Overview

overview

10

Static

static

10

TestRun.exe

windows11-21h2-x64

10

Resubmissions

20-04-2024 15:39

240420-s3xkdscd4t 10

20-04-2024 15:29

240420-sxd6vscb7z 10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-04-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TestRun.exe

  • Size

    56KB

  • MD5

    594c098d8e2cf8fc36669b3398b7bd5a

  • SHA1

    e0cf7de523b55b53ca5881c35090c5106b2041b8

  • SHA256

    06a8d5dde4323a28db52b3932c55c42fa0a9c1c47d4b2a289cf6466b03b3f60b

  • SHA512

    a2febefa9cc0d1b80cc49ffb3b50c2552b2727c826b041c26c35ba31c725d2cd580ab7a9f6260a5cbe568f026080fe77f386403573ef206b3c3ae54ec35771bc

  • SSDEEP

    768:Up3yq/UiGz5EfnLQRySsQLp+pdVQ3apATb9c5h4uaNvjczO5h5tZ2HI:u3yq/dsu/8oSsIp+LVQbb9bLN6O5rb

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

uk2.localto.net:37847

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Google.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TestRun.exe
    "C:\Users\Admin\AppData\Local\Temp\TestRun.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3364
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3052
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4496

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      e51dafe414a652360bb13068cb89f30e

      SHA1

      70cf874ffedbb7dc2422530261193fd6a0b6271c

      SHA256

      58e87eb01269c20618026620782ab6409efe3fc42607a9d9c380823b661d37e7

      SHA512

      bc894af738c4270b0293b2b49e897c74e5a8777c90a6f11a158f5c1e8b3dd9179f05a884e3d9768fe1f1b1979f92df9b19e2df5c05cf21d36949e092051f072a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      5b431d6f7e2b9ad35ba13b2d16cb21e3

      SHA1

      db0a9b00ca39f14ee5be3269b8527bdf65ae2fc1

      SHA256

      63e00add8cd4078903228714758131588a3f1165a916bfc66e1a82076558acd0

      SHA512

      f27f5b3c9c23adaf50ff44e0b2af4dd121038ed4bd5ebc0b8d63094b4266a151edf94214ce85990d8e545f1f4b8b288539b7d8003979deb24629825f5b966183

      Download Submit
    • memory/3364-0-0x0000000000130000-0x0000000000144000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3364-1-0x00007FFDAECC0000-0x00007FFDAF782000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3364-2-0x0000000002260000-0x0000000002270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3364-26-0x00007FFDAECC0000-0x00007FFDAF782000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3364-27-0x0000000002260000-0x0000000002270000-memory.dmp
      Filesize

      64KB

      Download