Overview

overview

10

Static

static

3

e43ce5c79d...b7.exe

windows7-x64

10

e43ce5c79d...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

  • Size

    726KB

  • MD5

    0e9969044f657b12f4cdad27254e5f91

  • SHA1

    41d8196fd7520fa391361a39e3d1c6e6f124f07e

  • SHA256

    e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7

  • SHA512

    2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284

  • SSDEEP

    12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
    "C:\Users\Admin\AppData\Local\Temp\e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4680
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    bae5176ae11c4f33c7593da6f0778233

    SHA1

    7c3e7bf483b52e7cd0524957fbd1c579ef14357c

    SHA256

    d13f781c6957a6f4a9fcf5c3f66622b61db156a181bec14e57560a0f1f938c36

    SHA512

    0da5a8b7913decae5209ea0570afbea368de0ac8b5e687bcfc8705ced284753d131e42883f326fad1686391d1409239a23322bb4012944db5f436450d0dff32f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    905ddcc629030284435aa280941c23b7

    SHA1

    66cdb2b9867f2c75f8c80402d406594e4e3ea565

    SHA256

    61f283a896cac3ea3dc8c221d2f659631ae1e400b375a029b09d6cf5844ff498

    SHA512

    99b331538ce5ba661e231921cdb67a14e9fe1057b8a760ab291f763a70b5558f7711f27d20ecb1cdb326a0098bc2c6cf8b60e1cc3536a373ccede134b9ad661f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    9dd70cc1e95ae0bea520c9795b2c4afe

    SHA1

    79699bc5928944830668e45d1e1bdab75e2ab310

    SHA256

    26eefd84aad9339bb5235bae1e21c4ff63dfa48d92c7f30fe65d48070ead5561

    SHA512

    958c6edec019c72a0d8655b3c73d2941f984878224cec094f2e917f8a5f515e1219b09f0aeb1083665d3ba4a106e9775c67d985d5a68c543044350bce9c10009

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbgxqhqh.tck.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1592-96-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2600-72-0x00000000056B0000-0x0000000005A04000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2600-74-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2600-75-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3432-117-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3500-6-0x0000000005730000-0x00000000057CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3500-7-0x0000000006750000-0x0000000006794000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3500-12-0x000000000A1E0000-0x000000000A1E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3500-10-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3500-15-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3500-9-0x00000000750AE000-0x00000000750AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3500-8-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3500-11-0x0000000007B60000-0x0000000007B7A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3500-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3500-5-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3500-4-0x0000000005490000-0x000000000549A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3500-3-0x00000000054D0000-0x0000000005562000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3500-2-0x00000000059E0000-0x0000000005F84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3500-1-0x0000000000870000-0x000000000092C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/4680-35-0x0000000006080000-0x000000000609E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4680-57-0x0000000007700000-0x000000000771A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4680-32-0x00000000059C0000-0x0000000005A26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4680-36-0x0000000006120000-0x000000000616C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4680-37-0x0000000006650000-0x0000000006682000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4680-38-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4680-48-0x0000000007250000-0x000000000726E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4680-49-0x0000000007270000-0x0000000007313000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4680-50-0x00000000079F0000-0x000000000806A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4680-51-0x00000000073B0000-0x00000000073CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4680-52-0x0000000007410000-0x000000000741A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4680-53-0x0000000007640000-0x00000000076D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4680-54-0x00000000075B0000-0x00000000075C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4680-55-0x00000000075E0000-0x00000000075EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4680-56-0x00000000075F0000-0x0000000007604000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4680-34-0x0000000005C10000-0x0000000005F64000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4680-58-0x0000000007630000-0x0000000007638000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4680-61-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-33-0x0000000005BA0000-0x0000000005C06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4680-22-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-21-0x00000000052C0000-0x00000000052E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4680-19-0x00000000052F0000-0x0000000005918000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4680-20-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-18-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-17-0x0000000002750000-0x0000000002786000-memory.dmp

    Filesize

    216KB

    Download

  • memory/5112-16-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5112-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5112-132-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5112-133-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5112-134-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download