Overview

overview

10

Static

static

3

msfiler.exe

windows7-x64

10

msfiler.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2024 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msfiler.exe

  • Size

    419KB

  • MD5

    8a716466aa6f2d425ec09770626e8e54

  • SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

  • SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

  • SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

  • SSDEEP

    6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes
  • Install_directory

    %Temp%

  • install_file

    mdnsresp.exe

aes.plain

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
    "C:\Users\Admin\AppData\Local\Temp\msfiler.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2948
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    529ceb853a543c021a423ebe4efbc89d

    SHA1

    eae154750e42d8c8e5a30991ad66ee43eedc02b5

    SHA256

    59bf519527a0995b0cda47434fef97803917a4fa6ac94cdb9171bc872bf7920e

    SHA512

    b862ba61dec087f8b324048507c0365117ca85e79bfd1b192b50deebbdbeee4be75d4fccd5bb867e70db3b125151bf48d476bc7f512fb6a8aac5cbf36824dbd6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\mdnsresp.exe
    Filesize

    234KB

    MD5

    fa2f5b70ae3d3c4b9dfec81467ea06ea

    SHA1

    f9e11ae2fd6e5454322568728119e7741409768c

    SHA256

    4664064ae88131fd4e92a5454d08dd4ee9d293895f468ba2ac633a6aceb1f6c2

    SHA512

    ea55b98d25edbc464d6045b5c14ee95a9f2376153a7a3b982a80c9b15368d3f5213e43d304f742155690a71fc5b723403e2e26728f624e4f17628518326a740b

    Download Submit

  • memory/536-18-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/536-1-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/536-2-0x00000000046A0000-0x00000000046E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-3-0x00000000006F0000-0x0000000000738000-memory.dmp

    Filesize

    288KB

    Download

  • memory/536-4-0x00000000005E0000-0x0000000000610000-memory.dmp

    Filesize

    192KB

    Download

  • memory/536-5-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/536-6-0x0000000004610000-0x000000000465C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/536-0-0x0000000000270000-0x00000000002E0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/752-62-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/752-57-0x00000000027E0000-0x0000000002820000-memory.dmp

    Filesize

    256KB

    Download

  • memory/752-59-0x00000000027E0000-0x0000000002820000-memory.dmp

    Filesize

    256KB

    Download

  • memory/752-60-0x00000000027E0000-0x0000000002820000-memory.dmp

    Filesize

    256KB

    Download

  • memory/752-58-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/752-56-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-70-0x0000000070330000-0x00000000708DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-69-0x00000000024E0000-0x0000000002520000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2172-68-0x0000000070330000-0x00000000708DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-71-0x00000000024E0000-0x0000000002520000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2172-72-0x00000000024E0000-0x0000000002520000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2172-73-0x0000000070330000-0x00000000708DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2640-35-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2640-39-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2640-34-0x0000000002410000-0x0000000002450000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2640-33-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2640-38-0x0000000002410000-0x0000000002450000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2640-36-0x00000000708E0000-0x0000000070E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2640-37-0x0000000002410000-0x0000000002450000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2736-24-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2736-27-0x00000000713A0000-0x000000007194B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2736-26-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2736-22-0x00000000713A0000-0x000000007194B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2736-23-0x00000000713A0000-0x000000007194B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2736-25-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2864-15-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-9-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-80-0x0000000004110000-0x0000000004150000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2864-79-0x0000000004110000-0x0000000004150000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2864-10-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-7-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-61-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2864-8-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-19-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2864-13-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-17-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2948-45-0x0000000070330000-0x00000000708DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2948-50-0x0000000070330000-0x00000000708DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2948-46-0x0000000002160000-0x00000000021A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2948-47-0x0000000070330000-0x00000000708DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2948-48-0x0000000002160000-0x00000000021A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2948-49-0x0000000002160000-0x00000000021A0000-memory.dmp

    Filesize

    256KB

    Download