Analysis

  • max time kernel
    321s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/05/2024, 19:36

General

  • Target

    1_protected.exe

  • Size

    1.1MB

  • MD5

    0bb46f1aa0f9ec8b6ce4a718a6ffe8a4

  • SHA1

    621449aa1d94f91b30ff7984a7457d6aed2d0075

  • SHA256

    82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f

  • SHA512

    5cd89e242d980aedc9fb0f0eb28b0202a6a6c5db6c1146d8d7ecebc72235982d9585086e4c9f62c9b0af8d7082c72b7397de468280050da0b438bd6ebbd5d443

  • SSDEEP

    24576:z+S+kx/5Csa5XNTFb4co+R72Rg1wA2Ms3zvFrA8kAbdmxm7y/:5+kxBW5X5Oco+R0c9+DSpAbdmA7y

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\1_protected.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1_protected.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1_protected.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:792
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES144C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98F0AC178B014D908F42406DECEBB86D.TMP"
        3⤵
        PID:1492
    • C:\Windows\SysWOW64\CMD.EXE
      "CMD.EXE"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:2716
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5a4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2888
  • C:\Windows\system32\SndVol.exe
    SndVol.exe -f 45548697 26098
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1036
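The process tree above is the part of this report a detection engineer can turn directly into hunting logic: four `Add-MpPreference` exclusions launched from a binary in `%Temp%`, a `vbc.exe` compile driven by a response file in `%Temp%`, and `ipconfig` under `CMD.EXE` under the same root. The block below is an added example, not part of the sandbox report and not Xworm's code. Its event records are constructed from the PIDs, images and command lines listed on this page (field names `pid`/`ppid`/`image`/`cmd` are an assumption; Sysmon Event ID 1 or Security 4688 carry the same fields), and the rule names, severities and the list of "system" binary names are hypothetical choices of this example. `AUDIODG.EXE` from the same run is kept as a negative case.

```python
"""Hunting rules over process-creation events, modelled on the Xworm run on this page.
Added example; records are constructed from the report's process tree, not captured live."""
import ntpath  # Windows path handling that works on any host
import re

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Constructed from the page's process tree. ppid 1000 stands in for the (unlisted) parent.
EVENTS = [
    {"pid": 2216, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\1_protected.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\1_protected.exe"'},
    {"pid": 2992, "ppid": 2216, "image": PS,
     "cmd": PS_CMD + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1_protected.exe'"},
    {"pid": 1804, "ppid": 2216, "image": PS,
     "cmd": PS_CMD + r"Add-MpPreference -ExclusionProcess '1_protected.exe'"},
    {"pid": 2872, "ppid": 2216, "image": PS,
     "cmd": PS_CMD + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'"},
    {"pid": 792, "ppid": 2216, "image": PS,
     "cmd": PS_CMD + r"Add-MpPreference -ExclusionProcess 'svchost.exe'"},
    {"pid": 2252, "ppid": 2216, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.cmdline"'},
    {"pid": 1492, "ppid": 2252, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmd": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES144C.tmp"'},
    {"pid": 1852, "ppid": 2216, "image": r"C:\Windows\SysWOW64\CMD.EXE", "cmd": '"CMD.EXE"'},
    {"pid": 2716, "ppid": 1852, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmd": "ipconfig"},
    {"pid": 2888, "ppid": 1000, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmd": r"C:\Windows\system32\AUDIODG.EXE 0x5a4"},  # unrelated system activity, negative case
]

# User-writable locations a persistence copy or dropper typically lives in (hypothetical list).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}  # hypothetical masquerade list
# One quoted target per cmdlet call, which is all this run uses; comma lists would need a wider pattern.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+'([^']*)'", re.I)
RECON = {"ipconfig.exe", "whoami.exe", "systeminfo.exe"}


def hunt(events):
    """Return (rule, pid, severity, detail) tuples for events that match a rule."""
    by_pid = {e["pid"]: e for e in events}

    def ancestry(pid):
        seen = set()
        while pid in by_pid and pid not in seen:  # stop at unknown parents and PID reuse loops
            seen.add(pid)
            yield by_pid[pid]
            pid = by_pid[pid]["ppid"]

    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        chain = list(ancestry(e["pid"]))
        rooted_in_user_dir = any(USER_WRITABLE.search(a["image"]) for a in chain[1:])

        # Rule 1: Defender exclusion tampering (the four powershell.exe children on this page).
        for kind, target in EXCLUSION_RE.findall(e["cmd"]):
            base = ntpath.basename(target).lower()
            sev = "high" if USER_WRITABLE.search(target) or base in SYSTEM_NAMES else "medium"
            findings.append(("defender_exclusion", e["pid"], sev, f"{kind}={target}"))
            # Rule 2: a system binary name excluded outside System32/SysWOW64, or by bare name,
            # whitelists the %AppData%\svchost.exe persistence copy from the config section.
            if base in SYSTEM_NAMES and ntpath.dirname(target).lower() not in SYSTEM_DIRS:
                findings.append(("system_name_outside_system_dir", e["pid"], "high", target))

        # Rule 3: .NET compiler driven by a response file in Temp, under a user-dir-rooted parent.
        if name in {"vbc.exe", "csc.exe"} and rooted_in_user_dir \
                and re.search(r'@"?[^"]*\\temp\\', e["cmd"], re.I):
            findings.append(("runtime_compile_from_temp", e["pid"], "medium", e["cmd"]))

        # Rule 4: network/host recon whose ancestry leads back to a user-writable directory.
        if name in RECON and rooted_in_user_dir:
            findings.append(("recon_from_user_dir_ancestor", e["pid"], "low", e["cmd"]))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(*f)
```

Ancestry matters more than any single command line here: `ipconfig` and `vbc.exe` are benign on their own and only become interesting because their root is an executable in `%Temp%`. One caveat the report does not answer: `Add-MpPreference` needs an elevated context to change Defender preferences, and the sandbox records the attempt but not the cmdlet's result, so treat the attempt itself as the signal and verify on a live host with `Get-MpPreference` whether the exclusions actually landed.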

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RES144C.tmp

            Filesize

            1KB

            MD5

            c3fc57e6fe3ca236b61eb644cc20edc7

            SHA1

            fc4bbf10c431f636d12bb31511de9302cab445e1

            SHA256

            2d5951f72a3afec92d951110da8ebb84c070a7eb18564ec953bd419d8050fe1d

            SHA512

            b9c981c941edf21f62ec7926adfdcbfc6909c2ffa82cc46d0db7627f913657282351288d6484f52188854b6b683fe8ce9a7ffd532ef3e95c0b16902063a28a72

          • C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.0.vb

            Filesize

            386B

            MD5

            156a4b3e570d9c7efc0f0094dbceb24e

            SHA1

            ccd7e470b9114884d6e958ab4d8b4c451f493c66

            SHA256

            7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77

            SHA512

            90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

          • C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.cmdline

            Filesize

            313B

            MD5

            35373c4c4616ddc09ae128dae9762663

            SHA1

            03b4ceeb6276c9ae31bc1a8139d4b7300b1df9f5

            SHA256

            ab65fecd32fc5b83279c377b6806c3b20f7ab38f029af631abc7eb83f913434a

            SHA512

            e4a81f35489074d3ca3f2df638ad54ca0ce0a67c5a1dae16866aa8ba01be3f01a4adc823bd1331869320fa08762ba2283bb47eb8473650362da1f18d219bf62c

          • C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.exe

            Filesize

            6KB

            MD5

            43b54dea13182fc9bda33052e6862d0c

            SHA1

            9dbf487ea8f16961f5acaf16b86813df386e5f6c

            SHA256

            181e4da8d69ee6d9315613ba430cda2a2413a710f10739c85013c61089014d68

            SHA512

            20a2818ade17f8b8f574db91cffd7c419e659401dc57fbd2e95c0729507807eb7ea35beeba1974122f5a38f666d7a232d1bb3558869515217ee6ca0e9c267d68

          • C:\Users\Admin\AppData\Local\Temp\vbc98F0AC178B014D908F42406DECEBB86D.TMP

            Filesize

            1KB

            MD5

            710d3e541335aeb7f7cd952aa48670a0

            SHA1

            32f8229f3699983e612cbcafe9999e3ffc361905

            SHA256

            264d580bf89ae8761e7aee9363d547c1e0c3f08063d1ec5c1dcafc72385dd8e3

            SHA512

            1e11fb7aab8314ec8ae8e1e9dec1d94d8b518ad363aa9b4117dbeb239046b7bf13a800eaf45fa5e149c2b4cae32f43edcda763a9f25dcf41e8e2372a5c4cad8e

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

            Filesize

            7KB

            MD5

            0d8eb4de34b3dec0cbfb3c3e075a1e8a

            SHA1

            9042f65a45cd3c5eec8de84b3a20646d87294b93

            SHA256

            012e9fa2ce6b9f74d656959f684a8ee4547179c8f3917f9913e3b746147c7899

            SHA512

            6f0e5d19736900af32685b9dee8c5d0abd7fb318e7ddabf5979307f2fd57c4cc14b864f9eb8afd2da0900517ba429790dfcb9dbd563de9b6f593debd1fb17184

          • \Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            1.1MB

            MD5

            0bb46f1aa0f9ec8b6ce4a718a6ffe8a4

            SHA1

            621449aa1d94f91b30ff7984a7457d6aed2d0075

            SHA256

            82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f

            SHA512

            5cd89e242d980aedc9fb0f0eb28b0202a6a6c5db6c1146d8d7ecebc72235982d9585086e4c9f62c9b0af8d7082c72b7397de468280050da0b438bd6ebbd5d443

          • memory/2216-3-0x0000000074330000-0x0000000074A1E000-memory.dmp

            Filesize

            6.9MB

          • memory/2216-2-0x00000000002D0000-0x000000000064C000-memory.dmp

            Filesize

            3.5MB

          • memory/2216-32-0x0000000002270000-0x0000000002280000-memory.dmp

            Filesize

            64KB

          • memory/2216-39-0x0000000002290000-0x000000000229C000-memory.dmp

            Filesize

            48KB

          • memory/2216-43-0x0000000005E00000-0x0000000005EB0000-memory.dmp

            Filesize

            704KB

          • memory/2216-49-0x00000000022E0000-0x00000000022EA000-memory.dmp

            Filesize

            40KB

          • memory/2216-30-0x0000000074330000-0x0000000074A1E000-memory.dmp

            Filesize

            6.9MB

          • memory/2216-27-0x0000000002270000-0x0000000002280000-memory.dmp

            Filesize

            64KB

          • memory/2216-29-0x000000007433E000-0x000000007433F000-memory.dmp

            Filesize

            4KB

          • memory/2216-0-0x00000000002D0000-0x000000000064C000-memory.dmp

            Filesize

            3.5MB

          • memory/2216-65-0x00000000022F0000-0x00000000022F8000-memory.dmp

            Filesize

            32KB

          • memory/2216-1-0x000000007433E000-0x000000007433F000-memory.dmp

            Filesize

            4KB

          • memory/2216-73-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

            Filesize

            40KB

          • memory/2216-78-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

            Filesize

            40KB

          • memory/2216-80-0x0000000002C00000-0x0000000002C0A000-memory.dmp

            Filesize

            40KB

          • memory/2216-82-0x0000000005A20000-0x0000000005AAE000-memory.dmp

            Filesize

            568KB