Overview

overview

10

Static

static

3

SFX.exe

windows7-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    26/08/2023, 15:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SFX.exe

  • Size

    3.6MB

  • MD5

    645235b9ddb0045556c55cd47773bef1

  • SHA1

    db55a92f67fe795b79f2232c41a2f6ebcb4e868c

  • SHA256

    3c7bd4fc2dbce2b91b4f05abce2e4ad0809c62d452432cb06f6bad55fc04c4d1

  • SHA512

    88fa25af846bd621859663745a9ab5aa1cdfe4af5d23a50a6ef41da38aa2dedb34d88e2e51d840824525e01199015589245bd867712d735ed8463541c9f9b24e

  • SSDEEP

    98304:20ilsDX8etMPDi7WCM1LCvZhigmovxZ0kZt:Mq76PDiiC8CvZNzFr

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

classic-lovers.at.ply.gg:11647

Attributes
  • install_file

    avp.exe

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SFX.exe
    "C:\Users\Admin\AppData\Local\Temp\SFX.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\avp.exe
      "C:\Users\Admin\AppData\Local\Temp\avp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "avp" /tr "C:\Users\Admin\avp.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2332
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1FFDEC50-7186-4B18-BB5F-DE283EFF97C8} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\avp.exe
      C:\Users\Admin\avp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2452

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\avp.exe
          Filesize

          112KB

          MD5

          6e8437e9e3371aaf060fb8e9ad0270ba

          SHA1

          ca387c23e31abb43ad2048b50fd767dd7348c666

          SHA256

          b67454498ef1d85aec09c98ac3d7ffc041ff9c007e1ea48d5e0674a61e380698

          SHA512

          e1141ee2e4974217f91ad976c48877372556467df1df21d3b04a4a8c2fef824104f14a9be2272fd92f4205a01a814ba7d1a22bd4256a7aee055ad660d5ef201b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\avp.exe
          Filesize

          112KB

          MD5

          6e8437e9e3371aaf060fb8e9ad0270ba

          SHA1

          ca387c23e31abb43ad2048b50fd767dd7348c666

          SHA256

          b67454498ef1d85aec09c98ac3d7ffc041ff9c007e1ea48d5e0674a61e380698

          SHA512

          e1141ee2e4974217f91ad976c48877372556467df1df21d3b04a4a8c2fef824104f14a9be2272fd92f4205a01a814ba7d1a22bd4256a7aee055ad660d5ef201b

          Download Submit

        • C:\Users\Admin\avp.exe
          Filesize

          112KB

          MD5

          6e8437e9e3371aaf060fb8e9ad0270ba

          SHA1

          ca387c23e31abb43ad2048b50fd767dd7348c666

          SHA256

          b67454498ef1d85aec09c98ac3d7ffc041ff9c007e1ea48d5e0674a61e380698

          SHA512

          e1141ee2e4974217f91ad976c48877372556467df1df21d3b04a4a8c2fef824104f14a9be2272fd92f4205a01a814ba7d1a22bd4256a7aee055ad660d5ef201b

          Download Submit

        • C:\Users\Admin\avp.exe
          Filesize

          112KB

          MD5

          6e8437e9e3371aaf060fb8e9ad0270ba

          SHA1

          ca387c23e31abb43ad2048b50fd767dd7348c666

          SHA256

          b67454498ef1d85aec09c98ac3d7ffc041ff9c007e1ea48d5e0674a61e380698

          SHA512

          e1141ee2e4974217f91ad976c48877372556467df1df21d3b04a4a8c2fef824104f14a9be2272fd92f4205a01a814ba7d1a22bd4256a7aee055ad660d5ef201b

          Download Submit

        • C:\Users\Admin\avp.exe
          Filesize

          112KB

          MD5

          6e8437e9e3371aaf060fb8e9ad0270ba

          SHA1

          ca387c23e31abb43ad2048b50fd767dd7348c666

          SHA256

          b67454498ef1d85aec09c98ac3d7ffc041ff9c007e1ea48d5e0674a61e380698

          SHA512

          e1141ee2e4974217f91ad976c48877372556467df1df21d3b04a4a8c2fef824104f14a9be2272fd92f4205a01a814ba7d1a22bd4256a7aee055ad660d5ef201b

          Download Submit

        • memory/2144-1-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2144-10-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2144-0-0x0000000000940000-0x0000000000CE2000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/2172-9-0x0000000000A30000-0x0000000000A50000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2172-15-0x000000001AC10000-0x000000001AC90000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2172-14-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2172-13-0x000000001AC10000-0x000000001AC90000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2172-11-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2452-22-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2452-23-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2452-24-0x00000000020E0000-0x00000000020F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-25-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2452-26-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2968-19-0x0000000001290000-0x00000000012B0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2968-20-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2968-21-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

          Filesize

          9.9MB

          Download