Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-06-2024 19:34
General
-
Target
Microsoft Network Realtime inspection.exe
-
Size
79KB
-
MD5
5c888eddae30076bd7aaa2e5d5fea097
-
SHA1
6a5b5c290d24bcd984a7083f934dbf35f56ec888
-
SHA256
267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
-
SHA512
4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1
-
SSDEEP
1536:y8p4oJOu7J3c+Fj4zo+ib+8qn36NOuCYh0uxqau:y5oJLJM5zJib+sOeh0uVu
Malware Config
Extracted
xworm
listing-trackbacks.gl.at.ply.gg:15337
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe"C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exeC:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe"C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {638D7D00-B3D3-48B5-BE39-2421C9BF49D4} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\TLauncherC:\Users\Admin\AppData\Roaming\TLauncher2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\TLauncherC:\Users\Admin\AppData\Roaming\TLauncher2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5087b97134dff0bff6ffc005ac5c0595f
SHA1206f2867b8b479f00076f7c11efa13d64c9d084e
SHA2569dfaae7cf1c51edfa5e3c287604372ed8042e675fb9c7d3e162becc2b607b549
SHA51293bc564b7780027e8b9513ed4118ee8ec70126a6df6d77ca740d18bb41febff0cee44c961f28a48a9f86c2056b416935946fc992c60ae3b863ea6b7fbe6524cc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD50657800df50e5670a5d6b3bfc0dfaff6
SHA1ab83340adac2b304fa3ece9a6e63ec630b502e78
SHA25695a74a91ae0658ba6c4b1d64334c1e0b24ae06778777cf7d0d9718871a1dfbd6
SHA5127513e269f34974d3f97c301d96b3dd4accb80ee232226b3e0d3bb61fd123035feac5a49b157c5db7099d9f34e8211ab4d15c537bc57da9c7a18c9bad799d1603
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f4cf0683a45e93f2796fafb684ac5f00
SHA1874ead59cd6b3742d52514b3c232463d93917d82
SHA2567b631d26b3d87360891d3ed54a09624e4a6c5a92e874857bde1f065dd4eb16e7
SHA5123ed51b3169afa2ab2490df1c0910371517df0f816b4cfce8be2c20c8b42387828ae99f5778c1ad018e5cca4181753a3fd5a70e5be7b6734ca7b6448aa415987a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5fc545a338b21db34f800d22d2189055a
SHA1ef220f565aec3f5c6a7fc3140757bc203dde8f2e
SHA25647fae85a89e4e7013f184166f863b35dd7d947da0f67d99da961b31c38054630
SHA512781843a5f2a083dc9e53c41d0b133e539fcd8c1d1e2477d2bf6ed2e7e2089fa421ebb831c3197dc7cb5c8c3d3d2cb93f56afa578b1b539c443ddbbf6d58a4eb7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD50a1fb0d3711e03574861d70ed5245b7b
SHA1b2f183e5a24de723b66e33556a4579e203db5ce7
SHA256731add6d6a897bfc25d083b54342b97009a59c1993260ecfb4f0516974c4cce7
SHA512c09ea66b44dfd800f1d661b0187a1ff5305ae4f09568b177717dadd6af89dc5efc0ed4b6be22fec1909f1271a08d9ad8594fe2803a78fca2f933ec2fc83f52f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e0af77b66a0732a2dd8dba07661e4f91
SHA1ae48bbad8d6e1416510bb2e886e34cf73404b28a
SHA256385bbc646872bf45898b77d495cd28e9ef915f4c2172f345098806b87178fcb4
SHA5124fbd0951725b3564980aecb35d925841194f924eb8049c708a2a753a14a057681af473eee579c1097621a6aad5425c388c692e462ce7547b498f31fc573cffc2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD51e4ac761f7f594fd296837f8fba7d2c7
SHA10093c20721a36d8ad69c8e51d50ee30432ca9643
SHA2564b69a3a14ca09ee4d10c3c1404471606fe64b6b3d8d5997ce3ff38684b5ce4c4
SHA512ad7ef98c56035cd85e1836ecec1b514bb10d432c04f92c02e578622b2d30e2c78536551fc98910b55529832c4632356bd6d7cd958f0f69d49a6e83689ca71b05
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD53a48d65eb6b228879c88d929072153d0
SHA13ce211ebedfe21389cdd378f4050215dc9b30f00
SHA25677841b1dc965c674388410ebd3a0581bf3bbbc17fd642d552a64a4fdfd2789b5
SHA51273f39c097f0d6cb5c364119c4e98a70495b07c81790ade7de9e03645af86a95e5c473a214843bfa9de16fb921df4bc69f34c60d9cfa43cd0aae0f3ec8e0620c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56374c16c6a992c6329cebc42e0bebcd1
SHA157c2f195e9a0d84a4edbea6b929f564057ab52aa
SHA2565a39a0a8d972c2c20c9ecf28e12e5e34b9080dc193a90b8d3fd30d0da1764539
SHA512c0127e3174c05e8806aba102d853941848f261fe5764064448e6c22f432902a5e98a345372851d50bed76b3c3b7fdc33e9c3c85133de646042bd79b46cdea93e
-
C:\Users\Admin\AppData\Local\Temp\CabBF7A.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarC06C.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\ixsjxa.exeFilesize
172KB
MD57eb8c9c1701f6b347721b42ba15c0993
SHA113e62637aa5c402383f5665d20c7491c51bccbdc
SHA2566d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2
SHA51222572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072
-
C:\Users\Admin\AppData\Local\Temp\qvkvtk.exeFilesize
28KB
MD562cbb85434223022a0b0e369b227a3d9
SHA14978b691168f16c678a1ffe53e126ba1d946bce0
SHA256ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd
SHA512f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69
-
C:\Users\Admin\AppData\Local\Temp\~DF1E00461333DD8B84.TMPFilesize
16KB
MD5acea6b9b3835b77db3952b6906b0cfca
SHA1f3121a81f4d2d473992ead77ab977faa6c763801
SHA256a920d8ee83952ce665b68d906b67247a5ad8e20c49cac438f4872cb65c12874c
SHA5127c19dbb53dbd8d7caac69ff5127a59b5df4e70cba897f604d83f7159d134ceaaa0e2c99c94540fe4ccf4f253a9ba428ebae1969f4816b81dc2d1a41a76bb3ca3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d766dc4315e2d36ba0ac07947d904a5c
SHA157b242b7b978f05af641dd777a6fbb5b01fd3602
SHA256378ab568095cfac08a7d3f5e197b89905db219d6007f5c1ba45068690d8b2c77
SHA51259265b60a4ad0571a525c36258db9f49bdbc964ecbcde2a6aacaad5fe164d6c02def8d8b97f5f20d172d4b342cea2e4210d1817c7837e91a0300c47bea731f4f
-
C:\Users\Admin\AppData\Roaming\TLauncherFilesize
79KB
MD55c888eddae30076bd7aaa2e5d5fea097
SHA16a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA5124a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1
-
\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/796-58-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/796-54-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/796-56-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1568-547-0x0000000000240000-0x000000000026E000-memory.dmpFilesize
184KB
-
memory/1568-554-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1568-39-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1568-46-0x0000000000240000-0x000000000026E000-memory.dmpFilesize
184KB
-
memory/1568-533-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1728-30-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmpFilesize
4KB
-
memory/1728-31-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmpFilesize
9.9MB
-
memory/1728-0-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmpFilesize
4KB
-
memory/1728-2-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmpFilesize
9.9MB
-
memory/1728-1-0x00000000002F0000-0x000000000030A000-memory.dmpFilesize
104KB
-
memory/1928-47-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2748-8-0x000000001B800000-0x000000001BAE2000-memory.dmpFilesize
2.9MB
-
memory/2748-7-0x0000000002D20000-0x0000000002DA0000-memory.dmpFilesize
512KB
-
memory/2748-9-0x0000000002240000-0x0000000002248000-memory.dmpFilesize
32KB
-
memory/2760-16-0x0000000001F80000-0x0000000001F88000-memory.dmpFilesize
32KB
-
memory/2760-15-0x000000001B570000-0x000000001B852000-memory.dmpFilesize
2.9MB
-
memory/2800-553-0x0000000000B10000-0x0000000000B2A000-memory.dmpFilesize
104KB