Overview

overview

10

Static

static

10

Krayton-Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/08/2023, 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Krayton-Setup.exe

  • Size

    15.0MB

  • MD5

    8d9825b5c71ce9c61eab9a9c9966670d

  • SHA1

    38b676fd58e571453ef38f0e40c577b9943a4a50

  • SHA256

    629e31cfbe2598295daec354e9085dbe9f55fd0cd58b9305f0196560d51ccd9f

  • SHA512

    8c095cbae4fe0aebfbd21c076aedf0f057967e1d6f56dbb2f29d4dbaf194867a51256778fb87e3320f41f3bf65454e930c134579d2014e4838d4368b3aa6a178

  • SSDEEP

    3072:yjWwFFUmuzIBSIObVJPROhW+BzDjWwFFUmuzIBSIObVJPROhW+Bz:y3+musBdObvoX3+musBdObvo

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

192.168.48.132:7000

Attributes
  • install_file

    UserConfig.exe

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Krayton-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Krayton-Setup.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Krayton-Setup" /tr "C:\Users\Admin\AppData\Roaming\Krayton-Setup.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4784
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\system32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:316
  • C:\Users\Admin\AppData\Roaming\Krayton-Setup.exe
    C:\Users\Admin\AppData\Roaming\Krayton-Setup.exe
    1⤵
    • Executes dropped EXE
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Krayton-Setup.exe
    Filesize

    15.0MB

    MD5

    8d9825b5c71ce9c61eab9a9c9966670d

    SHA1

    38b676fd58e571453ef38f0e40c577b9943a4a50

    SHA256

    629e31cfbe2598295daec354e9085dbe9f55fd0cd58b9305f0196560d51ccd9f

    SHA512

    8c095cbae4fe0aebfbd21c076aedf0f057967e1d6f56dbb2f29d4dbaf194867a51256778fb87e3320f41f3bf65454e930c134579d2014e4838d4368b3aa6a178

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Krayton-Setup.exe
    Filesize

    2.9MB

    MD5

    6047751e3544ab6ec41c1cb3ad815d57

    SHA1

    f6f0dbab7e050f2fa425d6fc736a4004a9349307

    SHA256

    ad2f9c5081cf4faa9cd842c6e79a9c730504c87589230eaf048ae4df50d74424

    SHA512

    35ba0f45ea406be97f65697b71539285a75839a53e3b3eadadf46460f7e892fab23140825b8820cd969bfafab5313f2e961d5a6f5b902fbc6cfb9894402e3b11

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Krayton-Setup.exe
    Filesize

    2.7MB

    MD5

    822d469d5ec3154b443865427fb5ecaf

    SHA1

    e67fc7f020e547bac686735b7b9be794b5b8b8d1

    SHA256

    27e90bf74440c9a41bbb6260e15fd3f105a9875287c3fa694499f2a3e17b4619

    SHA512

    f4ac223af7128beb4422a91a4ef0af57c53b0b389eccbf140cda21e3a50d712b4e4bc0c5d44fb8eeb0454569c35c7c737df5d804a14eb78b71e988fa2437d49e

    Download Submit

  • memory/2840-162-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3716-133-0x0000000000D20000-0x0000000000D38000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3716-134-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3716-143-0x0000000001600000-0x0000000001610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3716-147-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3716-150-0x0000000001600000-0x0000000001610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3716-158-0x0000000001600000-0x0000000001610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3716-159-0x0000000001600000-0x0000000001610000-memory.dmp

    Filesize

    64KB

    Download