Analysis

  • max time kernel
    145s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 21:28

General

  • Target

    4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe

  • Size

    75KB

  • MD5

    2fdfdc28bc8f362cc5f8c011d42d0a1e

  • SHA1

    67d6b431dfa75f02219dbee35c72f8d3636e21da

  • SHA256

    4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500

  • SHA512

    2694c1e44285d9e8d98e1b3762a6d83b27e4eaa0a5b71441e920154904aadde4b6d831c16ad573b2d978b57859c06d37f1eb8cdf48a4427489f04141c6bffb82

  • SSDEEP

    1536:rgc6J73fHqXWZ16J452BapyWhabisdvojWVQ8GNQ9t6kut3Ov9K97B:rgr7PlnyWobisslquxOFKVB

Malware Config

Extracted

Family

xworm

C2

rent-pas.gl.at.ply.gg:25215

Attributes
  • Install_directory

    %Temp%

  • install_file

    NvidiaPanel.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe
    "C:\Users\Admin\AppData\Local\Temp\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NvidiaPanel.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NvidiaPanel" /tr "C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2640
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F5C0C3F4-DA9F-402A-854D-2F98EC8B3FBF} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
      C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
      C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
      C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe

    Filesize

    75KB

    MD5

    2fdfdc28bc8f362cc5f8c011d42d0a1e

    SHA1

    67d6b431dfa75f02219dbee35c72f8d3636e21da

    SHA256

    4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500

    SHA512

    2694c1e44285d9e8d98e1b3762a6d83b27e4eaa0a5b71441e920154904aadde4b6d831c16ad573b2d978b57859c06d37f1eb8cdf48a4427489f04141c6bffb82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    17feeb28459a274e901c2fb5ff7660b7

    SHA1

    f1662e0d4a3a646adcd38156fe5edf1d10295be7

    SHA256

    9dba91122170b76e2b27c9e7e6b3006c52e64cd91f93e666a1cb31a2d79c5d6f

    SHA512

    6164677c359de8a44ec23d5d436eacb62db4022528b3c788215fff25d9cbec892fc18d52b397237eb5f1a9f0cdb30692fbcbe5eb633d373f55958d439941aa14

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/780-42-0x0000000001370000-0x000000000138A000-memory.dmp

    Filesize

    104KB

  • memory/1016-36-0x00000000003B0000-0x00000000003CA000-memory.dmp

    Filesize

    104KB

  • memory/1060-40-0x0000000000A80000-0x0000000000A9A000-memory.dmp

    Filesize

    104KB

  • memory/1964-1-0x0000000000B90000-0x0000000000BAA000-memory.dmp

    Filesize

    104KB

  • memory/1964-2-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1964-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

    Filesize

    4KB

  • memory/1964-37-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1964-32-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

    Filesize

    4KB

  • memory/2532-8-0x000000001B540000-0x000000001B822000-memory.dmp

    Filesize

    2.9MB

  • memory/2532-9-0x0000000002990000-0x0000000002998000-memory.dmp

    Filesize

    32KB

  • memory/2532-7-0x00000000028E0000-0x0000000002960000-memory.dmp

    Filesize

    512KB

  • memory/2868-16-0x00000000023C0000-0x00000000023C8000-memory.dmp

    Filesize

    32KB

  • memory/2868-15-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB