Overview

overview

10

Static

static

3

Prism Rele....5.exe

windows7-x64

10

Prism Rele....5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Prism Release V1.5.exe

  • Size

    5.1MB

  • MD5

    ac80f970a7ae1c07663abdd11d752d34

  • SHA1

    5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad

  • SHA256

    b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

  • SHA512

    7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b

  • SSDEEP

    98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Users\Admin\dllhost.exe
      "C:\Users\Admin\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1248
      • C:\Users\Admin\AppData\Local\Temp\gdjciu.exe
        "C:\Users\Admin\AppData\Local\Temp\gdjciu.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Users\Admin\AppData\Local\Temp\onefile_1648_133629245954466000\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\gdjciu.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2772
    • C:\Users\Admin\Prism Executor.exe
      "C:\Users\Admin\Prism Executor.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Local\Temp\onefile_2848_133629245258238000\nexusloader.exe
        "C:\Users\Admin\Prism Executor.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1068
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2615D022-5A61-4DA6-975A-027108EAFA55} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
    1⤵
      PID:888
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1712

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\onefile_2848_133629245258238000\python310.dll
        Filesize

        4.2MB

        MD5

        384349987b60775d6fc3a6d202c3e1bd

        SHA1

        701cb80c55f859ad4a31c53aa744a00d61e467e5

        SHA256

        f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

        SHA512

        6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        832d918812ff479b6f899a4d58f3a918

        SHA1

        17f9f1e7775abd3a4bde5966bd8b12524ba213ca

        SHA256

        b87c8bc193734c49a7743837ad2f7bc6e6f4345be8a7dbfd0132c0b2b9022b30

        SHA512

        d1ebee513cc8acfd1e34c2d0a5a521130889e7c9409109205110dd9eff04b055820fe26a5dff754e9882da4a8a4dc9438548f9913a35d7ccdd1dc65852f9ccc6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        e23363735c0f519580e12f8ecb5dbcda

        SHA1

        62a7a1f99283dd084ac39cb2e52cee6adeb1538d

        SHA256

        49dd42287c79e232da3d10eae0dedb3b5c6ffe1f5ec10ff38f6c2bc8553ae751

        SHA512

        175978edb1ad6bef8750379940c587eba2b2b3f17f5b2fedeac5d26a3cbd6e628dae877fa3042467d9693d45459599a10466bf890064c1a6c59fac177a06fa43

        Download Submit
      • \??\PIPE\srvsvc
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • \Users\Admin\AppData\Local\Temp\gdjciu.exe
        Filesize

        32.9MB

        MD5

        32004d8a59efe46298e06798a1a96cb9

        SHA1

        da3c34b6d7d4f692e673e45dacc825b3ef17a2ed

        SHA256

        03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f

        SHA512

        34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

        Download Submit
      • \Users\Admin\AppData\Local\Temp\onefile_1648_133629245954466000\svchost.exe
        Filesize

        38.4MB

        MD5

        473d542fefe26be37736dc09341747bf

        SHA1

        359cadaafa2f5c032cc300a9097467de701a816c

        SHA256

        f88890e37c4d16601fad17152fea87947f4098ac3903f138250fa3482bd3bafc

        SHA512

        01c08a86156b2bc3745c62bea2a787b9635a71a61595b0ddccec976e39fc50ec1547daa15aa301f4109a6bbf99b772f1d427b14a581c5dcfc1a0651e4c79fb16

        Download Submit
      • \Users\Admin\AppData\Local\Temp\onefile_2848_133629245258238000\nexusloader.exe
        Filesize

        3.5MB

        MD5

        58545dc488990ac11872079d119f8284

        SHA1

        dade5c16834d582a5187041697cc5a7c2eae2f88

        SHA256

        6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc

        SHA512

        93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

        Download Submit
      • \Users\Admin\Prism Executor.exe
        Filesize

        5.0MB

        MD5

        fa819e23d8fee4ea89aaaea55e0b28f5

        SHA1

        18335d4e0d140dcab66c7197c57f669251898ce5

        SHA256

        bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c

        SHA512

        e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

        Download Submit
      • \Users\Admin\dllhost.exe
        Filesize

        78KB

        MD5

        4a7f75343aaa5a4d8d18add50ccf3139

        SHA1

        110c62eee6d7deb4aa9d601c942eae43482d2125

        SHA256

        34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e

        SHA512

        1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

        Download Submit
      • memory/2624-26-0x0000000001070000-0x000000000108A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3052-1750-0x000000001B3B0000-0x000000001B692000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/3052-1789-0x0000000002460000-0x0000000002468000-memory.dmp
        Filesize

        32KB

        Download