Overview

overview

10

Static

static

3

msfiler.exe

windows7-x64

10

msfiler.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msfiler.exe

  • Size

    419KB

  • MD5

    8a716466aa6f2d425ec09770626e8e54

  • SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

  • SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

  • SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

  • SSDEEP

    6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes
  • Install_directory

    %Temp%

  • install_file

    mdnsresp.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
    "C:\Users\Admin\AppData\Local\Temp\msfiler.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4976
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4400
    • C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      C:\Users\Admin\AppData\Local\Temp\msfiler.exe
      2⤵
        PID:3200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1068-57-0x00000000072E0000-0x00000000072F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1068-59-0x00000000073C0000-0x00000000073C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1068-22-0x00000000056B0000-0x0000000005716000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1068-21-0x0000000005640000-0x00000000056A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1068-19-0x0000000004E40000-0x0000000004E62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1068-17-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1068-20-0x00000000048A0000-0x00000000048B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1068-62-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1068-56-0x00000000072D0000-0x00000000072DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1068-51-0x00000000076E0000-0x0000000007D5A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1068-16-0x0000000004EE0000-0x0000000005508000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1068-32-0x0000000005860000-0x0000000005BB4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1068-18-0x00000000048A0000-0x00000000048B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1068-54-0x0000000007320000-0x00000000073B6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1068-33-0x0000000005D70000-0x0000000005D8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1068-34-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1068-35-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1068-36-0x0000000006F40000-0x0000000006F72000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1068-12-0x0000000004770000-0x00000000047A6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1068-55-0x00000000072A0000-0x00000000072B1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1068-37-0x00000000705D0000-0x000000007061C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1068-50-0x0000000006F80000-0x0000000007023000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1068-49-0x00000000048A0000-0x00000000048B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1068-48-0x00000000048A0000-0x00000000048B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1068-52-0x00000000070A0000-0x00000000070BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1068-58-0x00000000073E0000-0x00000000073FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1068-53-0x0000000007110000-0x000000000711A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1068-47-0x0000000006340000-0x000000000635E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2916-80-0x000000006FE20000-0x000000006FE6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2916-79-0x000000007F760000-0x000000007F770000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-91-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-90-0x0000000007200000-0x00000000072A3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2916-64-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2916-65-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-92-0x0000000007530000-0x0000000007541000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2916-93-0x0000000007580000-0x0000000007594000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2916-95-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2916-66-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-72-0x0000000005950000-0x0000000005CA4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2916-78-0x0000000006030000-0x000000000607C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3596-98-0x00000000023F0000-0x0000000002400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3596-96-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3596-123-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3596-109-0x000000007F500000-0x000000007F510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3596-121-0x00000000023F0000-0x0000000002400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3596-110-0x000000006FE20000-0x000000006FE6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3596-97-0x00000000023F0000-0x0000000002400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4792-10-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4792-13-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4792-15-0x00000000057C0000-0x000000000585C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4792-120-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4824-3-0x0000000004F90000-0x0000000005022000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4824-9-0x00000000052D0000-0x000000000531C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4824-2-0x0000000005660000-0x0000000005C04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4824-1-0x0000000000530000-0x00000000005A0000-memory.dmp

      Filesize

      448KB

      Download

    • memory/4824-4-0x0000000005150000-0x0000000005160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4824-6-0x0000000005040000-0x0000000005088000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4824-8-0x00000000052A0000-0x00000000052D0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4824-0-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4824-7-0x0000000005120000-0x0000000005150000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4824-14-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4824-5-0x0000000005030000-0x000000000503A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4976-126-0x0000000005200000-0x0000000005210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-124-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4976-125-0x0000000005200000-0x0000000005210000-memory.dmp

      Filesize

      64KB

      Download