Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
08-02-2024 03:05
General
-
Target
windows.exe
-
Size
332KB
-
MD5
21b941b814ff8935b0f5b308a8c7ec9c
-
SHA1
568e4c957b15f002eebb0bb291537e4c36c8f390
-
SHA256
986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb
-
SHA512
dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18
-
SSDEEP
6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ
Malware Config
Extracted
xworm
hai1723rat-60039.portmap.io:60039
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows.exe"C:\Users\Admin\AppData\Local\Temp\windows.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\pcnetwork.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pcnetwork.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E3D.tmp.bat""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\taskeng.exetaskeng.exe {749E77D9-40F6-40FC-9B61-CA0861C3B682} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\pcnetwork.exeC:\Windows\pcnetwork.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\pcnetwork.exe'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pcnetwork.exe'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6E3D.tmp.batFilesize
159B
MD5eb6a878b865fb84e6e3825c83cf6fbe9
SHA1e9145f7616501f1df272051ebd2e035b35b6a92f
SHA256ad5b3e140b19d1bd302a0af360841eaddb6c9c2bd72441d8058e798462963cd3
SHA5128663598632c9bc9cd7e52952d7d297829442d6b5db7051e1d4ad2678707c4799776852f62b38cd253d34c0fdeb16333e4508f66aa47eebbcb157c71181fe84f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD504cf7a4175296e034c55732bb8104a4b
SHA1086c9fa9de9ac8f5d28655bcab32ac0824564623
SHA2569cf96fd84470186c9c134e43aee6c43438cb3201387bd61e5dfe6cffd782827b
SHA5122a1d35b57a5eab8175152129528ec626040f62d82cb0360220fc25e61464ffc8b0dc10a93f17a82905ef38715c73a65223010025b2955d663e87dc814ea22c40
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59cd90512c0513fb6b2ea8451c0ba38b0
SHA175ae0632c0cf6a6e1f66267e8072fd72b6da94c9
SHA256631776de06788f0d0efd53f6b300ba20a3ed51c0234b66c3c68421c60a251ce2
SHA5126e77aaa0011d7227fdf8db5348def8fb9c4e5605087168a4f5182c9ccd8ef5a9948886e8c32a3dbe6e642bb197d80337a8420854d00897c556fb24013c204fae
-
C:\Windows\pcnetwork.exeFilesize
332KB
MD521b941b814ff8935b0f5b308a8c7ec9c
SHA1568e4c957b15f002eebb0bb291537e4c36c8f390
SHA256986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb
SHA512dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18
-
memory/268-54-0x0000000002980000-0x0000000002A00000-memory.dmpFilesize
512KB
-
memory/268-55-0x000007FEF1EB0000-0x000007FEF284D000-memory.dmpFilesize
9.6MB
-
memory/268-50-0x000007FEF1EB0000-0x000007FEF284D000-memory.dmpFilesize
9.6MB
-
memory/268-51-0x0000000002980000-0x0000000002A00000-memory.dmpFilesize
512KB
-
memory/268-52-0x000007FEF1EB0000-0x000007FEF284D000-memory.dmpFilesize
9.6MB
-
memory/268-53-0x0000000002980000-0x0000000002A00000-memory.dmpFilesize
512KB
-
memory/1180-64-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/1180-62-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/1180-61-0x000007FEED060000-0x000007FEED9FD000-memory.dmpFilesize
9.6MB
-
memory/1180-63-0x000007FEED060000-0x000007FEED9FD000-memory.dmpFilesize
9.6MB
-
memory/1180-65-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/1180-66-0x000007FEED060000-0x000007FEED9FD000-memory.dmpFilesize
9.6MB
-
memory/1980-41-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmpFilesize
9.9MB
-
memory/1980-42-0x00000000003A0000-0x00000000003F8000-memory.dmpFilesize
352KB
-
memory/1980-67-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmpFilesize
9.9MB
-
memory/1980-44-0x00000000005C0000-0x00000000005D8000-memory.dmpFilesize
96KB
-
memory/1980-43-0x000000001AC90000-0x000000001AD10000-memory.dmpFilesize
512KB
-
memory/2692-22-0x000007FEED110000-0x000007FEEDAAD000-memory.dmpFilesize
9.6MB
-
memory/2692-21-0x0000000002A50000-0x0000000002AD0000-memory.dmpFilesize
512KB
-
memory/2692-19-0x0000000002510000-0x0000000002518000-memory.dmpFilesize
32KB
-
memory/2692-18-0x000000001B350000-0x000000001B632000-memory.dmpFilesize
2.9MB
-
memory/2692-20-0x000007FEED110000-0x000007FEEDAAD000-memory.dmpFilesize
9.6MB
-
memory/2692-23-0x0000000002A50000-0x0000000002AD0000-memory.dmpFilesize
512KB
-
memory/2692-25-0x000007FEED110000-0x000007FEEDAAD000-memory.dmpFilesize
9.6MB
-
memory/2692-24-0x0000000002A50000-0x0000000002AD0000-memory.dmpFilesize
512KB
-
memory/2792-9-0x0000000002600000-0x0000000002680000-memory.dmpFilesize
512KB
-
memory/2792-6-0x000000001B230000-0x000000001B512000-memory.dmpFilesize
2.9MB
-
memory/2792-8-0x000007FEEDAB0000-0x000007FEEE44D000-memory.dmpFilesize
9.6MB
-
memory/2792-12-0x000007FEEDAB0000-0x000007FEEE44D000-memory.dmpFilesize
9.6MB
-
memory/2792-7-0x0000000001EC0000-0x0000000001EC8000-memory.dmpFilesize
32KB
-
memory/2792-10-0x0000000002600000-0x0000000002680000-memory.dmpFilesize
512KB
-
memory/2792-11-0x000007FEEDAB0000-0x000007FEEE44D000-memory.dmpFilesize
9.6MB
-
memory/3032-28-0x0000000001FE0000-0x0000000002060000-memory.dmpFilesize
512KB
-
memory/3032-1-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmpFilesize
9.9MB
-
memory/3032-37-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmpFilesize
9.9MB
-
memory/3032-0-0x0000000000B40000-0x0000000000B98000-memory.dmpFilesize
352KB