Overview

overview

10

Static

static

3

SeroXenBuilder.exe

windows7-x64

10

SeroXenBuilder.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SeroXenBuilder.exe

  • Size

    91KB

  • MD5

    8e298601185d24d6b8d9ba9d04eb4da8

  • SHA1

    308c42c588c7dffcbe895b32a62b7edb689db20a

  • SHA256

    f53553980b3b4a76cc4faf39f7338e20107f9fd6e1e65cf7f23185ced976f8c4

  • SHA512

    4dc01eb4753065753b463247fdb450cad69432924e9f1c156512d34c2d676f389ef5d6665cc8deda003187683a201b5114abd093b693fe999f9165b3bf0fb4f4

  • SSDEEP

    1536:dKgm3aS+IJ+fc3mPZoCGWvw+tWMeROVhTkbeIRR4LlV5/eEWCU8VQDDY4:dK33F+I8flo/SogVNBhV5GEyc4

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

no-speed.gl.at.ply.gg:1836

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SeroXenBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\SeroXenBuilder.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Roaming\XYZV1.exe
      "C:\Users\Admin\AppData\Roaming\XYZV1.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XYZV1.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XYZV1.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\AppData\Roaming\Windows"
        3⤵
        • Creates scheduled task(s)
        PID:2724
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:2752
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {59B5CDE0-EE82-4658-8318-943AEB181D26} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Users\Admin\AppData\Roaming\Windows
        C:\Users\Admin\AppData\Roaming\Windows
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:984
      • C:\Users\Admin\AppData\Roaming\Windows
        C:\Users\Admin\AppData\Roaming\Windows
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1568

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      400b16745c7cb017b06810ee0fccdb6b

      SHA1

      7988c1a05186fd976b9fc7432cf6fa229948c52e

      SHA256

      e0b7f109ab285a859d366b0a44d1bd2030de40cafdad90e221ab08a03b54f573

      SHA512

      54972000ff32932808e62de22c205e63d91c379bcff3f253704064ff4c9591bfebcf8c7adb23a6ddcd4f8a312614c62fe653af30f49a6e429d2d6905146b45a7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\XYZV1.exe
      Filesize

      80KB

      MD5

      f337249869cf597748578e6a9d441d86

      SHA1

      ff871d0e24eb8ee902d7ec9cfc8c08bf4714616e

      SHA256

      67391b8a35af74d6453e8f0d7233c84044e8f0346506d78761cb91e957ba03a2

      SHA512

      4ca7283417bb635278903d5d456b02f4ddee6d02e2bdd3db988b191061e359d22df43bddc5c44d1e99afee2551033ffde434de28e0565c3630e26aa852eff899

      Download Submit
    • memory/944-39-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/944-36-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/944-35-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/944-34-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/944-32-0x00000000027F0000-0x00000000027F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/944-33-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/944-31-0x000000001B060000-0x000000001B342000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/944-38-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/944-37-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/984-71-0x0000000000920000-0x000000000093A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/984-72-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/984-73-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1296-45-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1296-67-0x000000001A8A0000-0x000000001A8AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1296-13-0x000000001B380000-0x000000001B400000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1296-11-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1296-10-0x0000000001330000-0x000000000134A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1568-76-0x0000000000D70000-0x0000000000D8A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1568-77-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1568-78-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2324-58-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2324-63-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2324-60-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2324-59-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2324-61-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2324-62-0x0000000002720000-0x00000000027A0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2484-19-0x000007FEEE7E0000-0x000007FEEF17D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2484-20-0x0000000002470000-0x0000000002478000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2484-21-0x000007FEEE7E0000-0x000007FEEF17D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2484-22-0x00000000023F0000-0x0000000002470000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2484-25-0x000007FEEE7E0000-0x000007FEEF17D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2484-18-0x000000001B260000-0x000000001B542000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2484-23-0x00000000023F0000-0x0000000002470000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2484-24-0x00000000023F0000-0x0000000002470000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2824-48-0x000007FEEE7E0000-0x000007FEEF17D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2824-52-0x000007FEEE7E0000-0x000007FEEF17D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2824-50-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2824-51-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2824-49-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2824-47-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2824-46-0x000007FEEE7E0000-0x000007FEEF17D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/3000-0-0x0000000000930000-0x000000000094E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3000-12-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/3000-1-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download