Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-03-2024 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    419KB

  • MD5

    8a716466aa6f2d425ec09770626e8e54

  • SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

  • SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

  • SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

  • SSDEEP

    6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score
10/10
purelogstealerxwormratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes
  • Install_directory

    %Temp%

  • install_file

    mdnsresp.exe

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

    stealerpurelogstealer
  • PureLog Stealer payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAZgBpAGwAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAZgBpAGwAZQAuAGUAeABlADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      C:\Users\Admin\AppData\Local\Temp\file.exe
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    8bd931987585d4f37ffe0bdb31763f77

    SHA1

    a435b95b8e33e097c5360643ad5d05c1328b9f9c

    SHA256

    e0f18b32bb68fc06417c206a94c049bd7f6a5165ff8a730bb7eb2a0972cd53ac

    SHA512

    04f624717fa7775aa329ca0ef692bfd11fb2ad5894793a79b37ed8dce1cd4fcb6aff2b2cd5cf82106b7a4de7d965f5d1986e181e8fdbcf871e2d3090d92339fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\mdnsresp.exe
    Filesize

    419KB

    MD5

    8a716466aa6f2d425ec09770626e8e54

    SHA1

    62fb757ea5098651331f91c1664db9fe46b21879

    SHA256

    585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

    SHA512

    54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

    Download Submit

  • memory/1692-68-0x0000000002A00000-0x0000000002A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1692-67-0x000000006FBA0000-0x000000007014B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1692-72-0x000000006FBA0000-0x000000007014B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1692-71-0x0000000002A00000-0x0000000002A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1692-70-0x0000000002A00000-0x0000000002A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1692-69-0x000000006FBA0000-0x000000007014B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1872-50-0x000000006FBA0000-0x000000007014B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1872-49-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-48-0x000000006FBA0000-0x000000007014B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1872-47-0x000000006FBA0000-0x000000007014B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-27-0x00000000028C0000-0x0000000002900000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2096-26-0x0000000071650000-0x0000000071BFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-28-0x00000000028C0000-0x0000000002900000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2096-29-0x0000000071650000-0x0000000071BFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-30-0x0000000071650000-0x0000000071BFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2388-56-0x0000000070150000-0x00000000706FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2388-58-0x0000000070150000-0x00000000706FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2388-61-0x0000000070150000-0x00000000706FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2388-57-0x0000000002890000-0x00000000028D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2388-60-0x0000000002890000-0x00000000028D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-36-0x0000000070150000-0x00000000706FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-41-0x0000000070150000-0x00000000706FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-37-0x0000000070150000-0x00000000706FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-38-0x0000000002AF0000-0x0000000002B30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-39-0x0000000002AF0000-0x0000000002B30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-40-0x0000000002AF0000-0x0000000002B30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2868-4-0x0000000000930000-0x0000000000960000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2868-0-0x0000000000980000-0x00000000009F0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2868-3-0x00000000004E0000-0x0000000000528000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2868-2-0x0000000004A60000-0x0000000004AA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2868-1-0x00000000745B0000-0x0000000074C9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2868-5-0x00000000044D0000-0x0000000004500000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2868-22-0x00000000745B0000-0x0000000074C9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2868-6-0x00000000045B0000-0x00000000045FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3024-17-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-59-0x00000000745B0000-0x0000000074C9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3024-23-0x00000000745B0000-0x0000000074C9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3024-21-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-19-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-13-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-9-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-7-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-78-0x0000000000690000-0x00000000006D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-79-0x0000000000690000-0x00000000006D0000-memory.dmp

    Filesize

    256KB

    Download