Overview

overview

10

Static

static

10

shexwormon...de.exe

windows7-x64

10

shexwormon...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shexwormonmymemztilliminoxide.exe

  • Size

    41KB

  • MD5

    14f963e28858c6c3f653048a83621c89

  • SHA1

    8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6

  • SHA256

    355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b

  • SHA512

    2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2

  • SSDEEP

    768:xTFHrDMcksBqaEAOrHA7tF5PM96maOwh23EihHJ:XwcGvAwAxFS96maOwwlx

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:38630

147.185.221.19:38630

bay-currencies.gl.at.ply.gg:38630

and-organized.gl.at.ply.gg:38630

community-excess.gl.at.ply.gg:38630
Mutex

TelZ6nrHgxVFZl6W

Attributes
  • Install_directory

    %AppData%

  • install_file

    runbroker.exe

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe
    "C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2672
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker"
      2⤵
        PID:2520
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2680
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {0A7B15BB-95D2-4E2F-B540-45AC3B12ECEF} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Roaming\runbroker.exe
        C:\Users\Admin\AppData\Roaming\runbroker.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1560

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp.bat
      Filesize

      181B

      MD5

      1f2675368a54bb9f91bf785ad6dad238

      SHA1

      074095a050a84a41da0504fe1f1753f29bf47302

      SHA256

      722ed289680bf26bbe110a20bce078a41b5da3cf7dedaccba7e8d2d68afb1140

      SHA512

      db7ab9714f5cce7818dd96eeb83ffd4043bf463195feed983203b8d6e915447bb1061a45a93da9680894952ad5ce516571432cfec140381cb35f9cc645fed26a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\runbroker.exe
      Filesize

      41KB

      MD5

      14f963e28858c6c3f653048a83621c89

      SHA1

      8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6

      SHA256

      355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b

      SHA512

      2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2

      Download Submit
    • memory/1560-12-0x00000000011E0000-0x00000000011F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2416-0-0x00000000000C0000-0x00000000000D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2416-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2416-2-0x000000001B1D0000-0x000000001B250000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2416-7-0x0000000002140000-0x000000000214C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2416-8-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2416-13-0x000000001B1D0000-0x000000001B250000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2416-25-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
      Filesize

      9.9MB

      Download