Overview

overview

10

Static

static

10

svchost.exe

windows7-x64

10

svchost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    69KB

  • MD5

    3d0f60a06bfead1b3ce9847dbd9ce7e7

  • SHA1

    e79eff9033d46736a876ab3379038a592d8e210f

  • SHA256

    e9dad4f37bdc3e80130637b3b5de29bf78e376cb8b8894a27ab4b727d60dff5b

  • SHA512

    c0eb730f283df54c2f061da019b57879e29b8f5549309d71630fcb541be894d47eab3943d011363dd0a9bd93e07962411454d9e88e6f5d61a4e0babfde62fc08

  • SSDEEP

    768:rOwHIR8aFGww4GZAAjGnlb0fl70xSm9WlYb03o46XeLmsR263Z8O71h80XZBSq:izR845VGaQoHdb03o46uN06OO71Roq

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

inn-ht.gl.at.ply.gg:60031

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:636
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2700
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {76CDC7B0-21ED-4103-8C65-BF2D481D77AE} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1248
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F72HULDSFQV6WHHAZ1NY.temp
    Filesize

    7KB

    MD5

    ca13b5d13c1e88f2b5bf42d9845a0d3b

    SHA1

    01f093f08828142c35f6d7f67da002f1afdf1d5d

    SHA256

    88878380854077fed5e0f4bf0d0117f67e1066ad41a8333135ee3cc259de3ec2

    SHA512

    b4ec2c950b3cbe3164e646bf7d022f76561464ba90ea6686c9e3e13059ea01b7e48d46a884dd6b8e31ef3f55b058c8f2cf8624e32cd835e13b96ef003ac4e675

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    69KB

    MD5

    3d0f60a06bfead1b3ce9847dbd9ce7e7

    SHA1

    e79eff9033d46736a876ab3379038a592d8e210f

    SHA256

    e9dad4f37bdc3e80130637b3b5de29bf78e376cb8b8894a27ab4b727d60dff5b

    SHA512

    c0eb730f283df54c2f061da019b57879e29b8f5549309d71630fcb541be894d47eab3943d011363dd0a9bd93e07962411454d9e88e6f5d61a4e0babfde62fc08

    Download Submit
  • memory/1248-36-0x0000000000310000-0x0000000000328000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2008-39-0x0000000000EA0000-0x0000000000EB8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2164-31-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2164-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2164-32-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2164-2-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2164-1-0x0000000000380000-0x0000000000398000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2720-8-0x000000001B5B0000-0x000000001B892000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2720-9-0x0000000001F00000-0x0000000001F08000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2720-7-0x00000000028D0000-0x0000000002950000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2752-16-0x0000000002860000-0x0000000002868000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2752-15-0x000000001B680000-0x000000001B962000-memory.dmp
    Filesize

    2.9MB

    Download