Analysis

  • max time kernel
    582s
  • max time network
    592s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 08:55

General

  • Target

    avatar item sorter.exe

  • Size

    50.1MB

  • MD5

    338c27e3009f0b68ea08a59dfcfcc7a8

  • SHA1

    e80dbdb1dcc4de61d650007e2cd75bdddac7a646

  • SHA256

    cfcc874c9a678ef45a12f2efe9ebbf3a26b38a2595ae297ee3033ecd908207b7

  • SHA512

    fa3431b5a31e7d0f041aef1115ad231e4e3caee135e6b051a6797870e62443ebbf00ea70ae9c3f627dfaad2997a8d03ce0f8559d2670dfa9f2c38ea2a5800958

  • SSDEEP

    786432:XDaEEB9qdKDxQQbtxlmvA+3il5cE7Dt0q0zJalrASE8QfEA5zD8pggBPRry:XOnB9qexTJxlv15cEAgBABfEA5U/r

Malware Config

Extracted

Family

xworm

C2

192.168.0.113:7000

:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    crome.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\avatar item sorter.exe
    "C:\Users\Admin\AppData\Local\Temp\avatar item sorter.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Roaming\champ.exe
      "C:\Users\Admin\AppData\Roaming\champ.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\onefile_1744_133629169494372000\GPUpdate.exe
        "C:\Users\Admin\AppData\Roaming\champ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:108
    • C:\Users\Admin\AppData\Roaming\ggjjgjg.exe
      "C:\Users\Admin\AppData\Roaming\ggjjgjg.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\onefile_1744_133629169494372000\GPUpdate.exe
    Filesize

    42.2MB

    MD5

    11f84190e93c21ff6ff85d718f9aa9de

    SHA1

    d80b01909be910a07cfe4db032a39fdfb9fac58c

    SHA256

    2bdc427b432bd06d34fc3cbb8ad41f6c6e5cfd99e2905eed607dd4b240bd30d6

    SHA512

    3329e381409289dee862a00db315185b81229a8ff597739f40373295fb1b07d3a36f1e703329ab1d30b94ebd80514d68b68af4a68b8abb16153a1a98beade60a

  • C:\Users\Admin\AppData\Local\Temp\onefile_1744_133629169494372000\python311.dll
    Filesize

    5.5MB

    MD5

    9a24c8c35e4ac4b1597124c1dcbebe0f

    SHA1

    f59782a4923a30118b97e01a7f8db69b92d8382a

    SHA256

    a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

    SHA512

    9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

  • C:\Users\Admin\AppData\Roaming\ggjjgjg.exe
    Filesize

    72KB

    MD5

    3797b630bd5b95c2eebaaa8c0b839533

    SHA1

    3a3b49e8d28e2b42a80fbebd93540d03ac630f32

    SHA256

    83963780e6ee3859749031fc283ee8c9ebb1ef804c37daa2999f2773d6552b12

    SHA512

    e8e4e77cee9008ae4a1173fab694dc66e1761b13065a8943f968874f0bc01c5c45b04f155aed1ad99270c6429d25dbc6e2a23a255b90a46167374af5212c2e13

  • \Users\Admin\AppData\Roaming\champ.exe
    Filesize

    49.9MB

    MD5

    1e6812b75e75f7295249d7f0990796bc

    SHA1

    6445b991e65e435485066a68eab09ad9e5c7aa5b

    SHA256

    d5e771d2748fb8d0377dcb6897b2583176487d6973ed21da51ddc101e2a8c42f

    SHA512

    a9a58649802402fa717cf13a8c6a0ad5623473c3363e3f4a56605f615d10f072b40228ab9f488f64eda2924579af217ad782957cde146eb38f7fe963a28350d4

  • memory/108-103-0x000000013F320000-0x0000000141DE9000-memory.dmp
    Filesize

    42.8MB

  • memory/1744-188-0x000000013FAA0000-0x0000000142C9E000-memory.dmp
    Filesize

    50.0MB

  • memory/1988-33-0x0000000001200000-0x0000000001218000-memory.dmp
    Filesize

    96KB

  • memory/1996-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp
    Filesize

    4KB

  • memory/1996-1-0x0000000000220000-0x000000000343A000-memory.dmp
    Filesize

    50.1MB