Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-06-2024 21:00

General

  • Target

    2 лдшуте.exe

  • Size

    77KB

  • MD5

    632ab73920e2e8e8100d927ab00e12a5

  • SHA1

    4676f206bb580f87589bb2e1cfa0270959534ae6

  • SHA256

    a4ee1f41eada056a3c1802839d549de40fdbd7995a5940a8f7cb9fb9785b0e87

  • SHA512

    21df86d3316712979b995844516bb12f86823cb96977e52c05b9b855aece6c9917ffee31d5ba4d415babc8290fa2a364ba3cb501b5724208676d077469a829db

  • SSDEEP

    1536:Lo34pW06sYLtjyzCLfvbpdyqD546KMhb/ujSOHSNdEn:YrTo0vbpY85ca/CSOHS4n

Malware Config

Extracted

Family

xworm

C2

word-belize.gl.at.ply.gg:1678

Attributes
  • Install_directory

    %AppData%

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2 лдшуте.exe
    "C:\Users\Admin\AppData\Local\Temp\2 лдшуте.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2 лдшуте.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2 лдшуте.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\AppData\Roaming\system"
      2⤵
      • Creates scheduled task(s)
      PID:936
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {26402487-3F77-42E8-B845-1101BD5D0181} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Roaming\system
      C:\Users\Admin\AppData\Roaming\system
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
    • C:\Users\Admin\AppData\Roaming\system
      C:\Users\Admin\AppData\Roaming\system
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Users\Admin\AppData\Roaming\system
      C:\Users\Admin\AppData\Roaming\system
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2196

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • Command and Scripting Interpreter (1) T1059
  • PowerShell (1) T1059.001
  • Scheduled Task/Job (1) T1053

Persistence
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Privilege Escalation
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Defense Evasion
  • Modify Registry (1) T1112

Discovery
  • System Information Discovery (1) T1082
  • Query Registry (1) T1012


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYVOCEIJDTDNLY4N8D3L.temp
    Filesize

    7KB

    MD5

    5473e95f5a3ac54c33ec0b81e729de29

    SHA1

    16f540afbe75f5aea9f7991aa00e1e84fe1e1c8e

    SHA256

    139b0e7509c92b80c60d7680d55cb4165351c360a6bf257f4bbef9237f4e8123

    SHA512

    90afb64651fc81eb458a8d424037296803fa88b7222ae0ae7ed6be10e3667bec37a2ff0d41d24f3785aa63caaf8538eca22fdd6d6b615d27a31a32faa00012dd

  • C:\Users\Admin\AppData\Roaming\system
    Filesize

    77KB

    MD5

    632ab73920e2e8e8100d927ab00e12a5

    SHA1

    4676f206bb580f87589bb2e1cfa0270959534ae6

    SHA256

    a4ee1f41eada056a3c1802839d549de40fdbd7995a5940a8f7cb9fb9785b0e87

    SHA512

    21df86d3316712979b995844516bb12f86823cb96977e52c05b9b855aece6c9917ffee31d5ba4d415babc8290fa2a364ba3cb501b5724208676d077469a829db

  • memory/1228-33-0x0000000000E50000-0x0000000000E6A000-memory.dmp
    Filesize

    104KB

  • memory/2196-38-0x0000000000080000-0x000000000009A000-memory.dmp
    Filesize

    104KB

  • memory/2528-7-0x000000001B370000-0x000000001B652000-memory.dmp
    Filesize

    2.9MB

  • memory/2528-8-0x0000000001EB0000-0x0000000001EB8000-memory.dmp
    Filesize

    32KB

  • memory/2548-14-0x000000001B350000-0x000000001B632000-memory.dmp
    Filesize

    2.9MB

  • memory/2548-15-0x0000000002010000-0x0000000002018000-memory.dmp
    Filesize

    32KB

  • memory/2684-1-0x00000000010A0000-0x00000000010BA000-memory.dmp
    Filesize

    104KB

  • memory/2684-2-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
    Filesize

    9.9MB

  • memory/2684-29-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp
    Filesize

    4KB

  • memory/2684-34-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
    Filesize

    9.9MB

  • memory/2684-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp
    Filesize

    4KB