Overview

overview

10

Static

static

10

Kaught.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/08/2023, 20:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Kaught.exe

  • Size

    63KB

  • MD5

    24d062abf47e76a592996e57e4146a4c

  • SHA1

    99c4fee76e22523d9d03189f5e65295f51aeb0b1

  • SHA256

    b40c5e0c9e7fc8cc0fe7d2f1ead00295df5341c4fb9d59a277575450038aad2d

  • SHA512

    56dc50182d4fae3ad50d05656bb0a5ca3d14e71a37efe0fb84ca3fb28a48c471732251df0e4959efd32884b5c59aa06db8978210dc7d00ab40f03c4ca40b8f40

  • SSDEEP

    1536:WSKfMqlTPADtRxNqDN06Zb7R84n4RLVA6NDO5D3Cr:WSKUqonxNsbZb7gVzDO5Dyr

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

Kaught-53088.portmap.host:53088

Attributes
  • install_file

    spoofer.exe

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kaught.exe
    "C:\Users\Admin\AppData\Local\Temp\Kaught.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Kaught.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Kaught.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Kaught.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Kaught" /tr "C:\Users\Admin\Kaught.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4144
  • C:\Users\Admin\Kaught.exe
    C:\Users\Admin\Kaught.exe
    1⤵
    • Executes dropped EXE
    PID:4800
  • C:\Users\Admin\Kaught.exe
    C:\Users\Admin\Kaught.exe
    1⤵
    • Executes dropped EXE
    PID:4684

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Kaught.exe.log
          Filesize

          654B

          MD5

          16c5fce5f7230eea11598ec11ed42862

          SHA1

          75392d4824706090f5e8907eee1059349c927600

          SHA256

          87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

          SHA512

          153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          8592ba100a78835a6b94d5949e13dfc1

          SHA1

          63e901200ab9a57c7dd4c078d7f75dcd3b357020

          SHA256

          fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

          SHA512

          87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          22d2015204e662c4e966a798855d2385

          SHA1

          3dc128d1e88b884a8b0cd5966e6437e73b4b1e0c

          SHA256

          5a8d41756b0b84a38d989a937ced9a0a907af2ea46851eb111f5dcf56056afdb

          SHA512

          56391d321f6402251146b18267a86b81d8c222cf9901606d51472578931acb92156463946ec0705524c01348dc7a415519723f0db611564300c709deacb2f3be

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          d57613dc4f15067cb0105ecd16803368

          SHA1

          e156381a2b061ed90903697488775d989c689c44

          SHA256

          86a29cdf6eed9002cfe6f01183137a0a17b9d57908deb77782137f0cc6e5d3e0

          SHA512

          715470b2ca4b0ac6af09ca29c7be0a7e56307f79d1c9a48b6c6db0c15c219347cc03b3502d552e5dd724eddee4e48d2616b07fd2348c7e070001b63e2b04eeae

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd2b0aw1.l5k.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\Kaught.exe
          Filesize

          63KB

          MD5

          24d062abf47e76a592996e57e4146a4c

          SHA1

          99c4fee76e22523d9d03189f5e65295f51aeb0b1

          SHA256

          b40c5e0c9e7fc8cc0fe7d2f1ead00295df5341c4fb9d59a277575450038aad2d

          SHA512

          56dc50182d4fae3ad50d05656bb0a5ca3d14e71a37efe0fb84ca3fb28a48c471732251df0e4959efd32884b5c59aa06db8978210dc7d00ab40f03c4ca40b8f40

          Download Submit

        • C:\Users\Admin\Kaught.exe
          Filesize

          63KB

          MD5

          24d062abf47e76a592996e57e4146a4c

          SHA1

          99c4fee76e22523d9d03189f5e65295f51aeb0b1

          SHA256

          b40c5e0c9e7fc8cc0fe7d2f1ead00295df5341c4fb9d59a277575450038aad2d

          SHA512

          56dc50182d4fae3ad50d05656bb0a5ca3d14e71a37efe0fb84ca3fb28a48c471732251df0e4959efd32884b5c59aa06db8978210dc7d00ab40f03c4ca40b8f40

          Download Submit

        • C:\Users\Admin\Kaught.exe
          Filesize

          63KB

          MD5

          24d062abf47e76a592996e57e4146a4c

          SHA1

          99c4fee76e22523d9d03189f5e65295f51aeb0b1

          SHA256

          b40c5e0c9e7fc8cc0fe7d2f1ead00295df5341c4fb9d59a277575450038aad2d

          SHA512

          56dc50182d4fae3ad50d05656bb0a5ca3d14e71a37efe0fb84ca3fb28a48c471732251df0e4959efd32884b5c59aa06db8978210dc7d00ab40f03c4ca40b8f40

          Download Submit

        • C:\Users\Admin\Kaught.exe
          Filesize

          63KB

          MD5

          24d062abf47e76a592996e57e4146a4c

          SHA1

          99c4fee76e22523d9d03189f5e65295f51aeb0b1

          SHA256

          b40c5e0c9e7fc8cc0fe7d2f1ead00295df5341c4fb9d59a277575450038aad2d

          SHA512

          56dc50182d4fae3ad50d05656bb0a5ca3d14e71a37efe0fb84ca3fb28a48c471732251df0e4959efd32884b5c59aa06db8978210dc7d00ab40f03c4ca40b8f40

          Download Submit

        • memory/372-161-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/372-162-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/372-1-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/372-0-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/372-56-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2212-100-0x000001E925260000-0x000001E925270000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2212-61-0x000001E925260000-0x000001E925270000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2212-60-0x000001E925260000-0x000001E925270000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2212-77-0x000001E925260000-0x000001E925270000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2212-58-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2212-103-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2740-5-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2740-25-0x0000021A8B610000-0x0000021A8B620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2740-7-0x0000021A8B610000-0x0000021A8B620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2740-52-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2740-8-0x0000021A8B610000-0x0000021A8B620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2740-9-0x0000021A8B4A0000-0x0000021A8B4C2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2740-12-0x0000021AA3B80000-0x0000021AA3BF6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2740-48-0x0000021A8B610000-0x0000021A8B620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4440-106-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4440-152-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4440-149-0x00000276C9730000-0x00000276C9740000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4440-126-0x00000276C9730000-0x00000276C9740000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4440-110-0x00000276C9730000-0x00000276C9740000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4440-108-0x00000276C9730000-0x00000276C9740000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4684-171-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4684-172-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4800-165-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4800-167-0x00007FFA24730000-0x00007FFA2511C000-memory.dmp

          Filesize

          9.9MB

          Download