Overview

overview

10

Static

static

3

msfiler.exe

windows7-x64

10

msfiler.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2023 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msfiler.exe

  • Size

    419KB

  • MD5

    8a716466aa6f2d425ec09770626e8e54

  • SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

  • SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

  • SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

  • SSDEEP

    6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes
  • Install_directory

    %Temp%

  • install_file

    mdnsresp.exe

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
    "C:\Users\Admin\AppData\Local\Temp\msfiler.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T1W4V5AD2EP15K8LTUK9.temp
    Filesize

    7KB

    MD5

    56a8cf72782661c7726a1d1a16d265d9

    SHA1

    ad13567a6506f27a47f85cbf5cd7eff191f179de

    SHA256

    bcb80593a0f1b50ed1490b13ccdbd3e155fd6aa39007e5dfd5009df2e56fe13b

    SHA512

    ce93d8c77e63362c747584ca9f6019128e2e8c5f85633d2154d235ce8b5583c952a47b218e51df3e34a3d51481d4247e731ba67a36de4b809cc2441e0fa51f4a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    56a8cf72782661c7726a1d1a16d265d9

    SHA1

    ad13567a6506f27a47f85cbf5cd7eff191f179de

    SHA256

    bcb80593a0f1b50ed1490b13ccdbd3e155fd6aa39007e5dfd5009df2e56fe13b

    SHA512

    ce93d8c77e63362c747584ca9f6019128e2e8c5f85633d2154d235ce8b5583c952a47b218e51df3e34a3d51481d4247e731ba67a36de4b809cc2441e0fa51f4a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    56a8cf72782661c7726a1d1a16d265d9

    SHA1

    ad13567a6506f27a47f85cbf5cd7eff191f179de

    SHA256

    bcb80593a0f1b50ed1490b13ccdbd3e155fd6aa39007e5dfd5009df2e56fe13b

    SHA512

    ce93d8c77e63362c747584ca9f6019128e2e8c5f85633d2154d235ce8b5583c952a47b218e51df3e34a3d51481d4247e731ba67a36de4b809cc2441e0fa51f4a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    56a8cf72782661c7726a1d1a16d265d9

    SHA1

    ad13567a6506f27a47f85cbf5cd7eff191f179de

    SHA256

    bcb80593a0f1b50ed1490b13ccdbd3e155fd6aa39007e5dfd5009df2e56fe13b

    SHA512

    ce93d8c77e63362c747584ca9f6019128e2e8c5f85633d2154d235ce8b5583c952a47b218e51df3e34a3d51481d4247e731ba67a36de4b809cc2441e0fa51f4a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    56a8cf72782661c7726a1d1a16d265d9

    SHA1

    ad13567a6506f27a47f85cbf5cd7eff191f179de

    SHA256

    bcb80593a0f1b50ed1490b13ccdbd3e155fd6aa39007e5dfd5009df2e56fe13b

    SHA512

    ce93d8c77e63362c747584ca9f6019128e2e8c5f85633d2154d235ce8b5583c952a47b218e51df3e34a3d51481d4247e731ba67a36de4b809cc2441e0fa51f4a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\mdnsresp.exe
    Filesize

    419KB

    MD5

    8a716466aa6f2d425ec09770626e8e54

    SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

    SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

    SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

    Download Submit

  • memory/1540-62-0x00000000028B0000-0x00000000028F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1540-60-0x00000000028B0000-0x00000000028F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1540-63-0x00000000028B0000-0x00000000028F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1540-64-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1540-59-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1540-61-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2128-26-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2128-28-0x0000000002A90000-0x0000000002AD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-29-0x0000000002A90000-0x0000000002AD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-27-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2128-30-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2220-0-0x0000000001330000-0x00000000013A0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2220-22-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-6-0x0000000000C90000-0x0000000000CDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2220-5-0x00000000006A0000-0x00000000006D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2220-4-0x0000000000310000-0x0000000000340000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2220-2-0x0000000004E40000-0x0000000004E80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2220-3-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2220-1-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2280-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-83-0x0000000004DE0000-0x0000000004E20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2280-82-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2280-85-0x0000000004DE0000-0x0000000004E20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2280-7-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-9-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-13-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-17-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-19-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-21-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-23-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2692-74-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2692-71-0x0000000002E20000-0x0000000002E60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2692-70-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2692-72-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2692-84-0x0000000002E20000-0x0000000002E60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2692-75-0x0000000002E20000-0x0000000002E60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2692-73-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-38-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-39-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-40-0x0000000002A40000-0x0000000002A80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2784-42-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-41-0x0000000002A40000-0x0000000002A80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2784-36-0x0000000071120000-0x00000000716CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-37-0x0000000002A40000-0x0000000002A80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2980-52-0x00000000028D0000-0x0000000002910000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2980-48-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2980-49-0x00000000028D0000-0x0000000002910000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2980-50-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2980-53-0x00000000716D0000-0x0000000071C7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2980-51-0x00000000028D0000-0x0000000002910000-memory.dmp

    Filesize

    256KB

    Download