Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
08-02-2024 03:05
General
-
Target
windows.exe
-
Size
332KB
-
MD5
21b941b814ff8935b0f5b308a8c7ec9c
-
SHA1
568e4c957b15f002eebb0bb291537e4c36c8f390
-
SHA256
986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb
-
SHA512
dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18
-
SSDEEP
6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ
Malware Config
Extracted
xworm
hai1723rat-60039.portmap.io:60039
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows.exe"C:\Users\Admin\AppData\Local\Temp\windows.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\pcnetwork.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pcnetwork.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E3D.tmp.bat""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {749E77D9-40F6-40FC-9B61-CA0861C3B682} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\pcnetwork.exeC:\Windows\pcnetwork.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\pcnetwork.exe'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pcnetwork.exe'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
159B
MD5eb6a878b865fb84e6e3825c83cf6fbe9
SHA1e9145f7616501f1df272051ebd2e035b35b6a92f
SHA256ad5b3e140b19d1bd302a0af360841eaddb6c9c2bd72441d8058e798462963cd3
SHA5128663598632c9bc9cd7e52952d7d297829442d6b5db7051e1d4ad2678707c4799776852f62b38cd253d34c0fdeb16333e4508f66aa47eebbcb157c71181fe84f8
-
Filesize
7KB
MD504cf7a4175296e034c55732bb8104a4b
SHA1086c9fa9de9ac8f5d28655bcab32ac0824564623
SHA2569cf96fd84470186c9c134e43aee6c43438cb3201387bd61e5dfe6cffd782827b
SHA5122a1d35b57a5eab8175152129528ec626040f62d82cb0360220fc25e61464ffc8b0dc10a93f17a82905ef38715c73a65223010025b2955d663e87dc814ea22c40
-
Filesize
7KB
MD59cd90512c0513fb6b2ea8451c0ba38b0
SHA175ae0632c0cf6a6e1f66267e8072fd72b6da94c9
SHA256631776de06788f0d0efd53f6b300ba20a3ed51c0234b66c3c68421c60a251ce2
SHA5126e77aaa0011d7227fdf8db5348def8fb9c4e5605087168a4f5182c9ccd8ef5a9948886e8c32a3dbe6e642bb197d80337a8420854d00897c556fb24013c204fae
-
Filesize
332KB
MD521b941b814ff8935b0f5b308a8c7ec9c
SHA1568e4c957b15f002eebb0bb291537e4c36c8f390
SHA256986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb
SHA512dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.9MB
-
Filesize
352KB
-
Filesize
9.9MB
-
Filesize
96KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
352KB