Overview

overview

10

Static

static

10

Sex Xe.exe

windows7-x64

10

Sex Xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2023, 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sex Xe.exe

  • Size

    55KB

  • MD5

    3d30c7a81d8bf18a73cffacc846c8863

  • SHA1

    fba65301d47756544428f83bcf24ed57fa431e85

  • SHA256

    a398da321b19f80661444ebc2a9e4d59e3270975787dc015e987237867e8f1d8

  • SHA512

    82b2d38e5681415f90b270db5809abe5c571db52d4f1706f0a03adf07fa5417b4611f33413fe57eb077a8f2e363e61d211ecc6c54f4962de3a3b27dbbcba7196

  • SSDEEP

    768:9lLFUqECU5IigSwoyg0tNFgmXx2/bQ1GKnZzbWaGwbV0ea0jdeyjTO9hObEEw:HLg5PwVX60GazbWPwbV0ewyjTO9UY

Score
10/10
xwormevasionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

bush-gain.at.ply.gg:43233

Attributes
  • install_file

    USB.exe

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sex Xe.exe
    "C:\Users\Admin\AppData\Local\Temp\Sex Xe.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:4672
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.0.294846275\437238697" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1780 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cdee786-44be-4e81-ba36-5ca22966ec3e} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 1900 1c583aa5e58 gpu
        3⤵
          PID:3172
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.1.447744268\1973392853" -parentBuildID 20221007134813 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {216aa1d7-c2c6-4cdd-a3e3-eeabdd9334d1} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 2304 1c583f58858 socket
          3⤵
          • Checks processor information in registry
          PID:1204
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.2.767916245\485433700" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 3032 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9718c7b-d5d3-4148-a88f-bbbcd6dbd7f3} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 3172 1c586108a58 tab
          3⤵
            PID:1740
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.3.1478856325\788447122" -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66cbe4b4-cd74-4a40-a62f-2fe4113a9d40} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 3804 1c587297d58 tab
            3⤵
              PID:4884
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.4.725769221\254202961" -childID 3 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b037d0cc-03db-4a9b-be02-daa7d5da08f0} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 3968 1c58774db58 tab
              3⤵
                PID:4348
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.7.1212984136\1391980847" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adbba3ee-f4c8-41e3-b589-fc5203653e87} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 5124 1c588dccd58 tab
                3⤵
                  PID:388
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.6.917240001\1584671497" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5152 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d1863f0-97f5-4636-8106-7419436f7d5c} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 5140 1c588dcc758 tab
                  3⤵
                    PID:4192
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2672.5.1349932375\1754497273" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4972 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e31af4c6-1bc3-45f6-9807-dab0ba4357ad} 2672 "\\.\pipe\gecko-crash-server-pipe.2672" 5004 1c58687e558 tab
                    3⤵
                      PID:4660
                • C:\Windows\system32\taskmgr.exe
                  "C:\Windows\system32\taskmgr.exe" /7
                  1⤵
                    PID:2356

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    151KB

                    MD5

                    cc7eaf2b8772cdab985a4ccc73c73a83

                    SHA1

                    f3f49154c7b34b057376b237d12e646783732564

                    SHA256

                    c7ad541db15a6898afed889ef78b9e2c47111fd4c85268357d1ae1691a4648cc

                    SHA512

                    9978fa41558a598e57f6b2baa8981c8278423fdf5b9ca0a364fe5fa6cf5173a68e7df259785f782245c8f4966db2db49d2a6e4b625356a5b37c92b300eddca51

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    897c0ee08a7b9e0696cb455bbb7334bf

                    SHA1

                    c7a6cfecab97460251bf23bcc1488c397de0365b

                    SHA256

                    4c11e9729afd846e0070f11a416e567749ef790fa2df7d8c43665eac6a88e112

                    SHA512

                    a3692e6496cef36cf1853de8b010a157b0c5f09bdf22ab93a3a586be2d0cdf62ed332390aa7b275d60bab7b3069ccae66e47c4ffb0c64b7b03137cd77181e880

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    02a57d6e7de34d79f0ba13d66545d545

                    SHA1

                    4246ba59df8ed953592071eaf0f01133f2f4dbd1

                    SHA256

                    5e92fdf0214d9ef3f8e31cb21b7e0f6dc9867a51fabaab9f950f7b45f57c46c4

                    SHA512

                    527459406f96c4b50ec7a29307f86edf8423e1483f81b52cd74a825a2d846919c47203c5bf80a8ed583f4ef9ad7589bed73de133fdddd0f012a58835afb44656

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    5478cb84c1079fae2a4cecfeb510fd79

                    SHA1

                    ac9215531199d1451810030d17b4acb5b74c9113

                    SHA256

                    3d47e4e0972f8519d1214da339913e33183e16c9c0a6d57815fa14d60ffcadd1

                    SHA512

                    7575557359b7bac3f38760fa8dd9d173754d38e45d0a27eb427dd99b99cebf5b21e99ae80bf148754b9993f05e0b20e70a788f8af36f7287e57a66c6f7c6e501

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    a6d33d360c573f55fdff9abcc2674bb9

                    SHA1

                    cfd22d058b65cb46f6698ee758f38bc880219a70

                    SHA256

                    644b6300a98c9647887f5ce14a94ab6c243cb1853cec2d1ecb53563260cf2c67

                    SHA512

                    4d8dae25580a346af8eadba7d509e67f6dd9849e989d0565a6e713dd77d329855143c58fa6846720a908bdde7293a2f3c7ef56e4e3180ef83ac686c82587e46d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\sessionstore.jsonlz4
                    Filesize

                    894B

                    MD5

                    0ccc1d24ccfe0462fd24157e3ce13985

                    SHA1

                    85307cd6c78a3c4918698f74596e5bd8c60322aa

                    SHA256

                    ec00c1ecf0886d23a1495325ef67a1805aa28462b8dd20821de20d80927b4261

                    SHA512

                    69f3ddf5bd621e8dc16577082ad06d8cd67e61a253e75d72e6a82e8f1fcc0705f06efb042b7bccbb1c8dbcf67b28f0b73f587cfb36c3783ebf0e5185f1cf73d2

                    Download Submit

                  • memory/4672-133-0x0000000000D80000-0x0000000000D92000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/4672-140-0x000000001B950000-0x000000001B960000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4672-141-0x000000001B950000-0x000000001B960000-memory.dmp

                    Filesize

                    64KB

                    Download