Overview

overview

10

Static

static

10

MLClauncher.exe

windows7-x64

10

MLClauncher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    840s
  • max time network
    919s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MLClauncher.exe

  • Size

    66KB

  • MD5

    23e7e5af720dfc90b86294a8a7800c76

  • SHA1

    e674bd73e3c9a496c9b5422f43874fcfc9f5510c

  • SHA256

    1810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f

  • SHA512

    0bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681

  • SSDEEP

    1536:rttwy1I4PKiFM8tBb1L1JmX2npd6KnXOUVBCIu9BE:BBRPXb1L22pDXOUPCpBE

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:2832

20.ip.gl.ply.gg:2832
Attributes
  • Install_directory

    %Temp%

  • install_file

    svhost.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MLClauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1668
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cool man.txt
    1⤵
      PID:2116
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cool man.txt
      1⤵
        PID:2892

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        ccc1a8f954f878f6e666b2ceeef35aef

        SHA1

        c0b974618004d9ea35edef90ff4c9b0dda86a3a5

        SHA256

        93ca17c19dc2f064e725c25408aff84a826db55bfa85a312f0390c34ffba4176

        SHA512

        b52e561c3031e9d4e48adeef84467cdc0818b3c2ba1261a7c3e4ad4818b81efcb28534017f027fe31db757a328106fa6c0bc71880b5a609173589b184bba6700

        Download Submit
      • memory/1624-1-0x0000000000F30000-0x0000000000F46000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1624-2-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1624-36-0x0000000000F20000-0x0000000000F2C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1624-0-0x000007FEF5913000-0x000007FEF5914000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1624-31-0x000007FEF5913000-0x000007FEF5914000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1624-32-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1668-34-0x0000000140000000-0x00000001405E8000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/1668-38-0x0000000140000000-0x00000001405E8000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/1668-37-0x0000000140000000-0x00000001405E8000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/1668-35-0x0000000140000000-0x00000001405E8000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/2512-16-0x00000000028A0000-0x00000000028A8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2512-15-0x000000001B630000-0x000000001B912000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2964-9-0x0000000002820000-0x0000000002828000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2964-8-0x000000001B570000-0x000000001B852000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2964-7-0x0000000002850000-0x00000000028D0000-memory.dmp
        Filesize

        512KB

        Download