Analysis

  • max time kernel
    121s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2024 01:36

General

  • Target

    6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe

  • Size

    32KB

  • MD5

    5703edb174766786773f4b565b3ccf85

  • SHA1

    c4e1aa7bf7d5bd0f6c19e8c00d2b32cca143ac19

  • SHA256

    6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5

  • SHA512

    d1c798c43abd58163fb059c56fc5084bc3826c842076bee7b432887b8aec421a685efe7b491c5afce7bc06765565eecc75c52b6901a34d4950c31d965874a2cd

  • SSDEEP

    384:aEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFO3xdRApkFTBLTsOZwpGd2v99Ikuis/:TVa+vNtg+PB93Tw46xdVFE9jyOjhvb/

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.92.242.85:3344

Mutex

JxfYmBE6u9bELdp4

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
    "C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2728-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp
    Filesize

    56KB

  • memory/2728-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
    Filesize

    9.9MB

  • memory/2728-2-0x000000001AD60000-0x000000001ADE0000-memory.dmp
    Filesize

    512KB

  • memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp
    Filesize

    56KB

  • memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp
    Filesize

    1.1MB

  • memory/2728-28-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
    Filesize

    9.9MB

  • memory/2728-29-0x000000001AD60000-0x000000001ADE0000-memory.dmp
    Filesize

    512KB