Overview

overview

10

Static

static

10

Mode.exe

windows7-x64

10

Mode.exe

windows10-2004-x64

Analysis

  • max time kernel
    86s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 18:30

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Mode.exe

  • Size

    45KB

  • MD5

    692bb1be0c680ec225c34bd446ead322

  • SHA1

    813345d33a051c297f342ae668e7a32b3e40837b

  • SHA256

    3242b26e5d8ebbe6993b03288ae30e5dfc7f0d93f06d8b4a225c184f24bd3034

  • SHA512

    2818761e76ad5f7aaf933a857d96d7080ea91653624d923b965c07e224b629b453f5f93c64880a4c9b1f2d55cfff97254c843160c97c169e7437912b80cd04ec

  • SSDEEP

    768:CurlDweV3OOVbADM9W1v9NfgkBpuAuREcNclYlVvD4xeVhKfkeLbFEPa9pvp16i4:CADweQKADMkV9GkSAcRaelZrO1/FJ9Nw

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.tcp.eu.ngrok.io:17399

Mutex

RxBZSfahWZHZu4kD

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Sets file execution options in registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mode.exe
    "C:\Users\Admin\AppData\Local\Temp\Mode.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Mode.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mode.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1128
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4484
    • C:\Users\Admin\AppData\Local\Temp\jmehik.exe
      "C:\Users\Admin\AppData\Local\Temp\jmehik.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe"
        3⤵
        • Executes dropped EXE
        PID:3712
    • C:\Windows\regedit.exe
      "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\aylgdu.reg"
      2⤵
      • Sets file execution options in registry
      • Runs .reg file with regedit
      PID:4524
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3288
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3917055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2252

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          6c47b3f4e68eebd47e9332eebfd2dd4e

          SHA1

          67f0b143336d7db7b281ed3de5e877fa87261834

          SHA256

          8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

          SHA512

          0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          19e57a3db75c1ab8def6883f624dbf44

          SHA1

          27749506c5a84a107e8d5e5dc8f1f54dc9d4f754

          SHA256

          6f55255cc5fcd0fa67b7ff9822c9589e82c59302cbba14f266ba4eca304b8f19

          SHA512

          47adba0dc3da2711b617a66f19d801c5ee0c382299dd27c89dec4a3a9676acf1984d9b7a9d5028c83e1315e3c9b29afc3a12f5ece528ab8d11d18f05842db6ad

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          3f687d419075fcb32f92e4e217f47dbe

          SHA1

          3bbcf59c38e8e2a09d80655c832375b585f4a851

          SHA256

          c71aa3093a454179b9cde90857e17dfa22076becf581ea4f4fcb69cf71a68df6

          SHA512

          e46e001c76d27c78d71dc07a4c4672e484cd01d340c9569c97ee428689649b626f01836cf0ec7d0a011ea558a1458a25cb98822d0d07b3f3c66d83bfe0848325

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xui2.cur
          Filesize

          4KB

          MD5

          c1fd2feb9e2b56be00082dd06c2b9658

          SHA1

          6e9272d5d53272f901ebb75ea556e250d4fc54aa

          SHA256

          de7c8bd93cc576d719805835099ae0f2cb88d797fe71585e2f7eb56b67a8fb72

          SHA512

          7530ad40f0adc93d5166b2b4741ba66bc5792ca1882be658b86b290feaa3ccf08f15ef0d55cc40494c6f3fedb78ecc5dab2a5342e0bdc85a068a3a0ffdc6e79a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Курсор - писюн.exe
          Filesize

          5KB

          MD5

          17b935ed6066732a76bed69867702e4b

          SHA1

          23f28e3374f9d0e03d45843b28468aace138e71c

          SHA256

          e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

          SHA512

          774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fqddjdl.re2.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\aylgdu.reg
          Filesize

          177B

          MD5

          ac6d546b9e8fd0cc8205ec3de3b531b3

          SHA1

          e7ad048b8a5b997bc8fd8171664026856e587453

          SHA256

          b7187ba265fc9e363c2d4565657294603f0258ff035dc7b3da8ff702472b9a1b

          SHA512

          ac5c28799e160b3c8b619b2484a00aee35d2421d195ad4ab5cb46ab0f59fd7a1a624917fd9e2ac154bb72bd53059ad140e390ca12faf736ce2eeb97bfb7fa2dd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jmehik.exe
          Filesize

          317KB

          MD5

          00e82a1db301ab77338b0a4863e2e1ad

          SHA1

          7a4a23a285eb1c4ef1b39124ff125eb095c73bc4

          SHA256

          507895a5170319193ced89311753529812a26b344213d44c92a988e3b4c99c06

          SHA512

          745c1f07f194c48938a77c3879b05eec566f8a1a15a75099e31782faeea087a4c488ef3693de08f66735f464784b22b3c14ff0ac85284e412c35e4e0741ce8ef

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svhost.exe
          Filesize

          45KB

          MD5

          692bb1be0c680ec225c34bd446ead322

          SHA1

          813345d33a051c297f342ae668e7a32b3e40837b

          SHA256

          3242b26e5d8ebbe6993b03288ae30e5dfc7f0d93f06d8b4a225c184f24bd3034

          SHA512

          2818761e76ad5f7aaf933a857d96d7080ea91653624d923b965c07e224b629b453f5f93c64880a4c9b1f2d55cfff97254c843160c97c169e7437912b80cd04ec

          Download Submit

        • memory/3192-12-0x000001ABF6460000-0x000001ABF6482000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3192-5-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-4-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-3-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-18-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3712-86-0x00000000007C0000-0x00000000007C8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4476-59-0x000000001DEC0000-0x000000001E3E8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4476-60-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4476-0-0x00007FF8E8B03000-0x00007FF8E8B05000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4476-58-0x00007FF8E8B03000-0x00007FF8E8B05000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4476-57-0x000000001BC50000-0x000000001BC5C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4476-2-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4476-1-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4476-93-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

          Filesize

          10.8MB

          Download