Overview

overview

10

Static

static

3

XBinderOutput.exe

windows7-x64

10

XBinderOutput.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutput.exe

  • Size

    81KB

  • MD5

    6a473a6fbeda2aa9557f5fb7eab5c9c6

  • SHA1

    eb79bcf494c6cc5852b2439bc7ecdf04adf92b4e

  • SHA256

    9f48bafc8116d691886054d64bd81dd84cf5114c84b72eb7ffcf8b9bac4341b4

  • SHA512

    8a8fa406029ccd61907ad9cb18d9333c067eea2d81dbe079d658c8e3533e401027de95c1c77afe09b6d55695438e01a6dd677f14b94bb490bad51f959b3e5fbf

  • SSDEEP

    1536:IzJVjzYoptrwvJBDrqiYQ9SZxlc9lQPykpl6VPM/qy:kyoptk/qcgc9+aQ6hu

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

million-houston.gl.at.ply.gg:27705

Attributes
  • Install_directory

    %AppData%

  • install_file

    BloxstrapModded.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
      "C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Users\Admin\AppData\Local\Temp\XClient.exe
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4768
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BloxstrapModded.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4436
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BloxstrapModded.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4880
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    62623d22bd9e037191765d5083ce16a3

    SHA1

    4a07da6872672f715a4780513d95ed8ddeefd259

    SHA256

    95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

    SHA512

    9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    993af531f0b57e8128ec273731c3a8e2

    SHA1

    a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

    SHA256

    fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

    SHA512

    bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
    Filesize

    10.0MB

    MD5

    d4823d25c86c905b29ff3cd42127d5b3

    SHA1

    4380e4416b419f1bde9ee98c45b14fc7f29e8876

    SHA256

    71cc081cbe5e67b32b6b07ca8e63211610e6a52d477f8afc32521a0b1cfd1f45

    SHA512

    e9d12f0e1c4c2a434c6ec8a004d85141a6f6bc6a81179d7f9200d387a8f7031554615a39e33384694c2e8291ebab533c3c703d927498480078a87b6f49520152

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\README.txt
    Filesize

    438B

    MD5

    659061a5689cae197b49f62be53bcf40

    SHA1

    6467f2252645e7ce87932aad37e24a6eed3fefeb

    SHA256

    0ca739b146beb166072cb199c8090f98140b88c5a7c251cf4ed730487507936c

    SHA512

    f5933100e6ce6a030cb7ee36213308cfa4b05859b903564c4d711e60433079dd8182922ea45f25ec8b8defca90c5aa56a94bce031e5aa0e35e11ae19fb858567

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    Filesize

    80KB

    MD5

    cfeb71480542c9b6d6aec88f02e6d820

    SHA1

    4fcf90f5f8e16dcee2fa5ee1611394533f7ff740

    SHA256

    ebabe3ead25f28d4fe0a3ab1a592d7160065995da465ec549ebe8f27ba5eeee9

    SHA512

    e5d1a95fe948e295f0f7cc55f88464136e088b0c7f531a132eab76025885f2de93d101981fc3dedc4bd7ed271b58578bcab235fc9d2bedca6e209fb3f7d594bd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iztraoev.urt.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/2660-69-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2660-66-0x0000026E042E0000-0x0000026E042F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2660-67-0x0000026E042E0000-0x0000026E042F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2660-64-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3140-0-0x0000000000840000-0x000000000085A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3140-15-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3140-2-0x000000001B430000-0x000000001B440000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3140-1-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4436-79-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4436-81-0x00000224772D0000-0x00000224772E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4436-83-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4504-16-0x0000000000860000-0x0000000000874000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4504-35-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4504-17-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4504-19-0x000000001B580000-0x000000001B590000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4768-45-0x000002A3EB0E0000-0x000002A3EB0F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4768-38-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4768-53-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4768-50-0x000002A3EBBA0000-0x000002A3EBBC2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4768-39-0x000002A3EB0E0000-0x000002A3EB0F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4796-103-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4796-32-0x0000000000D80000-0x0000000000D9A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4796-37-0x000000001BBD0000-0x000000001BBE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4796-34-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4796-104-0x000000001BBD0000-0x000000001BBE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4880-95-0x000002A35F780000-0x000002A35F790000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4880-98-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4880-93-0x00007FF973090000-0x00007FF973B51000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4880-94-0x000002A35F780000-0x000002A35F790000-memory.dmp
    Filesize

    64KB

    Download