Analysis

  • max time kernel
    118s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 15:41

General

  • Target

    eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8.exe

  • Size

    60KB

  • MD5

    a66624abb377e5ff52d4d2ae2707aca2

  • SHA1

    a8bcdcaa2536996637e19827d2753e55bba45a28

  • SHA256

    eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8

  • SHA512

    ec24aad17f3febb434f6c2f8c371ff0bba486abe9e7768c55f8ca766bb0363791b8a991945795277170a57a64f431a1c5f70a7d4acc4b7d878e9e983aafe26d1

  • SSDEEP

    1536:4ptathcJHAxzcA0VzP5k3O+bB3JcSnGSq67Oy7m/:YoPcJVK++b9JcqOyM

Malware Config

Extracted

Family

xworm

C2

loss-winners.gl.at.ply.gg:61007

Attributes
  • Install_directory

    %AppData%

  • install_file

    Expensive 3.1.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8.exe
    "C:\Users\Admin\AppData\Local\Temp\eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    83d62cd3e7ecd2756a600f52bcd240a0

    SHA1

    c2828820cebfb08ce448c65c9ee6e95bac62bec6

    SHA256

    f7615e2baec966351b7020ca92c850382d34aded5302ef58f34fce71326e91a2

    SHA512

    67ad7ecfceba132b4f745c7e39f3d4580a1677372ce61c64ef179a72eb82e715daddd6379325a9d7183b4cd4479e3246ec52861c83bc816ca5f664b949e14399

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2020-0-0x000007FEF5373000-0x000007FEF5374000-memory.dmp

    Filesize

    4KB

  • memory/2020-1-0x0000000000FF0000-0x0000000001006000-memory.dmp

    Filesize

    88KB

  • memory/2020-28-0x000000001B260000-0x000000001B2E0000-memory.dmp

    Filesize

    512KB

  • memory/2020-29-0x000007FEF5373000-0x000007FEF5374000-memory.dmp

    Filesize

    4KB

  • memory/2020-30-0x000000001B260000-0x000000001B2E0000-memory.dmp

    Filesize

    512KB

  • memory/2804-14-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2804-15-0x00000000029A0000-0x00000000029A8000-memory.dmp

    Filesize

    32KB

  • memory/2888-6-0x0000000002A70000-0x0000000002AF0000-memory.dmp

    Filesize

    512KB

  • memory/2888-7-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

  • memory/2888-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

    Filesize

    32KB