Overview

overview

10

Static

static

10

Revert_Proxy2.exe

windows7-x64

10

Revert_Proxy2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2024, 12:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Revert_Proxy2.exe

  • Size

    50KB

  • MD5

    8ed10249a741529f5ce9ebbcfa50b4ab

  • SHA1

    1135d5e4cd03ba57c681016c5c18bda35c7144fd

  • SHA256

    a9acd48968fdffc028988d29979a781cc707b96fd1483f7825a1014c89fe9e49

  • SHA512

    2700127217546eb248ce086857c1c0fdc6fda3db18576b65dcde7e208c5319c97b782b7459f9f88a67cd1eeea9844dd7083423f903b4c9f25fe108f072ff6409

  • SSDEEP

    1536:Wf05a/CTjS89IFc9Uw68OMA3dS1EAd8IIR:Wf05a/CTJ9IFc9UuOMmgEA6IIR

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

85.203.4.127:1474

Mutex

eBA1hJEKi2fpwXUX

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    VLC_Media.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revert_Proxy2.exe
    "C:\Users\Admin\AppData\Local\Temp\Revert_Proxy2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Revert_Proxy2.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Revert_Proxy2.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4324

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          15dde0683cd1ca19785d7262f554ba93

          SHA1

          d039c577e438546d10ac64837b05da480d06bf69

          SHA256

          d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

          SHA512

          57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          5cfe303e798d1cc6c1dab341e7265c15

          SHA1

          cd2834e05191a24e28a100f3f8114d5a7708dc7c

          SHA256

          c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

          SHA512

          ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijcs1hbz.mnm.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/1664-51-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1664-49-0x0000015F38470000-0x0000015F38480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1664-48-0x0000015F38470000-0x0000015F38480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1664-37-0x0000015F38470000-0x0000015F38480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1664-36-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-15-0x000002DCE8F80000-0x000002DCE8F90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3016-18-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-13-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-8-0x000002DCE8EE0000-0x000002DCE8F02000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3016-14-0x000002DCE8F80000-0x000002DCE8F90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3172-35-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3172-21-0x00000228C6F90000-0x00000228C6FA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3172-33-0x00000228C6F90000-0x00000228C6FA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3172-20-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3172-22-0x00000228C6F90000-0x00000228C6FA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-63-0x0000018848110000-0x0000018848120000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-62-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4324-66-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4820-0-0x0000000000480000-0x0000000000492000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4820-2-0x000000001B0A0000-0x000000001B0B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4820-1-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4820-64-0x00007FFDC2880000-0x00007FFDC3341000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4820-71-0x000000001B0A0000-0x000000001B0B0000-memory.dmp

          Filesize

          64KB

          Download