Analysis
-
max time kernel
113s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
27-04-2024 08:52
General
-
Target
123.exe
-
Size
84KB
-
MD5
7c62f15ff5d809dff951f790d82e2467
-
SHA1
5b1bfa175e653fd1151ffb6507a278691cd866f7
-
SHA256
feee64c070c62a05724bd2b337eaba9a08d30f8ab97ac07af2f356eb49ef4c91
-
SHA512
8a97c5d371b7d5bd1e4ff5ba4a6b384fadebfeddf5021b8e0ef39a3999f275992c8bf9e8ec88cfe0670dd989d8f37328def2ea33a6c10f17493bb182539904ee
-
SSDEEP
1536:OXfDXmRJaspkKzva5heXThX/LkPsj8YK/ia2o7nZ/USH4RTFNTx62/p:2DWLVFzRThvLDy/l/UPLTx3/p
Malware Config
Extracted
xworm
uk2.localto.net:40515
-
Install_directory
%AppData%
-
install_file
Google.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\123.exe"C:\Users\Admin\AppData\Local\Temp\123.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
766B
MD555a08afdf7a082578a0b9ec25dd99753
SHA1daa858441a980a6c44e745cce92bd68a5d8022b6
SHA25676a78cde2d385cc6d20ab3237aaf9a0a5e19aa7b835aeaa6bec66acd9c2bc865
SHA512be5a9640f3edac468aa92f4df8dc00964a49084485e372492a07691f64ed7cfc7016edd3126f0871ce9e3283a00d839c94b493008fce88890bf369203d1bb62d
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB