Analysis

  • max time kernel
    139s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 05:59

General

  • Target

    1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe

  • Size

    32KB

  • MD5

    5703edb174766786773f4b565b3ccf85

  • SHA1

    c4e1aa7bf7d5bd0f6c19e8c00d2b32cca143ac19

  • SHA256

    6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5

  • SHA512

    d1c798c43abd58163fb059c56fc5084bc3826c842076bee7b432887b8aec421a685efe7b491c5afce7bc06765565eecc75c52b6901a34d4950c31d965874a2cd

  • SSDEEP

    384:aEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFO3xdRApkFTBLTsOZwpGd2v99Ikuis/:TVa+vNtg+PB93Tw46xdVFE9jyOjhvb/

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.92.242.85:3344

Mutex

JxfYmBE6u9bELdp4

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
    "C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:368

Network

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi55yuc4.vei.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/368-0-0x00000000000A0000-0x00000000000AE000-memory.dmp
    Filesize

    56KB

  • memory/368-1-0x00007FFE05150000-0x00007FFE05C11000-memory.dmp
    Filesize

    10.8MB

  • memory/368-2-0x000000001AD50000-0x000000001AD60000-memory.dmp
    Filesize

    64KB

  • memory/368-3-0x000000001CA10000-0x000000001CB30000-memory.dmp
    Filesize

    1.1MB

  • memory/368-4-0x000000001B950000-0x000000001B95E000-memory.dmp
    Filesize

    56KB

  • memory/368-14-0x000000001D600000-0x000000001D622000-memory.dmp
    Filesize

    136KB

  • memory/368-53-0x00007FFE05150000-0x00007FFE05C11000-memory.dmp
    Filesize

    10.8MB

  • memory/368-54-0x000000001AD50000-0x000000001AD60000-memory.dmp
    Filesize

    64KB