Overview

overview

10

Static

static

10

Microsoft ...on.exe

windows7-x64

10

Microsoft ...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2024 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft Network Realtime inspection.exe

  • Size

    79KB

  • MD5

    5c888eddae30076bd7aaa2e5d5fea097

  • SHA1

    6a5b5c290d24bcd984a7083f934dbf35f56ec888

  • SHA256

    267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

  • SHA512

    4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

  • SSDEEP

    1536:y8p4oJOu7J3c+Fj4zo+ib+8qn36NOuCYh0uxqau:y5oJLJM5zJib+sOeh0uVu

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

listing-trackbacks.gl.at.ply.gg:15337

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"
      2⤵
      • Creates scheduled task(s)
      PID:3932
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "TLauncher"
      2⤵
        PID:2380
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF5C.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:3880
    • C:\Users\Admin\AppData\Roaming\TLauncher
      C:\Users\Admin\AppData\Roaming\TLauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
    • C:\Users\Admin\AppData\Roaming\TLauncher
      C:\Users\Admin\AppData\Roaming\TLauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3336

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TLauncher.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2979eabc783eaca50de7be23dd4eafcf

      SHA1

      d709ce5f3a06b7958a67e20870bfd95b83cad2ea

      SHA256

      006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

      SHA512

      92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9bc110200117a3752313ca2acaf8a9e1

      SHA1

      fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

      SHA256

      c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

      SHA512

      1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      da5c82b0e070047f7377042d08093ff4

      SHA1

      89d05987cd60828cca516c5c40c18935c35e8bd3

      SHA256

      77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

      SHA512

      7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3qrh25t.plq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpEF5C.tmp.bat
      Filesize

      189B

      MD5

      c51b2ee21e937a0020bcdcc43bb82ec8

      SHA1

      99d11247dcdb2a5bde90c0212bf82ce996d4c6b2

      SHA256

      1c748bcb6e3808b20a74236802b9599004eecf6233189a046891d94e8b07c07d

      SHA512

      e1af5deebd1474850136131d27ee7432f273c70d9e71dcd337642da4b773233b5adb9711480fe71cd8eacacc620e27150e0d3535f9dcff9c2fa161f78d3093d7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\TLauncher
      Filesize

      79KB

      MD5

      5c888eddae30076bd7aaa2e5d5fea097

      SHA1

      6a5b5c290d24bcd984a7083f934dbf35f56ec888

      SHA256

      267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

      SHA512

      4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

      Download Submit
    • memory/1964-13-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1964-14-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1964-8-0x0000025AC0840000-0x0000025AC0862000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1964-18-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1964-15-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2732-0-0x00000000002D0000-0x00000000002EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2732-2-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2732-56-0x00007FFFC7ED3000-0x00007FFFC7ED5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2732-57-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2732-1-0x00007FFFC7ED3000-0x00007FFFC7ED5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2732-70-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp
      Filesize

      10.8MB

      Download