Overview

overview

10

Static

static

10

upx.exe

windows7-x64

10

upx.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/05/2024, 03:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    upx.exe

  • Size

    69KB

  • MD5

    a230d428e97911ce6959e1463d781257

  • SHA1

    0946c13059bf98fd3aacefd0b2681a42b95292cd

  • SHA256

    c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

  • SHA512

    089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

  • SSDEEP

    1536:KWEyI4XFyV0UUIRiZAkupj9bIu9uLhQSOIcoFqXgG:KWnIiyVxRiij9bIYYhdOBuqXz

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

45.83.246.140:30120

Attributes
  • Install_directory

    %AppData%

  • install_file

    runtime.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\upx.exe
    "C:\Users\Admin\AppData\Local\Temp\upx.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:536
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3972
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3452

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk
            Filesize

            771B

            MD5

            6319f19bf0973d5cd140b30b094c5c4c

            SHA1

            42a7e6f52b59006ec75e298218660b5fe0b170ac

            SHA256

            7da5b9a5811f7f17969c61f993c93db7d4c6d01a2e25a97d683ddefe2c76c986

            SHA512

            baba197f2a82fde07fb2ee599f3a64140a4466dcc8883a142b179b0ec1359abad074cefe9626b4ebb9336a54754010b70fa348fa191ffc1665a728faab86efc6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\runtime.exe
            Filesize

            69KB

            MD5

            a230d428e97911ce6959e1463d781257

            SHA1

            0946c13059bf98fd3aacefd0b2681a42b95292cd

            SHA256

            c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

            SHA512

            089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

            Download Submit

          • memory/536-1-0x00007FFB7BAB3000-0x00007FFB7BAB5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/536-0-0x0000000000930000-0x0000000000948000-memory.dmp

            Filesize

            96KB

            Download

          • memory/536-6-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/536-7-0x00007FFB7BAB3000-0x00007FFB7BAB5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/536-8-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/536-25-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3972-15-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-16-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-17-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-18-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-19-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-20-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-21-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-10-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-11-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3972-9-0x0000018ABD8C0000-0x0000018ABD8C1000-memory.dmp

            Filesize

            4KB

            Download