Overview

overview

10

Static

static

3

REVISED (D...OC.scr

windows7-x64

10

REVISED (D...OC.scr

windows10-2004-x64

10

UPDATED (D...OC.scr

windows7-x64

10

UPDATED (D...OC.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    12/12/2023, 09:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr

  • Size

    447KB

  • MD5

    c824d690e03774ac57c0967f721e09e3

  • SHA1

    b4f4db1fbb3606a94618b8fc783ceecb9bd2a4d8

  • SHA256

    cf632203d1e3b90e91deacdd99295bd81807e8de345d1716472eef5557c33ce1

  • SHA512

    8741063e5f1f73848dcf3043675b20f3142b818d27a068034a79e4a4bed38a59294293f5e58306b495e4d141d4909d7fb61ab5ca8d1ebee62831ad411030377f

  • SSDEEP

    12288:S3IU8S6eUdJe4AYn1svkGWFWKvBo7gG3BU:IItSAdJZ+O6g

Score
10/10
xwormzgratrattrojan

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes
  • Install_directory

    %AppData%

  • install_file

    XWorm V5.2 Optimized.exe

Signatures

  • Detect Xworm Payload 6 IoCs
  • Detect ZGRat V1 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
    "C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
      "C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr"
      2⤵
        PID:1932
      • C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
        "C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr"
        2⤵
        • Drops startup file
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2840
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XWorm V5.2 Optimized.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1100
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2 Optimized.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1984

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            27d0a046e104b495b37ddc471b06e126

            SHA1

            de531bbb9b732470fc10c32ac44a875eecd8cb0c

            SHA256

            71ebb75db353e76994edc29c8088fe765dcc0dbc5032910c819599674542eebd

            SHA512

            7903e7389c7d472dd5b8c32ba5afee46904067bfbf439c41201a9c3777be1625348cdb55f59b3f975a3a8c45a8ddc2c0188c6dd3420f82f058b7f8a07dbdb3ce

            Download Submit

          • \Users\Admin\AppData\Roaming\XWorm V5.2 Optimized.exe
            Filesize

            447KB

            MD5

            c824d690e03774ac57c0967f721e09e3

            SHA1

            b4f4db1fbb3606a94618b8fc783ceecb9bd2a4d8

            SHA256

            cf632203d1e3b90e91deacdd99295bd81807e8de345d1716472eef5557c33ce1

            SHA512

            8741063e5f1f73848dcf3043675b20f3142b818d27a068034a79e4a4bed38a59294293f5e58306b495e4d141d4909d7fb61ab5ca8d1ebee62831ad411030377f

            Download Submit

          • memory/1100-49-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1100-44-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1100-45-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1100-46-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1100-47-0x0000000002740000-0x0000000002780000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1984-59-0x00000000024D0000-0x0000000002510000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1984-55-0x00000000714B0000-0x0000000071A5B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1984-56-0x00000000024D0000-0x0000000002510000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1984-57-0x00000000714B0000-0x0000000071A5B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1984-58-0x00000000024D0000-0x0000000002510000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1984-60-0x00000000714B0000-0x0000000071A5B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2036-12-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2036-19-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2036-67-0x0000000004810000-0x0000000004850000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2036-21-0x00000000749C0000-0x00000000750AE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2036-66-0x0000000004810000-0x0000000004850000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2036-7-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2036-48-0x00000000749C0000-0x00000000750AE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2036-9-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2036-17-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2036-11-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2036-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2036-15-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2672-36-0x00000000714B0000-0x0000000071A5B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2672-37-0x00000000025F0000-0x0000000002630000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2672-38-0x00000000714B0000-0x0000000071A5B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2672-35-0x00000000025F0000-0x0000000002630000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2672-34-0x00000000714B0000-0x0000000071A5B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2840-28-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2840-27-0x0000000002710000-0x0000000002750000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2840-26-0x0000000002710000-0x0000000002750000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2840-25-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2840-24-0x0000000071A60000-0x000000007200B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2880-0-0x0000000000E60000-0x0000000000ED6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2880-6-0x0000000000DE0000-0x0000000000E32000-memory.dmp

            Filesize

            328KB

            Download

          • memory/2880-5-0x0000000000530000-0x000000000053A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2880-4-0x00000000004A0000-0x00000000004A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2880-3-0x00000000004D0000-0x00000000004E8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2880-2-0x0000000004E40000-0x0000000004E80000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2880-1-0x00000000749C0000-0x00000000750AE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2880-20-0x00000000749C0000-0x00000000750AE000-memory.dmp

            Filesize

            6.9MB

            Download