Overview

overview

10

Static

static

3

x.exe

windows7-x64

10

x.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23/12/2023, 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x.exe

  • Size

    320KB

  • MD5

    c940e89943c98832a5738d260f16bf94

  • SHA1

    b422d97d5d59fe0ac82bcb379e2c1d4a27f77618

  • SHA256

    4001c4f249a156e7e9410886ddaf8ca7652689eb914a57d3bb17c1284f79dab1

  • SHA512

    44587a723fa9d51d5dfb216181bdab33987aedd32cff30eec72363425b6de228a7bc51b84fc66214f81b4b398edc70723839d8e979f533595b140cb52bc31cbd

  • SSDEEP

    6144:7DKW1Lgbdl0TBBvjc/RUizNnjLF00mpPGy5Bmfb1cdmhCq3t:Ph1Lk70Tnvjchnjx004uyefbcU3t

Score
10/10
xwormzgratpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 2 IoCs
  • Detect ZGRat V1 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x.exe
    "C:\Users\Admin\AppData\Local\Temp\x.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\taskscheder.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskscheder.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskscheder" /tr "C:\Users\Admin\AppData\Roaming\taskscheder.exe"
      2⤵
      • Creates scheduled task(s)
      PID:456
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {769A50A5-E0DA-4146-9722-EC356D3F26CA} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Users\Admin\AppData\Roaming\taskscheder.exe
      C:\Users\Admin\AppData\Roaming\taskscheder.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Users\Admin\AppData\Roaming\taskscheder.exe
      C:\Users\Admin\AppData\Roaming\taskscheder.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    cbb743bd0d28b7aa52f0123d55bffbb3

    SHA1

    588d0cf90529c6dfab43c60d97c211f6a0f5297d

    SHA256

    9298658ac315945d6849279d3041a1240d79676474dbc4853c1fd8cde9c46bc6

    SHA512

    700be899ceea53bdb89dd46eb6f6d07ca14fb944ca33092d0d29abf24a9ce3259fcfca3c05eee7fbcb33caf01bf208dd27d79cc145ffd6d4c09e5510a76c162a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\taskscheder.exe
    Filesize

    63KB

    MD5

    e6fd1d3a409b3dd866eb666e079baaa2

    SHA1

    17aa7ce8d7e1e111ca84784ce8f6fd92257ff014

    SHA256

    1e1fc41db1b61696c8539b81e29421fe20316c66fdeac9a02dbfc7e84d8adb0a

    SHA512

    2d01c7393ef4d9ddd738d13637b66502ead3d8bd9071a7024c8637903457682eb0056d08d210a716f5d160946fb20a94a616b85db93312db21394ae3e3ee6ff7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\taskscheder.exe
    Filesize

    36KB

    MD5

    e4df7d2cb818500929d6948bee762f13

    SHA1

    4e721ba5b86b7ebfb1fe99945765ec82d5e4a4c2

    SHA256

    277954df41b8425ea3c7c908fbd4c9478c0bc755480c2f8659a3855fa013feda

    SHA512

    faf0d2b1898976ce8eb5e72730a0dd28d35d915530eec30a90a7a0047c25cf6d6b003140e37954240cf8ca007288487e0d6ff44f548e9f88f49b5e954540a9a3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\taskscheder.exe
    Filesize

    320KB

    MD5

    c940e89943c98832a5738d260f16bf94

    SHA1

    b422d97d5d59fe0ac82bcb379e2c1d4a27f77618

    SHA256

    4001c4f249a156e7e9410886ddaf8ca7652689eb914a57d3bb17c1284f79dab1

    SHA512

    44587a723fa9d51d5dfb216181bdab33987aedd32cff30eec72363425b6de228a7bc51b84fc66214f81b4b398edc70723839d8e979f533595b140cb52bc31cbd

    Download Submit

  • \Users\Admin\AppData\Roaming\taskscheder.exe
    Filesize

    70KB

    MD5

    0c7c8a89728cad8874ab638e6964b199

    SHA1

    797a49f4a999db2e7b6c01909fb6bbf7f872a1d4

    SHA256

    657ef00c81c216ead771c28a60d0febf1247f71032de8590b7d11075e4c1d689

    SHA512

    2cc86af7694902ad6f163648e338f6fbf618bc04b866ac5c78167b83e95a42a362c8068e1a7b0c6800b9133d3c045dfaba688e3d5a6f7c2e69b8edc1424db8d7

    Download Submit

  • memory/944-69-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/944-66-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/944-67-0x00000000023A0000-0x00000000023E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/944-68-0x00000000023A0000-0x00000000023E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1352-63-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1352-61-0x0000000002090000-0x00000000020D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1352-60-0x0000000002090000-0x00000000020D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1352-59-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1352-62-0x0000000002090000-0x00000000020D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1640-50-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-45-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-46-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-47-0x0000000002480000-0x00000000024C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1640-49-0x0000000002480000-0x00000000024C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1640-48-0x0000000002480000-0x00000000024C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1948-39-0x000000006DFB0000-0x000000006E55B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1948-33-0x000000006DFB0000-0x000000006E55B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1948-34-0x00000000027C0000-0x0000000002800000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1948-35-0x000000006DFB0000-0x000000006E55B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1948-37-0x00000000027C0000-0x0000000002800000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1948-36-0x00000000027C0000-0x0000000002800000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-0-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-1-0x00000000046D0000-0x0000000004710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-4-0x00000000046D0000-0x0000000004710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-32-0x00000000046D0000-0x0000000004710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-3-0x00000000046D0000-0x0000000004710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-38-0x00000000046D0000-0x0000000004710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-5-0x0000000004780000-0x00000000047E8000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2512-6-0x00000000046D0000-0x0000000004710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-2-0x0000000004710000-0x0000000004778000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2512-19-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2580-24-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2580-21-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2580-23-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2580-25-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2580-20-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2580-22-0x000000006DA00000-0x000000006DFAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2792-13-0x000000006DFB0000-0x000000006E55B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2792-11-0x0000000002590000-0x00000000025D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2792-12-0x0000000002590000-0x00000000025D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2792-10-0x000000006DFB0000-0x000000006E55B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2792-9-0x000000006DFB0000-0x000000006E55B000-memory.dmp

    Filesize

    5.7MB

    Download