Overview

overview

10

Static

static

3

a1d6f223fa...JC.exe

windows7-x64

10

a1d6f223fa...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2023, 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe

  • Size

    408KB

  • MD5

    afca5eaa6d402c37a8aa7d93110c97f0

  • SHA1

    e5d797b50a51b9595a85260ec353768ab1515258

  • SHA256

    a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6

  • SHA512

    58e02fc9badafbc3a0dee25a4d5af4435dc1830f6e8a8af074ca9b1adafadacd81db74068d8a78c9809cafcbcb8f5945cf4020635d724d77299020c8a1679c03

  • SSDEEP

    6144:LJgOMsar5xbivcUblrM2KDBXQseSDCOTMAtBMA1kqDzumBFTLv++GDZMj:mOMxWcqrlK1XHeSDCOIkBzbD59BGVY

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

atelilian99.ddns.net:8282

Mutex

XqUeUiDC1kQH7xwL

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RWtKOUV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RWtKOUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EA4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2548
    • C:\Users\Admin\AppData\Local\Temp\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5EA4.tmp
    Filesize

    1KB

    MD5

    4398211bb39eb2b8c7492703362a0d14

    SHA1

    65f429c27adc32b672c52939552baab1593d05cd

    SHA256

    0ac6e7166671acdb0bf2604385829e1b9a846206689311a3bb4990c5c4e24471

    SHA512

    b1405967f4775fb7015b358271554dad12a551ef7bbf76595453d422054206e3c60dba55dded6a986dfc9f21989996a5d425464e92071a9e8e24c630b35c8b3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F7GSW6JHY9IW30QUULAX.temp
    Filesize

    7KB

    MD5

    21e4d3199f6afb221122b809a517c2af

    SHA1

    73532b134e810226e47916589ced7c6afdf31b2d

    SHA256

    f8eb447fa72d92b348a937782494a7139d6936043c6c4f327ec47c9bbd50e3a3

    SHA512

    90001a9e41be16ccd2ae52abb17ab895365d4f109612c7ed08491acdb15c885823e2aa8251cf9594aacd46ee6279d097ed4ea0c4dfb22cbc90f8dcdcf42fdf21

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    21e4d3199f6afb221122b809a517c2af

    SHA1

    73532b134e810226e47916589ced7c6afdf31b2d

    SHA256

    f8eb447fa72d92b348a937782494a7139d6936043c6c4f327ec47c9bbd50e3a3

    SHA512

    90001a9e41be16ccd2ae52abb17ab895365d4f109612c7ed08491acdb15c885823e2aa8251cf9594aacd46ee6279d097ed4ea0c4dfb22cbc90f8dcdcf42fdf21

    Download Submit

  • C:\Users\Admin\AppData\Roaming\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe
    Filesize

    408KB

    MD5

    afca5eaa6d402c37a8aa7d93110c97f0

    SHA1

    e5d797b50a51b9595a85260ec353768ab1515258

    SHA256

    a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6

    SHA512

    58e02fc9badafbc3a0dee25a4d5af4435dc1830f6e8a8af074ca9b1adafadacd81db74068d8a78c9809cafcbcb8f5945cf4020635d724d77299020c8a1679c03

    Download Submit

  • \Users\Admin\AppData\Roaming\a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6_JC.exe
    Filesize

    408KB

    MD5

    afca5eaa6d402c37a8aa7d93110c97f0

    SHA1

    e5d797b50a51b9595a85260ec353768ab1515258

    SHA256

    a1d6f223fa3e037cea557b5b5aa79bea29060a9a323ca9974806a04ad05a3dc6

    SHA512

    58e02fc9badafbc3a0dee25a4d5af4435dc1830f6e8a8af074ca9b1adafadacd81db74068d8a78c9809cafcbcb8f5945cf4020635d724d77299020c8a1679c03

    Download Submit

  • memory/1724-40-0x000000006ED30000-0x000000006F2DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1724-44-0x000000006ED30000-0x000000006F2DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1724-42-0x0000000002650000-0x0000000002690000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1724-37-0x000000006ED30000-0x000000006F2DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2228-35-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2228-7-0x0000000000D00000-0x0000000000D48000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2228-5-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2228-4-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2228-3-0x0000000000350000-0x0000000000364000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2228-1-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2228-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2228-0-0x00000000010E0000-0x000000000114C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2228-6-0x0000000000380000-0x000000000038C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2596-36-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2596-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-32-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-30-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-55-0x00000000046E0000-0x0000000004720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2596-34-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-54-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2596-26-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-53-0x00000000046E0000-0x0000000004720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2596-22-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-24-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-39-0x00000000026D0000-0x0000000002710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2788-45-0x000000006ED30000-0x000000006F2DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-43-0x00000000026D0000-0x0000000002710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2788-41-0x000000006ED30000-0x000000006F2DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-38-0x000000006ED30000-0x000000006F2DB000-memory.dmp

    Filesize

    5.7MB

    Download