Analysis
-
max time kernel
13s -
max time network
14s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2024 04:48
Static task
static1
General
-
Target
Win-XwormRat-builder.exe
-
Size
928KB
-
MD5
db9df61757cc712eb190955371d24937
-
SHA1
308155685a2bcc0369a63d1ac2c13c7293cedce7
-
SHA256
276d53b6f343cffb4e81e6db87b30dce162b82dd2ed9aea49d754cdfba8e865a
-
SHA512
cf2ab30da84cdee5988c52f08403a33d99f5565839959763aaa4b34745251cc32839e466e7c6c27f83145bc10b55e0f279a4165af58db28156f34aa2b44a921e
-
SSDEEP
12288:V8pICumxgLj3PSg+Gfqxk01P6RNGZS7yK8g3dviBOEBkCtip/y6Lr9vXjdkpgLMk:p1ixARrLl1/1q+
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation Win-XwormRat-builder.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation win-xwarm-builder.exe -
Executes dropped EXE 2 IoCs
pid Process 4840 win-xwarm-builder.exe 2504 Update.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3992 schtasks.exe 1468 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3436 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4980 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2504 Update.exe 2504 Update.exe 2504 Update.exe 2504 Update.exe 2504 Update.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4840 win-xwarm-builder.exe Token: SeDebugPrivilege 4980 tasklist.exe Token: SeDebugPrivilege 2504 Update.exe Token: SeDebugPrivilege 2504 Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2504 Update.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4692 wrote to memory of 4840 4692 Win-XwormRat-builder.exe 89 PID 4692 wrote to memory of 4840 4692 Win-XwormRat-builder.exe 89 PID 4840 wrote to memory of 3992 4840 win-xwarm-builder.exe 101 PID 4840 wrote to memory of 3992 4840 win-xwarm-builder.exe 101 PID 4840 wrote to memory of 2968 4840 win-xwarm-builder.exe 103 PID 4840 wrote to memory of 2968 4840 win-xwarm-builder.exe 103 PID 2968 wrote to memory of 4980 2968 cmd.exe 105 PID 2968 wrote to memory of 4980 2968 cmd.exe 105 PID 2968 wrote to memory of 2232 2968 cmd.exe 106 PID 2968 wrote to memory of 2232 2968 cmd.exe 106 PID 2968 wrote to memory of 3436 2968 cmd.exe 107 PID 2968 wrote to memory of 3436 2968 cmd.exe 107 PID 2968 wrote to memory of 2504 2968 cmd.exe 108 PID 2968 wrote to memory of 2504 2968 cmd.exe 108 PID 2504 wrote to memory of 1468 2504 Update.exe 112 PID 2504 wrote to memory of 1468 2504 Update.exe 112 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Win-XwormRat-builder.exe"C:\Users\Admin\AppData\Local\Temp\Win-XwormRat-builder.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"3⤵
- Creates scheduled task(s)
PID:3992
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4840"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\system32\find.exefind ":"4⤵PID:2232
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
PID:3436
-
-
C:\Users\Static\Update.exe"Update.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"5⤵
- Creates scheduled task(s)
PID:1468
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
195B
MD53e6e7ed572917c40774ec2dfb73b36da
SHA146e4b2540954ad11de191fa252ca9d5ab4c60c85
SHA256165cf875dd98ddec219dfd4868d8d1aad4a755537bef6606203e24dc90ed6958
SHA5121d888dd353e83680e9f33de4c49ec3c76fd5c3078090c5dac19baa11ad9b7c3a656c8c245c40b8e93cd8878f2aca956a841ab26ab42f57922a153df3ca3f9373
-
Filesize
127KB
MD5f6f686df785d0abdc66d1f90fa508c4b
SHA175f348132001df30cbad9c7cae2e2072fcaca38e
SHA25661b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f
SHA5127daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77