Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/04/2024, 13:14

General

  • Target

    a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe

  • Size

    455KB

  • MD5

    c8d9593196962fa5d706a207c16674cd

  • SHA1

    686a8e674e6615d5cd91f7b2cba0c755054b3f69

  • SHA256

    a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

  • SHA512

    5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf

  • SSDEEP

    12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.1

C2

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
    "C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2592 -s 732
      2⤵
      PID:2636

Downloads

  • memory/2192-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2192-15-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2192-23-0x0000000004B80000-0x0000000004BC0000-memory.dmp (Filesize: 256KB)
  • memory/2192-22-0x00000000746D0000-0x0000000074DBE000-memory.dmp (Filesize: 6.9MB)
  • memory/2192-4-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2192-6-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2192-8-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2192-10-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2192-19-0x0000000004B80000-0x0000000004BC0000-memory.dmp (Filesize: 256KB)
  • memory/2192-18-0x00000000746D0000-0x0000000074DBE000-memory.dmp (Filesize: 6.9MB)
  • memory/2192-13-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2192-17-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/2592-0-0x0000000001260000-0x0000000001276000-memory.dmp (Filesize: 88KB)
  • memory/2592-1-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp (Filesize: 9.9MB)
  • memory/2592-20-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp (Filesize: 9.9MB)
  • memory/2592-21-0x000000001B4E0000-0x000000001B560000-memory.dmp (Filesize: 512KB)
  • memory/2592-3-0x0000000000CD0000-0x0000000000D34000-memory.dmp (Filesize: 400KB)
  • memory/2592-2-0x000000001B4E0000-0x000000001B560000-memory.dmp (Filesize: 512KB)