Overview

overview

10

Static

static

3

4f49150cb8...de.exe

windows7-x64

10

4f49150cb8...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2023 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe

  • Size

    753KB

  • MD5

    912a9f5960f78c14a1bfe528860b5cc5

  • SHA1

    6e23c3b72f56358efc066b6ae60d173902a0f033

  • SHA256

    4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

  • SHA512

    0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

  • SSDEEP

    12288:2ufjVpNKUF3OjhlYnf8KPGNaTp7WeqCdmgzKrQXOxTXbebLw7:2sGQOjhlYUUGkp7FzO

Score
10/10
xwormpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
    "C:\Users\Admin\AppData\Local\Temp\4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\hhrjcird.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 8
        3⤵
        • Runs ping.exe
        PID:3648
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\hhrjcird.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:5052
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe" "C:\Users\Admin\AppData\Roaming\hhrjcird.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\hhrjcird.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 17
        3⤵
        • Runs ping.exe
        PID:4304
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 17
        3⤵
        • Runs ping.exe
        PID:312
      • C:\Users\Admin\AppData\Roaming\hhrjcird.exe
        "C:\Users\Admin\AppData\Roaming\hhrjcird.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:448
        • C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
          "C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
            "C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UehdjUej.exe.log
    Filesize

    1KB

    MD5

    7dca233df92b3884663fa5a40db8d49c

    SHA1

    208b8f27b708c4e06ac37f974471cc7b29c29b60

    SHA256

    90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

    SHA512

    d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.txt
    Filesize

    54B

    MD5

    39b024dff82e46bb774fdaa34cb6b3dc

    SHA1

    a86913e3f45df68a12803a371d3563ecc191051c

    SHA256

    c1bb3f3a122de151a7097ea5dd4764d9d0365cc965fc86a879cd9d95fcbaf9c0

    SHA512

    aa9d9190f3c1d422e2ecaa61e2d24d52968446d0971e972886bae48ce138dddd52db1e6c6c590b30bb8d6660038bb70f736e02c5c79f275a6c643f13b3aee656

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.txt
    Filesize

    57B

    MD5

    bfb95f5f2139efb5aef54cd3c7ba0055

    SHA1

    015217746f887811177e7b1acbf43f6f8f06b956

    SHA256

    df71607946de0b034a7463dbeaa28f4cb5bf61f28d50121e9bad8bdfdf05c576

    SHA512

    336441827417d27421b1023e3fae459d559eac7538318d81129504a840c081e532141d9e009110be0382c3ae6f6d9e5df62beaffa4a5e4d7404de96a763d2a3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UehdjUej.txt
    Filesize

    57B

    MD5

    c1afd08f21d23598cb6d1dd28d8338c6

    SHA1

    27d99ecebe4329df9ec6f66ee446cba63dc5d50f

    SHA256

    ff4a7a1df19adb9b5bfad6ed4ae9a3df5c85c0187b205174bcda895773b50da6

    SHA512

    ddd603089995dc83352162fc1a2fcb4a9729c4038de4fd11195555418a97b5a098c110567af481cf4ae3e6b75e2b430042e17e207ef9a35b367c9e0c213f7a52

    Download Submit

  • C:\Users\Admin\AppData\Roaming\hhrjcird.exe
    Filesize

    753KB

    MD5

    912a9f5960f78c14a1bfe528860b5cc5

    SHA1

    6e23c3b72f56358efc066b6ae60d173902a0f033

    SHA256

    4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

    SHA512

    0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

    Download Submit

  • C:\Users\Admin\AppData\Roaming\hhrjcird.exe
    Filesize

    753KB

    MD5

    912a9f5960f78c14a1bfe528860b5cc5

    SHA1

    6e23c3b72f56358efc066b6ae60d173902a0f033

    SHA256

    4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

    SHA512

    0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

    Download Submit

  • memory/448-31-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-56-0x0000000005740000-0x00000000057A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/448-57-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-59-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/448-60-0x00000000089D0000-0x0000000008B3E000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/448-61-0x0000000008BB0000-0x0000000008BE0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/448-63-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-34-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-62-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-29-0x0000000002EE0000-0x0000000002EFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/448-32-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-25-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/448-26-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/448-30-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/448-65-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-33-0x00000000055B0000-0x00000000055CC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1164-46-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-45-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1164-52-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2008-20-0x0000000007920000-0x000000000793A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2008-22-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2008-21-0x0000000007780000-0x0000000007786000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2008-24-0x0000000005660000-0x0000000005670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2008-19-0x0000000005660000-0x0000000005670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2008-18-0x0000000005660000-0x0000000005670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2008-17-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2008-16-0x0000000000460000-0x0000000000522000-memory.dmp

    Filesize

    776KB

    Download

  • memory/2008-23-0x0000000005660000-0x0000000005670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2888-64-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2888-53-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4496-8-0x0000000005830000-0x0000000005840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-2-0x00000000055E0000-0x000000000567C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4496-1-0x0000000074700000-0x0000000074EB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4496-3-0x0000000005DF0000-0x0000000006394000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4496-4-0x0000000005830000-0x0000000005840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-5-0x0000000005D20000-0x0000000005D64000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4496-6-0x0000000006540000-0x00000000065D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4496-7-0x00000000064C0000-0x00000000064CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4496-10-0x0000000074700000-0x0000000074EB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4496-0-0x00000000002F0000-0x00000000003B2000-memory.dmp

    Filesize

    776KB

    Download