Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
20-04-2024 15:25
Static task
static1
Behavioral task
behavioral1
Sample
XBinderOutput.exe
Resource
win7-20240221-en
General
-
Target
XBinderOutput.exe
-
Size
81KB
-
MD5
6a473a6fbeda2aa9557f5fb7eab5c9c6
-
SHA1
eb79bcf494c6cc5852b2439bc7ecdf04adf92b4e
-
SHA256
9f48bafc8116d691886054d64bd81dd84cf5114c84b72eb7ffcf8b9bac4341b4
-
SHA512
8a8fa406029ccd61907ad9cb18d9333c067eea2d81dbe079d658c8e3533e401027de95c1c77afe09b6d55695438e01a6dd677f14b94bb490bad51f959b3e5fbf
-
SSDEEP
1536:IzJVjzYoptrwvJBDrqiYQ9SZxlc9lQPykpl6VPM/qy:kyoptk/qcgc9+aQ6hu
Malware Config
Extracted
xworm
million-houston.gl.at.ply.gg:27705
-
Install_directory
%AppData%
-
install_file
BloxstrapModded.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe | family_xworm
behavioral2/memory/4796-32-0x0000000000D80000-0x0000000000D9A000-memory.dmp | family_xworm
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
XBinderOutput.exe, BloxstrapModded.exe, XClient.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | XBinderOutput.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | BloxstrapModded.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | XClient.exe
-
Drops startup file 2 IoCs
Processes:
XClient.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BloxstrapModded.lnk | XClient.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BloxstrapModded.lnk | XClient.exe
-
Executes dropped EXE 2 IoCs
Processes:
BloxstrapModded.exe, XClient.exe
pid | process
4504 | BloxstrapModded.exe
4796 | XClient.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
32 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
BloxstrapModded.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings | BloxstrapModded.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE
pid | process
2148 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe, powershell.exe, XClient.exe
pid | process
4768 | powershell.exe
4768 | powershell.exe
4768 | powershell.exe
2660 | powershell.exe
2660 | powershell.exe
2660 | powershell.exe
4436 | powershell.exe
4436 | powershell.exe
4436 | powershell.exe
4880 | powershell.exe
4880 | powershell.exe
4880 | powershell.exe
4796 | XClient.exe
4796 | XClient.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
XClient.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4796 | XClient.exe
Token: SeDebugPrivilege | 4768 | powershell.exe
Token: SeDebugPrivilege | 2660 | powershell.exe
Token: SeDebugPrivilege | 4436 | powershell.exe
Token: SeDebugPrivilege | 4880 | powershell.exe
Token: SeDebugPrivilege | 4796 | XClient.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
XClient.exe
pid | process
4796 | XClient.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
XBinderOutput.exe, BloxstrapModded.exe, XClient.exe
description | pid | process | target process
PID 3140 wrote to memory of 4504 | 3140 | XBinderOutput.exe | BloxstrapModded.exe
PID 3140 wrote to memory of 4504 | 3140 | XBinderOutput.exe | BloxstrapModded.exe
PID 4504 wrote to memory of 4796 | 4504 | BloxstrapModded.exe | XClient.exe
PID 4504 wrote to memory of 4796 | 4504 | BloxstrapModded.exe | XClient.exe
PID 4504 wrote to memory of 2148 | 4504 | BloxstrapModded.exe | NOTEPAD.EXE
PID 4504 wrote to memory of 2148 | 4504 | BloxstrapModded.exe | NOTEPAD.EXE
PID 4796 wrote to memory of 4768 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 4768 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 2660 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 2660 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 4436 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 4436 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 4880 | 4796 | XClient.exe | powershell.exe
PID 4796 wrote to memory of 4880 | 4796 | XClient.exe | powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
  "C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      -
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BloxstrapModded.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BloxstrapModded.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
62623d22bd9e037191765d5083ce16a3
SHA1
4a07da6872672f715a4780513d95ed8ddeefd259
SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
993af531f0b57e8128ec273731c3a8e2
SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1
SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62
SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
34f595487e6bfd1d11c7de88ee50356a
SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
Filesize
10.0MB
MD5
d4823d25c86c905b29ff3cd42127d5b3
SHA1
4380e4416b419f1bde9ee98c45b14fc7f29e8876
SHA256
71cc081cbe5e67b32b6b07ca8e63211610e6a52d477f8afc32521a0b1cfd1f45
SHA512
e9d12f0e1c4c2a434c6ec8a004d85141a6f6bc6a81179d7f9200d387a8f7031554615a39e33384694c2e8291ebab533c3c703d927498480078a87b6f49520152
-
C:\Users\Admin\AppData\Local\Temp\README.txt
Filesize
438B
MD5
659061a5689cae197b49f62be53bcf40
SHA1
6467f2252645e7ce87932aad37e24a6eed3fefeb
SHA256
0ca739b146beb166072cb199c8090f98140b88c5a7c251cf4ed730487507936c
SHA512
f5933100e6ce6a030cb7ee36213308cfa4b05859b903564c4d711e60433079dd8182922ea45f25ec8b8defca90c5aa56a94bce031e5aa0e35e11ae19fb858567
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
80KB
MD5
cfeb71480542c9b6d6aec88f02e6d820
SHA1
4fcf90f5f8e16dcee2fa5ee1611394533f7ff740
SHA256
ebabe3ead25f28d4fe0a3ab1a592d7160065995da465ec549ebe8f27ba5eeee9
SHA512
e5d1a95fe948e295f0f7cc55f88464136e088b0c7f531a132eab76025885f2de93d101981fc3dedc4bd7ed271b58578bcab235fc9d2bedca6e209fb3f7d594bd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iztraoev.urt.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/2660-69-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/2660-66-0x0000026E042E0000-0x0000026E042F0000-memory.dmp
Filesize
64KB
-
memory/2660-67-0x0000026E042E0000-0x0000026E042F0000-memory.dmp
Filesize
64KB
-
memory/2660-64-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/3140-0-0x0000000000840000-0x000000000085A000-memory.dmp
Filesize
104KB
-
memory/3140-15-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/3140-2-0x000000001B430000-0x000000001B440000-memory.dmp
Filesize
64KB
-
memory/3140-1-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4436-79-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4436-81-0x00000224772D0000-0x00000224772E0000-memory.dmp
Filesize
64KB
-
memory/4436-83-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4504-16-0x0000000000860000-0x0000000000874000-memory.dmp
Filesize
80KB
-
memory/4504-35-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4504-17-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4504-19-0x000000001B580000-0x000000001B590000-memory.dmp
Filesize
64KB
-
memory/4768-45-0x000002A3EB0E0000-0x000002A3EB0F0000-memory.dmp
Filesize
64KB
-
memory/4768-38-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4768-53-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4768-50-0x000002A3EBBA0000-0x000002A3EBBC2000-memory.dmp
Filesize
136KB
-
memory/4768-39-0x000002A3EB0E0000-0x000002A3EB0F0000-memory.dmp
Filesize
64KB
-
memory/4796-103-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4796-32-0x0000000000D80000-0x0000000000D9A000-memory.dmp
Filesize
104KB
-
memory/4796-37-0x000000001BBD0000-0x000000001BBE0000-memory.dmp
Filesize
64KB
-
memory/4796-34-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4796-104-0x000000001BBD0000-0x000000001BBE0000-memory.dmp
Filesize
64KB
-
memory/4880-95-0x000002A35F780000-0x000002A35F790000-memory.dmp
Filesize
64KB
-
memory/4880-98-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4880-93-0x00007FF973090000-0x00007FF973B51000-memory.dmp
Filesize
10.8MB
-
memory/4880-94-0x000002A35F780000-0x000002A35F790000-memory.dmp
Filesize
64KB