Overview

overview

10

Static

static

10

Microsoft ...on.exe

windows7-x64

10

Microsoft ...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft Network Realtime inspection.exe

  • Size

    79KB

  • MD5

    5c888eddae30076bd7aaa2e5d5fea097

  • SHA1

    6a5b5c290d24bcd984a7083f934dbf35f56ec888

  • SHA256

    267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

  • SHA512

    4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

  • SSDEEP

    1536:y8p4oJOu7J3c+Fj4zo+ib+8qn36NOuCYh0uxqau:y5oJLJM5zJib+sOeh0uVu

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

listing-trackbacks.gl.at.ply.gg:15337

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"
      2⤵
      • Creates scheduled task(s)
      PID:2704
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "TLauncher"
      2⤵
        PID:2088
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB9DD.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2236
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {822891B7-F6C7-44E3-8295-A785748D804D} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Roaming\TLauncher
        C:\Users\Admin\AppData\Roaming\TLauncher
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Users\Admin\AppData\Roaming\TLauncher
        C:\Users\Admin\AppData\Roaming\TLauncher
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1768

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB9DD.tmp.bat
      Filesize

      189B

      MD5

      4d1c5c1d6a78553844e835e1705b9c5c

      SHA1

      befe85ad4033405a23b60f99dd5f5e28ef45a6f1

      SHA256

      de340a3f63cf3586cff5b6710f428f0ccdbd95fe1060a1b2a411f1b685e6ddc2

      SHA512

      62ce72ff76248fbfc125c6ba57bb9c23aa393a388e9c78df61a44dc4409aa94b67407ba9db9a723ff146e1847888024c965bcb97fc6dcea00764847707f7394e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      67c8b66e269034e56458c07aa9d2efff

      SHA1

      048405c4596b452ff1cdeaf0d9b2839cc351f0bb

      SHA256

      e50efaadf48ab4a2d17d2f6ded07eabbcef5f5f472dffcbc5a9cf35c3739e560

      SHA512

      12c4acaf1062cd8bd08cfda1f91c1baf8732321d84a604b16dbecd53752bc3f595791603ce1e7580a8576fc0c1a19d18004590f4ae6f3f5392d56d7606f42f39

      Download Submit
    • C:\Users\Admin\AppData\Roaming\TLauncher
      Filesize

      79KB

      MD5

      5c888eddae30076bd7aaa2e5d5fea097

      SHA1

      6a5b5c290d24bcd984a7083f934dbf35f56ec888

      SHA256

      267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

      SHA512

      4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

      Download Submit
    • memory/1732-1-0x0000000000EC0000-0x0000000000EDA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1732-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1732-49-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1732-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1732-30-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1732-31-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1768-38-0x0000000000900000-0x000000000091A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1924-35-0x00000000002B0000-0x00000000002CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1992-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1992-15-0x000000001B610000-0x000000001B8F2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2688-9-0x0000000001E00000-0x0000000001E08000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2688-8-0x000000001B800000-0x000000001BAE2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2688-7-0x0000000002C80000-0x0000000002D00000-memory.dmp
      Filesize

      512KB

      Download