Overview

overview

10

Static

static

10

setup loader.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    67s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-06-2024 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup loader.exe

  • Size

    49KB

  • MD5

    92bc0dad236bed95c0503c72049d7f7b

  • SHA1

    f68dc458b17f797f06fca1b61f058caead9b3560

  • SHA256

    2e40036d668ff96a553bde8c62dab4f7ac024256deaa2e68f1e19fe94a2f98f2

  • SHA512

    95b3710e2e0f7fda6cede8fff283e0918b70cd1251fe24eb24cede0b5f8d59188c82d1575dcd60dfe2a1d2e504ae282e1f37329d223b8073048027e2745dd26f

  • SSDEEP

    768:bShn8azMUFJHlxXmWMvJF5P49O/yt16gOMhV3IOYmn4P3UX8cO0:bavzMUFxzXmRFq94m6gOMbY64fUX8u

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:15560

7.tcp.eu.ngrok.io:15560
Mutex

ZukGNk9bpYNaevaf

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup loader.exe
    "C:\Users\Admin\AppData\Local\Temp\setup loader.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\setup loader.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'setup loader.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4132
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5064
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4764

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      8592ba100a78835a6b94d5949e13dfc1

      SHA1

      63e901200ab9a57c7dd4c078d7f75dcd3b357020

      SHA256

      fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

      SHA512

      87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      ac57d8d28a6ec4a3a647086456354e2e

      SHA1

      fcca558c54d9ac15846b236c87df8203be324b18

      SHA256

      f999bd0e95471b037173bf33201888eb0dfa920a528bd45cb183aeda6a6f70a8

      SHA512

      6a50f8f466c6173ed17f69bf1970135b44cad77601b24d3cef7a6aaa8d40d7c6a54aca0faadaa545de3e8cd19708e0b07188efe964db4723e3a6cca451f22dc2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d4f2ec4aedfe3b39c4cf60eb2b4614b5

      SHA1

      f0936cc5bbd692e595e12b1c8af3656b634e59fa

      SHA256

      9491f612de062019ee7480b9c4ef561e5a1a21ec38a50e3da3242da4a9669c7b

      SHA512

      bcff0355d4001afa675b72fdbea960d330390a692bfb00bcf0932144cb802b5e7293745e978cdcc83a3ecf82baf7c9e04c835eb5705bcdf8463bd6dccddbd1f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      27498612886ec7d2f14ea219b16a4e83

      SHA1

      62d68489b9cf3dae0b96921be8023bd22fc0ba3a

      SHA256

      9e4c452a04debfedc36166f2e4976f900a26c12a3364dfc9efadb856a9c02f1e

      SHA512

      ae3f7f780f14d3dc5eb274c3b2f037c895696dca4d3c1aa2f255a4dfb1abb5ef78dc3262da18755dd3ee16e536dce2a924cdb138f1b32b1eed5442134ae67682

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_poinn2g4.n41.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XClient.exe
      Filesize

      49KB

      MD5

      92bc0dad236bed95c0503c72049d7f7b

      SHA1

      f68dc458b17f797f06fca1b61f058caead9b3560

      SHA256

      2e40036d668ff96a553bde8c62dab4f7ac024256deaa2e68f1e19fe94a2f98f2

      SHA512

      95b3710e2e0f7fda6cede8fff283e0918b70cd1251fe24eb24cede0b5f8d59188c82d1575dcd60dfe2a1d2e504ae282e1f37329d223b8073048027e2745dd26f

      Download Submit

    • memory/380-0-0x00007FFD9A2E3000-0x00007FFD9A2E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/380-2-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/380-1-0x0000000000950000-0x0000000000962000-memory.dmp

      Filesize

      72KB

      Download

    • memory/380-189-0x00007FFD9A2E3000-0x00007FFD9A2E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/380-190-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2288-9-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2288-10-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2288-13-0x0000016342B60000-0x0000016342BD6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2288-51-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2288-7-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2288-8-0x00000163429B0000-0x00000163429D2000-memory.dmp

      Filesize

      136KB

      Download