Overview

overview

10

Static

static

3

123.exe

windows7-x64

10

123.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    295s
  • max time network
    296s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123.exe

  • Size

    84KB

  • MD5

    7c62f15ff5d809dff951f790d82e2467

  • SHA1

    5b1bfa175e653fd1151ffb6507a278691cd866f7

  • SHA256

    feee64c070c62a05724bd2b337eaba9a08d30f8ab97ac07af2f356eb49ef4c91

  • SHA512

    8a97c5d371b7d5bd1e4ff5ba4a6b384fadebfeddf5021b8e0ef39a3999f275992c8bf9e8ec88cfe0670dd989d8f37328def2ea33a6c10f17493bb182539904ee

  • SSDEEP

    1536:OXfDXmRJaspkKzva5heXThX/LkPsj8YK/ia2o7nZ/USH4RTFNTx62/p:2DWLVFzRThvLDy/l/UPLTx3/p

Score
10/10
xwormpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

uk2.localto.net:40515

Attributes
  • Install_directory

    %AppData%

  • install_file

    Google.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123.exe
    "C:\Users\Admin\AppData\Local\Temp\123.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2776
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2152
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1172
    • C:\Program Files\Windows Defender\MSASCui.exe
      "C:\Program Files\Windows Defender\MSASCui.exe"
      1⤵
        PID:2032
      • C:\Program Files\Windows Defender\MSASCui.exe
        "C:\Program Files\Windows Defender\MSASCui.exe"
        1⤵
          PID:2000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ee16a626e0df5d0001969b3ef7b2c7ff

          SHA1

          789e2d55b2688da3de04f06b3fbc0750a1357f5e

          SHA256

          192192a44656d6d27a149c4994432e53f8135e019f46ebdec0a3d943447e9b27

          SHA512

          5fdc1957be04432e4f4121ef4f108640e20aac05004c87eecbf74eacc2eb701feda8adf6164792a72b552137bad23d43d0ecdaf3d47724676e815514acd2fae7

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c97243cdc899a5543022c66f2c122bc0

          SHA1

          82fff3196bc8b7240aeddfef24e32d2aab1aaa8b

          SHA256

          2b6d29d5cb0747b01e2ac795eb4f8bd01acc49107f47f7ceb63636e9c3100a78

          SHA512

          4d257d9a01228e76afd9be1d3d584938ee082f02275274b67552694476bce6de7143f42ba54f21bce41b6f49a6275bff3ea61c9a3f5e8caac7b6f8483d965350

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          644ecac56efe80f1a46fe3d94ed86ac7

          SHA1

          ab95f88f3742967ebbe3402025320cd928fef3a5

          SHA256

          fc4199ae8c0c958fc980a1e575b193c8b5bae0f5b23843711d9f214e4e23c0b3

          SHA512

          b7f9d029ed2f55ae287bb2ddae9dd15679e4641e8712e790ebff3e53574d4d91d6d2e70489f0fa6ce35550668d829c336d0f9768d0450d61bfdfebb4daeafd8b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          a17eb2ec82253ccff772aa1cd16f49c9

          SHA1

          ed3c42d80719eec78d680fe62bc1ae81f335b64e

          SHA256

          84ca0627fb98b6a0d79ed2d98db8eeac975164294936fedf0eebe531fa5f6f8d

          SHA512

          52071cef8c3655e51b087f8c9d166f18552d8d7f68140e1044f61aba2221e54cd4c5be994a1ca6b74105df9ba4eceaa86faafe3fe38492d04cff176bf5cf442b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          3c58f15554a50d71a015573bd6a90265

          SHA1

          c3782eaa64a2fa0267eaf4e23b1342f412cb5a33

          SHA256

          f65bb14dfbb866940c57b916de129ca7a869f461ecee8920abd76711f3866cb7

          SHA512

          55ddf6f46b6b097255a686a4365a7f2e50c69518436e0a4aae8f0522cbf7f3979d92ea3641fc4169d16886dfdab93c05eae64a9c2525d62b4e0ae07d13928d6b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          14c341eda1376ac769160ce47a21a421

          SHA1

          2d455722b8a0a0327c2eb598b2f60d1f86de50f9

          SHA256

          cfbbc6e216ce4fb0036a3f50698135f3d1296150d1d64061d965d923f933d4a8

          SHA512

          3558c91e4596cd679b442ba37ecdc4f23c4d2317e7881c41bb74dec2f3ce87011738414cdb9e75b13e1beb1b35dc7fcc4f967f01748928f628dda2d579380b16

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          99bd2dfbab519a73f37b5d431a15a7a4

          SHA1

          a339cefc0ebd867084458a76cd3fa6e89886e08e

          SHA256

          c035107a647d4d713d32649d1ec4952816e53f40058edb3ff3a27d97daaf96b7

          SHA512

          a02b1a45342f4c3ee203bacddf4c4c4bbd11e51e05d9ccd3f1d1e6eadb4c85460a84139a8bf2ffd4e1d0d330eb79c1c126f9788fc62c089662253896401daff6

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          2179ceb717fd64ff2adedb6a4d978650

          SHA1

          90c57a0596bc091dec570866d059655df9407a43

          SHA256

          2349340022f4977ec5a81a8b1faecbe0c2d8dd2d802b0b160faca60b33817ef6

          SHA512

          720aa7f1ffa81e1b4cc8c291df6e4592c3dd0be5a239928cfeff237f83d7ec638f563417ad76d0e4f34c73602a618b871f23dc901e660baf2fa87fa049b3317f

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          3642240e07fcc2497efb6ae22e78b453

          SHA1

          8f63476ce87e7694e4b3e68b57273e6e9285b386

          SHA256

          49d27c77e215ef8416f73df681a58cf62868d66b912205cb52fe0c46df2f9888

          SHA512

          7a731a8c06ee1ee08b3e538c042358c0978b65a24fd484ddfe8bc78731aaec695be211135bdffbbf2c3345250389b90cedddd41311b0bff611f524ca43c3c421

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabFFD5.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarA7.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          Download Submit

        • C:\Users\Admin\Desktop\How To Decrypt My Files.html
          Filesize

          639B

          MD5

          d2dbbc3383add4cbd9ba8e1e35872552

          SHA1

          020abbc821b2fe22c4b2a89d413d382e48770b6f

          SHA256

          5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

          SHA512

          bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

          Download Submit

        • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
          Filesize

          16B

          MD5

          3da7dfbd6c9e11b4d8dd5adb76c9a987

          SHA1

          cdd4cf0d8e5d5656d1e47308835268c1c27f5567

          SHA256

          4c00b7f2eac4df1134d965618429bf66e981bca09974e14e6447bdc269f51f40

          SHA512

          107e23de41fd6863fc639cdd2157c9b7df51f2daa38bfb9e28c45e00366b1904121192b1a5f0a73eaed1941fc5c96beb5b81d9c94af71f3983933e6f89928d31

          Download Submit

        • \Users\Admin\AppData\Roaming\Google.exe
          Filesize

          63KB

          MD5

          b58b926c3574d28d5b7fdd2ca3ec30d5

          SHA1

          d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

          SHA256

          6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

          SHA512

          b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

          Download Submit

        • memory/1964-5-0x00000000003D0000-0x00000000003EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1964-1-0x00000000745F0000-0x0000000074CDE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1964-18-0x00000000745F0000-0x0000000074CDE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1964-0-0x0000000000D10000-0x0000000000D2C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1964-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1964-3-0x00000000745F0000-0x0000000074CDE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1964-4-0x0000000004BE0000-0x0000000004C20000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2152-36-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2152-37-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2152-38-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2152-39-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2560-41-0x00000000006F0000-0x00000000006FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2560-40-0x00000000006D0000-0x00000000006DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2560-17-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-9-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-7-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-13-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2560-10-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-8-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-15-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2560-733-0x00000000009C0000-0x00000000009CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2560-734-0x0000000007B50000-0x0000000007E32000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2560-736-0x0000000005440000-0x0000000005488000-memory.dmp

          Filesize

          288KB

          Download

        • memory/2560-735-0x0000000002430000-0x000000000244C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2560-737-0x00000000023B0000-0x00000000023B8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2560-738-0x0000000006580000-0x0000000006626000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2560-739-0x0000000005730000-0x0000000005764000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2560-740-0x0000000005FA0000-0x0000000005FEA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/2560-741-0x0000000002940000-0x0000000002956000-memory.dmp

          Filesize

          88KB

          Download