Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-05-2024 10:51

General

  • Target

    dde.exe

  • Size

    71KB

  • MD5

    d5af9923e3015fc2cd381797720e84ec

  • SHA1

    8a11d55d97ad484897fd8da7c7e36543184ef23d

  • SHA256

    7f71385d6a2745866497ffd421c23698a4ba6e0be811d5728d7c0318539ae607

  • SHA512

    11fc191532a6a8a643531aeb90b30a18830bb904b898cb66d6e068cd887b0658b3e6edc75a6c2c622fe0bc0329fac720af43a933a724ccab4c27fa92865307cb

  • SSDEEP

    1536:FTIATUQ2TVMAQuPjcg0OPhb8YUzQjDb6TyBmcOrdzBLvVKhy2:FPuaAPPqOpb88jD0yJOhBzQz

Malware Config

Extracted

Family

xworm

C2

registered-martial.gl.at.ply.gg:62460

Attributes
  • Install_directory

    %Temp%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dde.exe
    "C:\Users\Admin\AppData\Local\Temp\dde.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dde.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dde.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4720
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:504
    • C:\Users\Admin\AppData\Local\Temp\dde.exe
      "C:\Users\Admin\AppData\Local\Temp\dde.exe"
      1⤵
        PID:4676
      • C:\Users\Admin\AppData\Local\Temp\dde.exe
        "C:\Users\Admin\AppData\Local\Temp\dde.exe"
        1⤵
          PID:1348
        • C:\Users\Admin\AppData\Local\Temp\dde.exe
          "C:\Users\Admin\AppData\Local\Temp\dde.exe"
          1⤵
            PID:2136
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4712

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dde.exe.log

            Filesize

            654B

            MD5

            16c5fce5f7230eea11598ec11ed42862

            SHA1

            75392d4824706090f5e8907eee1059349c927600

            SHA256

            87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

            SHA512

            153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            ad5cd538ca58cb28ede39c108acb5785

            SHA1

            1ae910026f3dbe90ed025e9e96ead2b5399be877

            SHA256

            c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

            SHA512

            c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            7d945eba6be7a48afb6f8a29c03b33bf

            SHA1

            c8efdf30b07d7df3ee09307b7fc7fba536f67b38

            SHA256

            420d68de51d5a84752893b6ddfa25a214eaffa4534f9648d80411434a946cbc6

            SHA512

            4fd88fa37901bef3a9eaeeaad754be94b3b39ddc2fb43bbbf28e2f2e18f3912626f0ac4748b1360b049f34a013ad37be203d62b74359765fc550e8d73280a7a4

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            dde2ecae6449edcea6c29ae9e1f0f66e

            SHA1

            215c8519e5f781a6df1efac38f3ca618f48aeee6

            SHA256

            89dac7cc6a5910f29b9c202dca2107b45c2b16c4b414bc5e053c95317d1117a5

            SHA512

            48a49d5eddccd07d7ffc63feb40476db3773580c67a226bce0b01e0fc33bb9b5c4204ea223c161e5d29b106ba745b9894bd36d27f7abc8895e8c631142953caa

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            86540a0c5e167e40926a4a794714b54d

            SHA1

            4e5307f3d83ee3ff3d3ec1400d62d1a945dc425a

            SHA256

            b4f3f14f03e953894c3306fa07e776ef16f96ada85b4ca6f587cb6dfb9569b0c

            SHA512

            506fea68ccc3bb8c990cf9beea8f3b84a4186cce0f28a3e3f1236d434d23877bbc704c9e8435f8ab95a3dac97b554bb60ea6d98b43d2890463d1b36a67897a02

          • C:\Users\Admin\AppData\Local\Temp\XClient.exe

            Filesize

            71KB

            MD5

            d5af9923e3015fc2cd381797720e84ec

            SHA1

            8a11d55d97ad484897fd8da7c7e36543184ef23d

            SHA256

            7f71385d6a2745866497ffd421c23698a4ba6e0be811d5728d7c0318539ae607

            SHA512

            11fc191532a6a8a643531aeb90b30a18830bb904b898cb66d6e068cd887b0658b3e6edc75a6c2c622fe0bc0329fac720af43a933a724ccab4c27fa92865307cb

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnjrbmeg.aof.ps1

            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          • memory/1000-21-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

            Filesize

            9.9MB

          • memory/1000-51-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

            Filesize

            9.9MB

          • memory/1000-12-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

            Filesize

            9.9MB

          • memory/1000-11-0x00000234397B0000-0x0000023439826000-memory.dmp

            Filesize

            472KB

          • memory/1000-9-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

            Filesize

            9.9MB

          • memory/1000-7-0x0000023439600000-0x0000023439622000-memory.dmp

            Filesize

            136KB

          • memory/3308-0-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

            Filesize

            4KB

          • memory/3308-183-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

            Filesize

            4KB

          • memory/3308-184-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

            Filesize

            9.9MB

          • memory/3308-2-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

            Filesize

            9.9MB

          • memory/3308-1-0x00000000009E0000-0x00000000009F8000-memory.dmp

            Filesize

            96KB