Overview

overview

10

Static

static

1

order_docu...642.js

windows7-x64

10

order_docu...642.js

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/06/2024, 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order_document_sheet#PO35642.js

  • Size

    576KB

  • MD5

    da2a00db4ad85a7c84c8e3bdd158ed5b

  • SHA1

    fac36df9615e08267ca51c5c32db76b5d5a3b047

  • SHA256

    0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e

  • SHA512

    e09e36d25ccbc7b443c215adcd013c40da9d78c82ae479326c4f92b8fabc26b8fa3f6c937fdd2b717f37330999d03928c02cd98ba0c0987245e9118770976e66

  • SSDEEP

    12288:p68zPt15vj0FBKG5UmvOvhdvHVJwvPRjgTC7oS8Qo/A5Ih:p68zPRIFBOdvHvwXyTC7o5bh

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

107.175.101.198:7000

Mutex

dvNrQCwanoQ9ouuD

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
      "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3304
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmpDqhdDQk.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmpDqhdDQk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE000.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2764
      • C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
        "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    0b88e4fd7c9a97b290cc24dfa4170818

    SHA1

    fb4627e105ca824ce58adb064210464907168bad

    SHA256

    2cf86a5639643a3f04a4faa207d2ec4e4f970ca26b4464901b7d1ebadeedbe0b

    SHA512

    8c7458940939807e24d08a5c6f256831ff8fd86d5ef3addd760b48b42b58255fca58680339b66faabc4a4ddef4b7e042f2c594a59ac853188289a368969c1a44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyv4xaus.pnb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
    Filesize

    432KB

    MD5

    22269c9e26e7aa5d4168bb2b7acad1b3

    SHA1

    9c18f20bceeeb671f745458b4bf4f8d217a84173

    SHA256

    0ca04624018e1b0234ad520ab681fc7357f5dc1b537f860fc9a4849b4c207b11

    SHA512

    a3c0a97eed520fb5bd6578b48bf8992fd62ae913eb5b3940423800a2f913614b5c7eb39d0fd038f4edd98aa5512a16dabcc5f8c601ac93260af8d91dd9350e17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpE000.tmp
    Filesize

    1KB

    MD5

    9b873a08c845d28ef133c5eca26c933c

    SHA1

    3f275d6640aedc4a7b94aefc4ebf6b526b0ab1ea

    SHA256

    f5fead25a6ec33adf70b9c9d9760e9dc9ce72c77a1b4cd74fafeecac82fbce37

    SHA512

    adb374cc392bb0e78ed4dabf0528cb6b189d9c6fd1d0f771327baf693cd101c44a8ceaa5c1fe19c5be0f3a42b28c101ad341adc752708e0548a623666b1fd9fd

    Download Submit

  • memory/1984-80-0x00000000076B0000-0x0000000007753000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1984-82-0x00000000077E0000-0x00000000077FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1984-58-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1984-69-0x0000000007490000-0x00000000074AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1984-59-0x00000000750C0000-0x000000007510C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1984-83-0x0000000007850000-0x000000000785A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1984-86-0x0000000007A10000-0x0000000007A1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1984-45-0x0000000005EB0000-0x0000000006204000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3024-20-0x0000000006A10000-0x0000000006A1C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3024-18-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3024-11-0x000000007481E000-0x000000007481F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-12-0x0000000000D20000-0x0000000000D92000-memory.dmp

    Filesize

    456KB

    Download

  • memory/3024-13-0x0000000005C40000-0x00000000061E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3024-14-0x0000000005780000-0x0000000005812000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3024-21-0x0000000006A30000-0x0000000006A80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3024-52-0x000000007481E000-0x000000007481F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-16-0x0000000074810000-0x0000000074FC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3024-55-0x0000000074810000-0x0000000074FC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3024-15-0x0000000005940000-0x000000000594A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3024-17-0x00000000059F0000-0x0000000005A8C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3024-19-0x0000000006A00000-0x0000000006A08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3304-26-0x00000000050B0000-0x00000000050E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3304-84-0x0000000007BF0000-0x0000000007C86000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3304-70-0x00000000750C0000-0x000000007510C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3304-56-0x0000000006640000-0x000000000665E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3304-30-0x0000000005ED0000-0x0000000005F36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3304-81-0x0000000007FC0000-0x000000000863A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3304-57-0x0000000006680000-0x00000000066CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3304-87-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3304-29-0x0000000005E60000-0x0000000005EC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3304-27-0x0000000005790000-0x0000000005DB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3304-85-0x0000000007B70000-0x0000000007B81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3304-88-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3304-89-0x0000000007C90000-0x0000000007C98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3304-28-0x0000000005DC0000-0x0000000005DE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4724-51-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download