Overview

overview

8

Static

static

3

XBinderOutput.exe

windows7-x64

7

XBinderOutput.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    219s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2023, 06:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutput.exe

  • Size

    96KB

  • MD5

    7e4158cae0e8d0beea7ab56aa44b56e2

  • SHA1

    05783faa988917492d79b74df37a884835666d82

  • SHA256

    cdcbd07924b2df1b04ecc1e1a4cbcfb4e2c8cebcaae6747c11595f20e3853d6d

  • SHA512

    20d5451cb1769b15e275573f26df750cf01e91bf5b136f53afc71c8317e340aef0ecc489a421363954af33e3ecf070106d84763f4fda76cc5bf797b35f4ec5eb

  • SSDEEP

    1536:jnZRaeLRvt3SQftFiil6aagoyqF1ZKiGavLUzTvJcmdPKxh9x:jnZR7LNtzniuLaLzoiGavQvamdE9x

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
      "C:\Users\Admin\AppData\Local\TrustedInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TrustedInstaller" /tr "C:\Users\Admin\AppData\Local\TrustedInstaller.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3148
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /IM explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:416
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1036
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1036 -s 6180
          4⤵
          • Program crash
          PID:5092
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC97A.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4452
  • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
    C:\Users\Admin\AppData\Local\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1116
  • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
    C:\Users\Admin\AppData\Local\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2688
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508 0x4e4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3276
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:4852
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 460 -p 1036 -ip 1036
      1⤵
        PID:1936
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:2812
        • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
          C:\Users\Admin\AppData\Local\TrustedInstaller.exe
          1⤵
            PID:2700

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TrustedInstaller.exe.log
                  Filesize

                  654B

                  MD5

                  2ff39f6c7249774be85fd60a8f9a245e

                  SHA1

                  684ff36b31aedc1e587c8496c02722c6698c1c4e

                  SHA256

                  e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                  SHA512

                  1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpC97A.tmp.bat
                  Filesize

                  165B

                  MD5

                  d6008e9d8f54f60025c8c671073f9851

                  SHA1

                  742a2876fc1654a3853646007f1ff3d29c0296fd

                  SHA256

                  ffb6e8dea7c7fc68339d724a660297ef756c204970416383310e4cc337464ae2

                  SHA512

                  ac3c6eb290aa1a5a0a5e8070a91c157bff5cacbcd186bbe0e4fc35e209c4ddd57a1dfc057dc84652dba9f7010b0aa2ee4ba346d27721b94aa467f29170b3065f

                  Download Submit

                • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
                  Filesize

                  123KB

                  MD5

                  ac0d478d1d11cbcd882b2d226c0a57c4

                  SHA1

                  4c5bde0ce2aabfacd7657638bd8a91181290067f

                  SHA256

                  fe6bd197f488ab1b5287c220299f3361e13209dff32a394c826ed41c86e4d197

                  SHA512

                  ac80c64ac006b349699b050a918b8f6a935c680054ff2058e8ed94f00ece7f5cc4514737e8cf01101c1d20eb8fee3433975e4c89f7e8e8833dc7c67bcf5c1b64

                  Download Submit

                • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
                  Filesize

                  123KB

                  MD5

                  ac0d478d1d11cbcd882b2d226c0a57c4

                  SHA1

                  4c5bde0ce2aabfacd7657638bd8a91181290067f

                  SHA256

                  fe6bd197f488ab1b5287c220299f3361e13209dff32a394c826ed41c86e4d197

                  SHA512

                  ac80c64ac006b349699b050a918b8f6a935c680054ff2058e8ed94f00ece7f5cc4514737e8cf01101c1d20eb8fee3433975e4c89f7e8e8833dc7c67bcf5c1b64

                  Download Submit

                • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
                  Filesize

                  123KB

                  MD5

                  ac0d478d1d11cbcd882b2d226c0a57c4

                  SHA1

                  4c5bde0ce2aabfacd7657638bd8a91181290067f

                  SHA256

                  fe6bd197f488ab1b5287c220299f3361e13209dff32a394c826ed41c86e4d197

                  SHA512

                  ac80c64ac006b349699b050a918b8f6a935c680054ff2058e8ed94f00ece7f5cc4514737e8cf01101c1d20eb8fee3433975e4c89f7e8e8833dc7c67bcf5c1b64

                  Download Submit

                • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
                  Filesize

                  123KB

                  MD5

                  ac0d478d1d11cbcd882b2d226c0a57c4

                  SHA1

                  4c5bde0ce2aabfacd7657638bd8a91181290067f

                  SHA256

                  fe6bd197f488ab1b5287c220299f3361e13209dff32a394c826ed41c86e4d197

                  SHA512

                  ac80c64ac006b349699b050a918b8f6a935c680054ff2058e8ed94f00ece7f5cc4514737e8cf01101c1d20eb8fee3433975e4c89f7e8e8833dc7c67bcf5c1b64

                  Download Submit

                • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
                  Filesize

                  123KB

                  MD5

                  ac0d478d1d11cbcd882b2d226c0a57c4

                  SHA1

                  4c5bde0ce2aabfacd7657638bd8a91181290067f

                  SHA256

                  fe6bd197f488ab1b5287c220299f3361e13209dff32a394c826ed41c86e4d197

                  SHA512

                  ac80c64ac006b349699b050a918b8f6a935c680054ff2058e8ed94f00ece7f5cc4514737e8cf01101c1d20eb8fee3433975e4c89f7e8e8833dc7c67bcf5c1b64

                  Download Submit

                • C:\Users\Admin\AppData\Local\TrustedInstaller.exe
                  Filesize

                  123KB

                  MD5

                  ac0d478d1d11cbcd882b2d226c0a57c4

                  SHA1

                  4c5bde0ce2aabfacd7657638bd8a91181290067f

                  SHA256

                  fe6bd197f488ab1b5287c220299f3361e13209dff32a394c826ed41c86e4d197

                  SHA512

                  ac80c64ac006b349699b050a918b8f6a935c680054ff2058e8ed94f00ece7f5cc4514737e8cf01101c1d20eb8fee3433975e4c89f7e8e8833dc7c67bcf5c1b64

                  Download Submit

                • C:\Users\Admin\AppData\Local\tmp.000.bin
                  Filesize

                  4B

                  MD5

                  3d801aa532c1cec3ee82d87a99fdf63f

                  SHA1

                  d969831eb8a99cff8c02e681f43289e5d3d69664

                  SHA256

                  a6864eb339b0e1f6e00d75293a8840abf069a2c0fe82e6e53af6ac099793c1d5

                  SHA512

                  777c534fd04b2cc000819eaf0a63bfa135a62b42777ea4650c2743ca297b3ac6d33c001c664485c7cb3cd3a08475cd80c434be670c01f16d61218f7f9fe0bde5

                  Download Submit

                • memory/1116-178-0x00007FFC2A8C0000-0x00007FFC2B381000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1116-176-0x00007FFC2A8C0000-0x00007FFC2B381000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2688-181-0x00007FFC2A8C0000-0x00007FFC2B381000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2688-182-0x00007FFC2A8C0000-0x00007FFC2B381000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4640-174-0x000000001B410000-0x000000001B420000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4640-165-0x00000000007C0000-0x00000000007E4000-memory.dmp

                  Filesize

                  144KB

                  Download

                • memory/4640-171-0x00007FFC2A8C0000-0x00007FFC2B381000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4640-172-0x000000001B410000-0x000000001B420000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4640-173-0x00007FFC2A8C0000-0x00007FFC2B381000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4988-164-0x000000001D280000-0x000000001D74E000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4988-133-0x0000000000570000-0x000000000058C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/4988-169-0x00007FFC2CCC0000-0x00007FFC2D661000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/4988-139-0x0000000000E20000-0x0000000000E30000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4988-138-0x000000001B740000-0x000000001B7A2000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/4988-137-0x0000000000E20000-0x0000000000E30000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4988-136-0x00007FFC2CCC0000-0x00007FFC2D661000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/4988-135-0x00007FFC2CCC0000-0x00007FFC2D661000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/4988-134-0x000000001B690000-0x000000001B736000-memory.dmp

                  Filesize

                  664KB

                  Download