Overview

overview

10

Static

static

3

4fb48e8fd5...bf.exe

windows7-x64

10

4fb48e8fd5...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22/05/2024, 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe

  • Size

    560KB

  • MD5

    4a5f7263d5e978024e4d3c7abed82307

  • SHA1

    0a8f9bb8e9058beb4bd67ea08b8ef82bc90fcd8c

  • SHA256

    4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf

  • SHA512

    d843fe704beeb3b61916c789626bc908eed44455a34a86a65994db47c759311aef05c4f2d1530f2f073e99e6bdf3dc2b15944772fee7d161b492e70ba8a09c22

  • SSDEEP

    12288:IzxKn6yWn7fcpVZlu/6uHqa9XnWsh9P5u7JwdprNLUgNYGutA:rn698VVYFlRu7J6ZUgNiA

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe
    "C:\Users\Admin\AppData\Local\Temp\4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe
      "C:\Users\Admin\AppData\Local\Temp\4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    869e2008860c190e9c10341c11ae6a6a

    SHA1

    7241bc84a7d54d89d638eec9eef764949596a26f

    SHA256

    db363f004914aa170a51d3ae9ace7eccf8642233303b13d36b7b3de99a040ee4

    SHA512

    2331dfa209c35070133fb12e76ee2fa8c35553c964de144cc64db5ed11e938d563bf72beccda77c5451a8348a7077233e366e676ce6ce327c7423894c70250a6

    Download Submit

  • \Users\Admin\AppData\Roaming\XClient.exe
    Filesize

    560KB

    MD5

    4a5f7263d5e978024e4d3c7abed82307

    SHA1

    0a8f9bb8e9058beb4bd67ea08b8ef82bc90fcd8c

    SHA256

    4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf

    SHA512

    d843fe704beeb3b61916c789626bc908eed44455a34a86a65994db47c759311aef05c4f2d1530f2f073e99e6bdf3dc2b15944772fee7d161b492e70ba8a09c22

    Download Submit

  • memory/1504-18-0x00000000743D0000-0x0000000074ABE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1504-1-0x0000000000E90000-0x0000000000F20000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1504-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1504-3-0x00000000005B0000-0x00000000005D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1504-4-0x0000000000530000-0x000000000053C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1504-5-0x0000000000250000-0x0000000000260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1504-6-0x0000000004540000-0x0000000004596000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1504-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-17-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-15-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-19-0x00000000743D0000-0x0000000074ABE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2840-9-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-10-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-8-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-7-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2840-44-0x00000000743D0000-0x0000000074ABE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2840-45-0x00000000743D0000-0x0000000074ABE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2840-46-0x00000000743D0000-0x0000000074ABE000-memory.dmp

    Filesize

    6.9MB

    Download