Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 17:41

General

  • Target

    Injector.exe

  • Size

    38KB

  • MD5

    424a9e83ab70500a16bc52d86016fffc

  • SHA1

    14dba3bd7d5564f8538a78e4da34a7bc460166d6

  • SHA256

    015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe

  • SHA512

    f53682fd9f668c38cb89682911a98c86d8ac97d6f7f344a3f678abc36a69a504ee54bc0e871136cf4807d253575fae82574ac222f85083d180c7be811535dcd9

  • SSDEEP

    768:scZ7ehfsvhd9vncvL1EZ251TR8FF5Pj9I/OMhd3Ii:scAqv90C08Fh9I/OMXd

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

said-webcam.gl.at.ply.gg:64349

Mutex

Cb07KjGDR4pTCEXY

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat

    Filesize

    160B

    MD5

    d8dc004c8343981caa95d4bf509c6d05

    SHA1

    045e943bf7083060edffad0009251b1b2be3be97

    SHA256

    0f6ef40c96167e40cc98d81cf71976f14bef96211fb6fa33134f7986f961351d

    SHA512

    8de89c6110cb0cdf61ed6ae9fa351bf373550ed807d0dfcbdd833587ddd823c35e8214a4a69d25f1aa5fda5f37c5dac7643dbb7f7c01aaf0d05c6d6ac43d5f22

  • memory/2824-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

    Filesize

    4KB

  • memory/2824-1-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB

  • memory/2824-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

  • memory/2824-3-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

    Filesize

    4KB

  • memory/2824-4-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

  • memory/2824-14-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB