10

693bbd8e6b...b6.exe

windows7-x64

10

693bbd8e6b...b6.exe

windows10-2004-x64

10

Resubmissions

16/05/2023, 08:02

230516-jw5srabh55 10

16/05/2023, 07:55

230516-jshttaad4s 10

Analysis

  • max time kernel
    283s
  • max time network
    302s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/05/2023, 07:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6.exe

  • Size

    35KB

  • MD5

    2cb6d3f3cbe226c62608f0ed56087a0d

  • SHA1

    2bde7e70f1043d83988c90b0dae045c3326e4a41

  • SHA256

    693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6

  • SHA512

    cd574c096f1b05046e83aa65e85120b4b390fdf90e7aeb11c3e3de0406bf77afbbf2140bc47f6a1e41ffda1b424e76632971126734dc67a27ac59e0747c79917

  • SSDEEP

    384:jNg8ssvG79ki23FNxPLenxM9+OTTwNfbXmXzvsVgtFMA4P6NLTBZw/RZIvK9IkEX:emW98enxM9twMNFWP39gazOMh99QoU

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

tienichxanh.vinaddns.com:7000

Mutex

Ajv3D1sSpOst7unB

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6.exe
    "C:\Users\Admin\AppData\Local\Temp\693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3032
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1312
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4052

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6.exe
            Filesize

            35KB

            MD5

            2cb6d3f3cbe226c62608f0ed56087a0d

            SHA1

            2bde7e70f1043d83988c90b0dae045c3326e4a41

            SHA256

            693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6

            SHA512

            cd574c096f1b05046e83aa65e85120b4b390fdf90e7aeb11c3e3de0406bf77afbbf2140bc47f6a1e41ffda1b424e76632971126734dc67a27ac59e0747c79917

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\693bbd8e6b779770cf39730d0d8ecaf4ba18f2669f65b77bf1dcb1f658b853b6.lnk
            Filesize

            1KB

            MD5

            9970966fa050a147d6c642b58c346f29

            SHA1

            c378684f17c343ccf328e8494581412d918e251d

            SHA256

            1bc4b489e6bdef8e39a6dcba4999e26813543a8d384df128bb0361ae2b8a6878

            SHA512

            4f9d134f97a8bc0667fef0f92edcc21dfc77a3fcdc5d8377024512be9fec10c1e5bd835b0e1a83e4c0fc5b6df2eb891c36956aab11806db6e6077547fdc74fd9

            Download Submit

          • memory/3032-133-0x00000000002D0000-0x00000000002E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3032-138-0x000000001AE20000-0x000000001AE30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3032-139-0x000000001AE20000-0x000000001AE30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4052-150-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-146-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-151-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-152-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-153-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-154-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-155-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-156-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-145-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4052-144-0x00000198C6B40000-0x00000198C6B41000-memory.dmp

            Filesize

            4KB

            Download