Analysis

  • max time kernel
    70s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28-04-2024 08:58

General

  • Target

    Delta.exe

  • Size

    77KB

  • MD5

    ccb29e859a2e8b208a32a1b9465c1a98

  • SHA1

    b580f6721b6dfb0fb7918bb274c53d39b53f024e

  • SHA256

    3453e80601ac6d0a84e8119a494552e96d7de44de2ae01e5ec84d1e12d13b165

  • SHA512

    4b095b10ee0d5bef1672805df0094c9d52a705a876b945f15511be1400923cce374a235bcf13ab042ab97090d42a6b9a5dcb6fc150b5ef5bebfc6f51c31a3345

  • SSDEEP

    1536:AFQyer8xk6kI3JJEqYH1oecoaWNyb3AYfa3wzJr6NYiOlCZT36EU:Am3IF3vEtH1oTb3AYxiOlCZbLU

Malware Config

Extracted

Family

xworm

C2

materials-thumbzilla.gl.at.ply.gg:24190

Attributes
  • Install_directory

    %Temp%

  • install_file

    Microsoft Network.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Delta.exe
    "C:\Users\Admin\AppData\Local\Temp\Delta.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Delta.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3676
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Network" /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft Network.exe"
      2⤵
      • Creates scheduled task(s)
      PID:648
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4468
  • C:\Windows\System32\SystemSettingsBroker.exe
    C:\Windows\System32\SystemSettingsBroker.exe -Embedding
    1⤵
    PID:4204
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
    1⤵
    PID:4980
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s SstpSvc
    1⤵
    PID:1720
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:2976
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
    1⤵
    • Drops file in Windows directory
    PID:1352
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s RasMan
    1⤵
    PID:4756
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4380
  • C:\Users\Admin\AppData\Local\Temp\Microsoft Network.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Network.exe"
    1⤵
    • Executes dropped EXE
    PID:4808

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scheduled Task/Job (1) T1053

Persistence
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Privilege Escalation
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Defense Evasion
  • Modify Registry (1) T1112

Discovery
  • System Information Discovery (2) T1082
  • Query Registry (2) T1012
  • Peripheral Device Discovery (1) T1120


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 8592ba100a78835a6b94d5949e13dfc1
    SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
    SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
    SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: fe4bf909ae9efaf3f256888a05e50cd4
    SHA1: 9b01c948a2227b9285f080667c4c497add1c585b
    SHA256: 9e0758d21ba516270ec32eac23d0964915523d3f4d7a9d689188040a0850d781
    SHA512: 7714d0e02c997613c89cb5ccddce6aea211f107b6aef9fd53db3d898df9327498a685136cdcbc16bcf3d2eb8e65adee92e8ba6c4c6e4bb4def50c61a4a4ae9e9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 092e21ac5a2e9e01c734d0ab7daa29bf
    SHA1: 8ddb3cb7abdff968174a3590a084348ff81fa4de
    SHA256: 7314c098591f9b537084f4bc1b587142f442dd05bb38f35177dcfb1b7bbc2ff0
    SHA512: 7a28bc142c7c8994c0dc41d4c36f2396e7fdab9be96e276186c09c6c0ed382900b895705d76090778a26298bed4551c53ebe0181f81e470c7b03c07157926eb3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: a953721d088e3d07456fdfca2220f99c
    SHA1: 5b12aded20d8ab611f9e8fa25d458f9ef0f91a72
    SHA256: 7dcf742206203a1a98cc04e546ae8482a43e6c1a449e34fb1f5a97b414af66e4
    SHA512: 77564f706ffda97a399c1c06b12774385f2f4a64c74037069c6d2549dc5bf127b5f70bfaefb30b0e76a9aae360131b4203e2fd2de2a8b6ff89cc420b63a3fb18

  • C:\Users\Admin\AppData\Local\Temp\Microsoft Network.exe
    Filesize: 77KB
    MD5: ccb29e859a2e8b208a32a1b9465c1a98
    SHA1: b580f6721b6dfb0fb7918bb274c53d39b53f024e
    SHA256: 3453e80601ac6d0a84e8119a494552e96d7de44de2ae01e5ec84d1e12d13b165
    SHA512: 4b095b10ee0d5bef1672805df0094c9d52a705a876b945f15511be1400923cce374a235bcf13ab042ab97090d42a6b9a5dcb6fc150b5ef5bebfc6f51c31a3345

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfbtrelq.v3l.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Network.lnk
    Filesize: 1KB
    MD5: 101ddf9221db5f5eb3909676808cde69
    SHA1: c59cded34a24879f68211d2d20dae513b6cda2f4
    SHA256: 574299a8b5c8b986e529db1c1662da5e001776f20644ce6395f4c1c708de4388
    SHA512: 99f0bd4ed8a085e1b617b91f82a1445d1a1bb7622f51d48ba5c3d9e2bf6ec17b37be77103395a42563aeb7f0082e0a066a6370964d9ddabfc41606a140adb36e

  • C:\Windows\INF\netrasa.PNF
    Filesize: 22KB
    MD5: 80648b43d233468718d717d10187b68d
    SHA1: a1736e8f0e408ce705722ce097d1adb24ebffc45
    SHA256: 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
    SHA512: eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

  • C:\Windows\INF\netsstpa.PNF
    Filesize: 6KB
    MD5: 01e21456e8000bab92907eec3b3aeea9
    SHA1: 39b34fe438352f7b095e24c89968fca48b8ce11c
    SHA256: 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
    SHA512: 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

  • memory/1468-2-0x0000000001450000-0x0000000001460000-memory.dmp
    Filesize: 64KB

  • memory/1468-1-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
    Filesize: 9.9MB

  • memory/1468-0-0x0000000000C20000-0x0000000000C3A000-memory.dmp
    Filesize: 104KB

  • memory/1468-197-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
    Filesize: 9.9MB

  • memory/1468-198-0x0000000001450000-0x0000000001460000-memory.dmp
    Filesize: 64KB

  • memory/3116-10-0x0000021E40D60000-0x0000021E40D70000-memory.dmp
    Filesize: 64KB

  • memory/3116-8-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
    Filesize: 9.9MB

  • memory/3116-7-0x0000021E40EA0000-0x0000021E40EC2000-memory.dmp
    Filesize: 136KB

  • memory/3116-13-0x0000021E595C0000-0x0000021E59636000-memory.dmp
    Filesize: 472KB

  • memory/3116-56-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
    Filesize: 9.9MB

  • memory/3116-9-0x0000021E40D60000-0x0000021E40D70000-memory.dmp
    Filesize: 64KB