Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2024 17:41

General

  • Target

    Injector.exe

  • Size

    38KB

  • MD5

    424a9e83ab70500a16bc52d86016fffc

  • SHA1

    14dba3bd7d5564f8538a78e4da34a7bc460166d6

  • SHA256

    015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe

  • SHA512

    f53682fd9f668c38cb89682911a98c86d8ac97d6f7f344a3f678abc36a69a504ee54bc0e871136cf4807d253575fae82574ac222f85083d180c7be811535dcd9

  • SSDEEP

    768:scZ7ehfsvhd9vncvL1EZ251TR8FF5Pj9I/OMhd3Ii:scAqv90C08Fh9I/OMXd

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

said-webcam.gl.at.ply.gg:64349

Mutex

Cb07KjGDR4pTCEXY

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4136
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3092


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat

      Filesize

      160B

      MD5

      5514ff68cab0839bb0d24b01cbcc9ab3

      SHA1

      7efb192b3bf450724ceef96f3f22a3d7bf409e3a

      SHA256

      a291a80444885cf70fd44afd73d76f6b560cadf5bb18328d1327287967c1192c

      SHA512

      b21a04858630c7b087b4ab8a2be599602be4174f9ec77cc7aa04737cd3cad92b76b03dc1580c631af9f546b8d85dfe081998d18dd4e4f20892a96aa83667fe20

    • memory/2604-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

      Filesize

      8KB

    • memory/2604-1-0x0000000000530000-0x0000000000540000-memory.dmp

      Filesize

      64KB

    • memory/2604-2-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

      Filesize

      10.8MB

    • memory/2604-3-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

      Filesize

      8KB

    • memory/2604-4-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

      Filesize

      10.8MB

    • memory/2604-9-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

      Filesize

      10.8MB