Resubmissions

30-05-2024 14:51

240530-r8l56scb6z 10

30-05-2024 14:49

240530-r65vhadb99 10

Analysis

  • max time kernel
    597s
  • max time network
    599s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30-05-2024 14:51

General

  • Target

    chrome.exe

  • Size

    183KB

  • MD5

    2b26b084c03ef96db3cda61ec42b9780

  • SHA1

    d285abb4911dbb747b8cc0fb61d90c424905d71f

  • SHA256

    21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798

  • SHA512

    9fff7138ce7101c78e67e2f41181876b67d76c134757c61e151af5ffbca647b6fe965d60a41666f0dabf3508e0c43f6a56126c048ffc00bfe5909221732d2271

  • SSDEEP

    3072:k0SK4dXl19I2pbXwo5MObaQ04NpVq8BxFRzaqF+o2GQJ7/JzqVfGvc:34dFI2pbgeM/gVqwlL

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/0hUbjRaB

  • telegram

    https://api.telegram.org/bot7166866838:AAHZkNz5kuPxP-6aLkd_O3PTozWCCuLQp-w/sendMessage?chat_id=6817832744

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3860
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "chrome" /tr "C:\Users\Admin\chrome"
      2⤵
      • Creates scheduled task(s)
      PID:756
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:2040
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:3404
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:2460
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:3100
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:4280
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:2620
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:3928
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:4856
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:1536
  • C:\Users\Admin\chrome
    C:\Users\Admin\chrome
    1⤵
    • Executes dropped EXE
    PID:4248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.log

    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    68a1eec0cc923c6e7d7b83422ffc08b4

    SHA1

    4091f5622f97103d0501f220452699cdf329cb35

    SHA256

    26e337536d5aaa4683bb85e317778d02954eb076a4898f8e8a1a38c0c70c423a

    SHA512

    42e55d34ad8e0a65e5f00ce26c9b0e6c914278c8d03cece7ddbb2fef0ee0a7c229547acd7ca9ed6e54df545c8f28b6b982c28b9b45eb0aff723bcd440ba91980

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    9ab0d79b6ea2fb17b006c4c2c5c05084

    SHA1

    238d7803bf6d67dfd6cb45d4c3f4a20a804f230a

    SHA256

    7ebbda07e65800a519800abfbbcafa1af50cff28db3674b0b2ae9361674fc156

    SHA512

    4ffb6af87dbb9c102c062c95e843c25c97bf8f8d616863347d3d58f6eb7cfabe4aa2d848c3dfb421558aaeb0ea069820fe5f480f97e4576bcceb4324c830eb6b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    62c8561f755430780a652d626c597227

    SHA1

    c30910319267f5bd2942d20334f29f8117788a2f

    SHA256

    e2ef29f0c46e5e534cf2e39c70f9be50ba0fc248b009015c1d768a7892c6b75b

    SHA512

    12e52c18417f2b77db9d34f9b043cc962c3806ecf7ddd2f915280d173a0803e6a880cf5f6243bbd65cbe377a52d335f704d0b0cb38f48d2defe6752aaf72d3b8

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq1lgmhj.4se.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\chrome

    Filesize

    183KB

    MD5

    2b26b084c03ef96db3cda61ec42b9780

    SHA1

    d285abb4911dbb747b8cc0fb61d90c424905d71f

    SHA256

    21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798

    SHA512

    9fff7138ce7101c78e67e2f41181876b67d76c134757c61e151af5ffbca647b6fe965d60a41666f0dabf3508e0c43f6a56126c048ffc00bfe5909221732d2271

  • memory/192-8-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp

    Filesize

    1.9MB

  • memory/192-51-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp

    Filesize

    1.9MB

  • memory/192-12-0x00000291EA340000-0x00000291EA3B6000-memory.dmp

    Filesize

    472KB

  • memory/192-9-0x00000291EA180000-0x00000291EA1A2000-memory.dmp

    Filesize

    136KB

  • memory/192-7-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp

    Filesize

    1.9MB

  • memory/3780-0-0x0000000000340000-0x0000000000374000-memory.dmp

    Filesize

    208KB

  • memory/3780-187-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp

    Filesize

    1.9MB

  • memory/3780-2-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp

    Filesize

    1.9MB

  • memory/3780-1-0x00007FF8AEEC0000-0x00007FF8AF09B000-memory.dmp

    Filesize

    1.9MB