Overview

overview

10

Static

static

10

uihelper.exe

windows7-x64

10

uihelper.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15/06/2024, 20:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    uihelper.exe

  • Size

    71KB

  • MD5

    dffb74f4ddf0aa77581c3115bccffe96

  • SHA1

    f80ccede44a4f6298ed9cbbbe5173ec177653984

  • SHA256

    fb1129f10e3378b7a24603728a3242db30b43ce7fb818803de66e26a8048518a

  • SHA512

    16fcec0f7c2fdcb8f81f6863ba327dffe4818e5e3a09f84008617ba5ab70d4112b80d82282bf0644b223cd2dbc0a7335a53c4794447c20c2664bb2681d7e9668

  • SSDEEP

    1536:aL7csa/kywL0cbUr5U68wZPiJqbqvHZARS3eOQ6h5mdOyXx8Nc:Q7HaMywAN5U6BPiAbqvakeMmdOGxmc

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

final-consequently.gl.at.ply.gg:10334

Attributes
  • Install_directory

    %AppData%

  • install_file

    COM Surrogate.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uihelper.exe
    "C:\Users\Admin\AppData\Local\Temp\uihelper.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\uihelper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'uihelper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\COM Surrogate.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'COM Surrogate.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          f70cb662e1e0db651193131b0c02d444

          SHA1

          bdfaa7c8377314f970deb499e0790e918b8ec0ba

          SHA256

          ffe804935eb17dd570e01ac94ab251ed77da434a921fae44fe85cfbad0a362e9

          SHA512

          ecfd0a2c47ccc829562fd83e363ed14e7c0fcf41c4bb7c2992ec08d74bc9aee68cfb3e7cd296be4138a6803af6d4653594ae60b510a18e1b64f780ef1fb85f4a

          Download Submit

        • memory/2116-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2116-1-0x0000000000320000-0x0000000000338000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2116-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2116-7-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2116-33-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2536-17-0x00000000027D0000-0x00000000027D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2536-16-0x000000001B660000-0x000000001B942000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2824-8-0x00000000029D0000-0x0000000002A50000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2824-9-0x000000001B470000-0x000000001B752000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2824-10-0x00000000022C0000-0x00000000022C8000-memory.dmp

          Filesize

          32KB

          Download