Overview

overview

10

Static

static

3

ISF (10+2)...cr.exe

windows7-x64

10

ISF (10+2)...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe

  • Size

    943KB

  • MD5

    40a1bbdd302c9737d10df6648e6db7dc

  • SHA1

    5f9d1d4d3aea4a82542b54a84d0fa7822bd24d2c

  • SHA256

    6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e

  • SHA512

    98fa809cb8b7fe598f07bc61658f39379cddbfbb44ebe4e1ae8882a9ead4406820585d51a0ce836d7f2e40e532acfde61c7ba7868175871f771503a813bd0f8b

  • SSDEEP

    12288:XVTGAlfBpSGC9Ed/Ff6qVn60dP185uk+mzA0pRELuvg8IQjzek:XVT7rhCqd/N6qVlyug8IEaY81Pek

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4464
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4484
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    536cf17e5f639faace8cf360e1076ba2

    SHA1

    090fbe6a4107931aeffb977c3ae0b548961d7d8c

    SHA256

    1f26808eab99cc2efad8489e293b92c9224439b631cb47b9f1477fa394088bd9

    SHA512

    7bb1933f68437c164f3b0fc55a7b7a04e9d2c56357215beaa9cac88a8a02e297c2f71987a092a366bdc931a7f90232439af670fe0bfda30cb1804a1e301de557

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    2506330e4b6cc8ec10af979099693b95

    SHA1

    063ad3c01f4d579ad8947aafedf744dd0efae1f2

    SHA256

    7dd65d6b28cb3aca7b57f0e4c7f0c37dc1bf379fe61d45e9bfce84e61a7f3a8c

    SHA512

    a41250fe98a5b7866703ed23fcda9ed0a96a81a2f41c55c2068543d37c32af8d04a4a47f738134c4b961eaeee620c34b0e11c6c9690ac7db274409c94380e002

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    cbcffc83c0cd5c19e13a00145b16be06

    SHA1

    7233872c8eea6e328ba7411c477998c1dce5aa4b

    SHA256

    7f0e4ba1e802fb0fdaf9228cfb73903357a9116cad374a6d29776e499681959f

    SHA512

    08e4e7da85020cadf2da0a70abc4814d62849522335461e280639ea7b376758fb748cce4052945974a3d8a48083bb5e2ada3dd651b62dae240710f8488037ee1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmpjlry2.peq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/116-54-0x0000000007E40000-0x0000000007E4E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/116-56-0x0000000007F50000-0x0000000007F6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/116-37-0x0000000070050000-0x000000007009C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/116-60-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/116-57-0x0000000007F30000-0x0000000007F38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/116-47-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/116-55-0x0000000007E50000-0x0000000007E64000-memory.dmp

    Filesize

    80KB

    Download

  • memory/116-53-0x0000000007E10000-0x0000000007E21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/116-52-0x0000000007E90000-0x0000000007F26000-memory.dmp

    Filesize

    600KB

    Download

  • memory/116-51-0x0000000007C80000-0x0000000007C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/116-49-0x0000000008260000-0x00000000088DA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/116-17-0x0000000005310000-0x0000000005346000-memory.dmp

    Filesize

    216KB

    Download

  • memory/116-19-0x0000000005A90000-0x00000000060B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/116-18-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/116-36-0x0000000007AA0000-0x0000000007AD2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/116-21-0x0000000005A50000-0x0000000005A72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/116-23-0x0000000006290000-0x00000000062F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/116-22-0x0000000006130000-0x0000000006196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/116-50-0x0000000007C10000-0x0000000007C2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/116-33-0x0000000006450000-0x00000000067A4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/116-34-0x00000000068E0000-0x00000000068FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/116-35-0x0000000006930000-0x000000000697C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/116-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/116-48-0x0000000007AE0000-0x0000000007B83000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2128-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-8-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2128-5-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2128-1-0x00000000006E0000-0x00000000007D2000-memory.dmp

    Filesize

    968KB

    Download

  • memory/2128-15-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2128-7-0x0000000005F80000-0x0000000005F8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2128-12-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2128-11-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-10-0x0000000006C40000-0x0000000006C46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2128-9-0x0000000006C20000-0x0000000006C3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2128-6-0x0000000005C80000-0x0000000005CC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2128-2-0x00000000052C0000-0x0000000005864000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2128-4-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2128-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3824-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3824-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-131-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-132-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-133-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4464-62-0x00000000057B0000-0x0000000005B04000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4464-73-0x0000000070050000-0x000000007009C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4484-95-0x0000000070050000-0x000000007009C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4484-90-0x0000000005A70000-0x0000000005DC4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4876-116-0x0000000070050000-0x000000007009C000-memory.dmp

    Filesize

    304KB

    Download