Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 15:12

General

  • Target

    Gbeta.exe

  • Size

    620KB

  • MD5

    a80fd81703b974b03a3e665d9e1a8f81

  • SHA1

    13230cc88893ba287d975caa02464f306dc0a2e1

  • SHA256

    e14916b5552020906ba0c25450f9dcb0c5ab6bcf58d5042c26edde8c6289a1d8

  • SHA512

    198e3dbd8122dfcf4eb3b3dc0da0d382b7ce686e50f5ff9eda031ed1cee54b89f99adbcdd8b5fc3147394c774345ad21f2d0e2943c73847a61c6b51da06cdc4f

  • SSDEEP

    1536:xDOptR2uwOmSyGoiBrhAj9OvGJbN+iBa0aQT76+ueOWOiJf6zjjjZSE4MMMzTXqB:xKptdvmSLx5gbwzQTNueOWOiYLgSni

Malware Config

Extracted

Family

xworm

C2

valid-saint.gl.at.ply.gg:23570

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    GBeta.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gbeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Gbeta.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gbeta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Gbeta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\GBeta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GBeta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GBeta" /tr "C:\ProgramData\GBeta.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    68284f1e984dc76dc19e1c7281de9245

    SHA1

    b6f38e74dd08c156d0d5e9453e4aba622431dcf4

    SHA256

    14786a2ad28e2a815eda2b2b5153e75e2e6309535ec3d9a412d86fab0d8f78ce

    SHA512

    3f885908164b6b6495ee7ff600bdec5bf4c30dd39cfeca7f59b41c04d3d68bf7731f83fe17de5f97a64f6c93b5199a7527be8b48a217a5cc37be20dd4dba17ff

  • memory/2040-15-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/2040-16-0x0000000001F80000-0x0000000001F88000-memory.dmp

    Filesize

    32KB

  • memory/2268-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

    Filesize

    4KB

  • memory/2268-1-0x0000000000120000-0x00000000001C0000-memory.dmp

    Filesize

    640KB

  • memory/2268-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2268-31-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

    Filesize

    4KB

  • memory/2268-32-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2732-7-0x0000000002970000-0x00000000029F0000-memory.dmp

    Filesize

    512KB

  • memory/2732-8-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

  • memory/2732-9-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB