Overview

overview

10

Static

static

3

LabyMod4.exe

windows10-1703-x64

10

LabyMod4.exe

windows7-x64

10

LabyMod4.exe

windows10-2004-x64

10

LabyMod4.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    247s
  • max time network
    257s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LabyMod4.exe

  • Size

    4.0MB

  • MD5

    0bbe495d506dc3f4aa6ddfeab3b2621d

  • SHA1

    a3d1a753a89d65347f1f6693dfc15753612ccb64

  • SHA256

    cf5a0372c0667be70f46d879e0ed82af2423f7a08d80b65c6f8adb44a8586e9c

  • SHA512

    a66afe1bbbbcbf9e10c30989afeadd6ea1ce3b3c67e2e464ab95616b602e9851e1ebc33c6356dd0241099781558b069f135ffcb021e399df9064fd01638925b9

  • SSDEEP

    98304:8wz+aVyehU7iYSMF5cbP/5kJsPZ6NdZRM+9ylG5Mi:7+AbhU7iY9FQ5kSYX7MllGt

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LabyMod4.exe
    "C:\Users\Admin\AppData\Local\Temp\LabyMod4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\Ratka.exe
      "C:\Users\Admin\AppData\Local\Temp\Ratka.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ratka.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ratka.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
    • C:\Users\Admin\AppData\Local\Temp\Laby_Mod_4.exe
      "C:\Users\Admin\AppData\Local\Temp\Laby_Mod_4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d0a4a3b9a52b8fe3b019f6cd0ef3dad6

    SHA1

    fed70ce7834c3b97edbd078eccda1e5effa527cd

    SHA256

    21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

    SHA512

    1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    5b705b4839f481b2485f2195c589cad0

    SHA1

    a55866cd9e6fedf352d0e937101755ea61a50c86

    SHA256

    f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

    SHA512

    f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    80707036df540b6657f9d443b449e3c3

    SHA1

    b3e7d5d97274942164bf93c8c4b8a9b68713f46f

    SHA256

    6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

    SHA512

    65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Laby_Mod_4.exe
    Filesize

    4.5MB

    MD5

    ff808f2bcef1b2d33eeee8678fa2c42d

    SHA1

    c1f640a45ee396f4dc70bb50ead02b0899a66122

    SHA256

    357d5e993e6ff9d91b2c49d4bc01a0aea465b737c0e8bc21b4cf21ff1a6824bb

    SHA512

    dff690c735b63fcadb0f981f792eed77f7c5af58b0f11f03d365bf3b75da04fb2898d48ab6621e979f5a81aa27856ddedef0949ef2e9bc1dcc98daf98b536b87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ratka.exe
    Filesize

    192KB

    MD5

    28b6f6405702915c6873e97bb0c2b9ca

    SHA1

    6ecbf035654ac5758073e15e1dba611397e5adad

    SHA256

    367f6ada7daf79724aa888bf211cd0a6f46fc082795456d67addeef8576ca431

    SHA512

    c2e93e96f5b537fe1919ca4a67ca02bb28c7bfa895148872d0df39a4a45aeb5433487784be930cc4b50e39ce7a24e9389c49e600e70f1d961fa5d0138f85cd0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epjbipru.mzp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3036-42-0x0000020475860000-0x0000020475882000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5024-27-0x00000000009F0000-0x0000000000E74000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/5024-26-0x00000000745EE000-0x00000000745EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-32-0x0000000005B10000-0x0000000005B1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5024-33-0x00000000745E0000-0x0000000074D91000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5024-31-0x00000000745E0000-0x0000000074D91000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5024-35-0x00000000745EE000-0x00000000745EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-36-0x00000000745E0000-0x0000000074D91000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5024-30-0x0000000005A60000-0x0000000005B10000-memory.dmp

    Filesize

    704KB

    Download

  • memory/5024-29-0x0000000005920000-0x00000000059B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5024-28-0x0000000005FA0000-0x0000000006546000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5092-34-0x000000001B9F0000-0x000000001BA00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5092-17-0x0000000000B40000-0x0000000000B76000-memory.dmp

    Filesize

    216KB

    Download

  • memory/5092-12-0x00007FFF14263000-0x00007FFF14265000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5092-83-0x000000001B9F0000-0x000000001BA00000-memory.dmp

    Filesize

    64KB

    Download