Overview

overview

10

Static

static

3

msfiler.exe

windows7-x64

10

msfiler.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2024 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msfiler.exe

  • Size

    419KB

  • MD5

    8a716466aa6f2d425ec09770626e8e54

  • SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

  • SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

  • SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

  • SSDEEP

    6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes
  • Install_directory

    %Temp%

  • install_file

    mdnsresp.exe

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
    "C:\Users\Admin\AppData\Local\Temp\msfiler.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:960
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1e2735ce1e64668988daf310bc0a4d6f

    SHA1

    dbb9be4123e1dea42de66ca78cb624921ef9b50f

    SHA256

    fd8992bf4aed2a18a7f26adb2921ba600e8bfaac5f036fba0eba5161fba3d831

    SHA512

    12fe2fd4754aefd6122ad8ec1d11d04e401e977316cd65fb48e0686c02a0010dbc7c33d5b348eca44731c52a798345f691b36f96b928f992b511b1b3bef48f88

    Download Submit

  • \Users\Admin\AppData\Local\Temp\mdnsresp.exe
    Filesize

    419KB

    MD5

    8a716466aa6f2d425ec09770626e8e54

    SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

    SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

    SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

    Download Submit

  • memory/936-69-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/936-63-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/936-65-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/936-64-0x0000000002820000-0x0000000002860000-memory.dmp

    Filesize

    256KB

    Download

  • memory/936-66-0x0000000002820000-0x0000000002860000-memory.dmp

    Filesize

    256KB

    Download

  • memory/936-68-0x0000000002820000-0x0000000002860000-memory.dmp

    Filesize

    256KB

    Download

  • memory/960-44-0x00000000026D0000-0x0000000002710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/960-46-0x00000000026D0000-0x0000000002710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/960-47-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/960-43-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/960-45-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2448-18-0x0000000074960000-0x000000007504E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2448-4-0x00000000008D0000-0x0000000000900000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2448-6-0x0000000002100000-0x000000000214C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2448-5-0x0000000000910000-0x0000000000940000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2448-1-0x0000000074960000-0x000000007504E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2448-2-0x0000000004860000-0x00000000048A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2448-3-0x0000000000A20000-0x0000000000A68000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2448-0-0x0000000000A70000-0x0000000000AE0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2540-35-0x00000000027F0000-0x0000000002830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2540-32-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-33-0x00000000027F0000-0x0000000002830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2540-34-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-36-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-26-0x0000000002880000-0x00000000028C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-25-0x0000000002880000-0x00000000028C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-42-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-24-0x0000000002880000-0x00000000028C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-23-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-22-0x0000000071A00000-0x0000000071FAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-13-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-8-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-76-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2788-75-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2788-7-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-19-0x0000000074960000-0x000000007504E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2788-9-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-17-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-15-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2788-10-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2788-67-0x0000000074960000-0x000000007504E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2860-57-0x0000000071450000-0x00000000719FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2860-56-0x0000000001E60000-0x0000000001EA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2860-55-0x0000000071450000-0x00000000719FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2860-54-0x0000000001E60000-0x0000000001EA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2860-53-0x0000000071450000-0x00000000719FB000-memory.dmp

    Filesize

    5.7MB

    Download