Overview

overview

10

Static

static

3

a50078c294...0d.exe

windows7-x64

10

a50078c294...0d.exe

windows10-2004-x64

Analysis

  • max time kernel
    70s
  • max time network
    81s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:12

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe

  • Size

    455KB

  • MD5

    c8d9593196962fa5d706a207c16674cd

  • SHA1

    686a8e674e6615d5cd91f7b2cba0c755054b3f69

  • SHA256

    a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

  • SHA512

    5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf

  • SSDEEP

    12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score
10/10
xwormevasionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.1

C2

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:604
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:384
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:688
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:968
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:528
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:700
            • C:\Windows\sysmon.exe
              C:\Windows\sysmon.exe
              1⤵
                PID:2500
              • C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
                "C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
                1⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1400
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  2⤵
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2952
                  • C:\Users\Admin\AppData\Local\Temp\lyuwuh.exe
                    "C:\Users\Admin\AppData\Local\Temp\lyuwuh.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:2452
                    • C:\Program Files\Windows Media Player\wmplayer.exe
                      "C:\Program Files\Windows Media Player\wmplayer.exe"
                      4⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1588
                      • C:\Windows\system32\dialer.exe
                        C:\Windows\system32\dialer.exe
                        5⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4260
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe delete "GVKQGWZS"
                        5⤵
                        • Launches sc.exe
                        PID:3672
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe create "GVKQGWZS" binpath= "C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe" start= "auto"
                        5⤵
                        • Launches sc.exe
                        PID:3352
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop eventlog
                        5⤵
                        • Launches sc.exe
                        PID:2768
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe start "GVKQGWZS"
                        5⤵
                        • Launches sc.exe
                        PID:656
                  • C:\Users\Admin\AppData\Local\Temp\mwjocl.exe
                    "C:\Users\Admin\AppData\Local\Temp\mwjocl.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:936
                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      4⤵
                        PID:2588
                • C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
                  C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
                  1⤵
                    PID:1376

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
                    Filesize

                    167KB

                    MD5

                    89dcd2d4c0ec638aadc00d3530e07e1d

                    SHA1

                    53db931eba71bd6fb14a4b0f4d0e601963c09299

                    SHA256

                    c3252a14845280b1a938b4def08f04690ea36e4454d0bebeecc4e31a9c30d742

                    SHA512

                    bad5d21a28f69633d13a372da4c2fa4b9586c30e4b43bec361fac1be6bded7c49fe684c65f77b60e54346c899e2cfb36fcb291ab3536335d92f3c6ac2aedea41

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\lyuwuh.exe
                    Filesize

                    3.1MB

                    MD5

                    f3e70f68d7e2f644bcd312f1333094e1

                    SHA1

                    259dd00ddb8a08fb149c37254bfb865a74bb11b9

                    SHA256

                    6607d552accc951f2cd068bb394200987d7d1e90e34f8cdab3afe6e3ccedee4e

                    SHA512

                    425d60775735804dce4a43aba0426966cc21ef5c0c997d073bc3d0740d3a07b13227fd1e5be93189079e8e01ca0c515d27ddc0451ee4e514e02bdc3bd8f4d33d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\mwjocl.exe
                    Filesize

                    2.8MB

                    MD5

                    21b6c5c3b7e13ca225dc53324af1cf1d

                    SHA1

                    1903cba2906b60ba1a473049abd3c8abd0175b3c

                    SHA256

                    1d3c862f7876ed0210cc2672c543d407638230d3651dc5a5f63247556c54df39

                    SHA512

                    d05bf8554a98af622c8d80ffc1035c4d9fc8e20a08c10255282adb5bbb2e2b84553106aeba6ce6e099d97c1c6a4cc4f89f9b411d0d31ca88d8249dd791b7e254

                    Download Submit

                  • memory/384-73-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/384-78-0x000001F9B9670000-0x000001F9B969B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/384-69-0x000001F9B9670000-0x000001F9B969B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/528-82-0x00000206C6370000-0x00000206C639B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/528-77-0x00000206C6370000-0x00000206C639B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/528-79-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/604-59-0x000001FF4E780000-0x000001FF4E7AB000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/604-63-0x00007FFE9F72D000-0x00007FFE9F72E000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/604-58-0x000001FF4E3A0000-0x000001FF4E3C4000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/688-61-0x000001ADDEFA0000-0x000001ADDEFCB000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/688-64-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/688-67-0x00007FFE9F72D000-0x00007FFE9F72E000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/688-71-0x00007FFE9F72F000-0x00007FFE9F730000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/700-90-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/700-88-0x0000024329F90000-0x0000024329FBB000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/968-72-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/968-74-0x00000251A2FA0000-0x00000251A2FCB000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/968-80-0x00007FFE9F72C000-0x00007FFE9F72D000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/968-68-0x00000251A2FA0000-0x00000251A2FCB000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/1092-91-0x000001F4AB5D0000-0x000001F4AB5FB000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/1100-99-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1120-98-0x00000191A7A60000-0x00000191A7A8B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/1120-100-0x00007FFE5F710000-0x00007FFE5F720000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1400-0-0x00000280F5F30000-0x00000280F5F46000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1400-1-0x00007FFE81610000-0x00007FFE820D1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1400-2-0x00000280F7DD0000-0x00000280F7DE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1400-3-0x00000280FA680000-0x00000280FA6F6000-memory.dmp

                    Filesize

                    472KB

                    Download

                  • memory/1400-4-0x00000280F64D0000-0x00000280F64EE000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/1400-5-0x00000280F7E20000-0x00000280F7E84000-memory.dmp

                    Filesize

                    400KB

                    Download

                  • memory/1400-9-0x00007FFE81610000-0x00007FFE820D1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1588-84-0x0000000140000000-0x00000001402C1000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1588-31-0x0000000140000000-0x00000001402C1000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1588-33-0x0000000140000000-0x00000001402C1000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1588-34-0x0000000140000000-0x00000001402C1000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/2452-35-0x00007FFE813C0000-0x00007FFE81E81000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2452-27-0x000001F9F00D0000-0x000001F9F00DC000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/2452-28-0x00007FFE813C0000-0x00007FFE81E81000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2452-29-0x000001F9F2680000-0x000001F9F2690000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2452-30-0x000001F9F34A0000-0x000001F9F37B6000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/2952-14-0x00000000082D0000-0x0000000008362000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/2952-10-0x0000000005540000-0x00000000055A6000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/2952-6-0x0000000000400000-0x000000000040E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2952-7-0x0000000074660000-0x0000000074E10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2952-8-0x00000000055D0000-0x000000000566C000-memory.dmp

                    Filesize

                    624KB

                    Download

                  • memory/2952-11-0x0000000005530000-0x0000000005540000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2952-12-0x0000000074660000-0x0000000074E10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2952-13-0x0000000005530000-0x0000000005540000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2952-15-0x0000000008A20000-0x0000000008FC4000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/4260-47-0x0000000140000000-0x000000014002B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/4260-48-0x0000000140000000-0x000000014002B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/4260-49-0x0000000140000000-0x000000014002B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/4260-50-0x0000000140000000-0x000000014002B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/4260-55-0x0000000140000000-0x000000014002B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/4260-52-0x0000000140000000-0x000000014002B000-memory.dmp

                    Filesize

                    172KB

                    Download

                  • memory/4260-53-0x00007FFE9F690000-0x00007FFE9F885000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/4260-54-0x00007FFE9F460000-0x00007FFE9F51E000-memory.dmp

                    Filesize

                    760KB

                    Download