Analysis

  • max time kernel
    195s
  • max time network
    256s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21-06-2024 21:08

General

  • Target

    LabyMоd4.exe

  • Size

    560KB

  • MD5

    2ae96ec953ccf1e0334f53b423a0f9c5

  • SHA1

    ad213f9355f9eba4b1c93f9134d0cae98508c350

  • SHA256

    910351824ec9121d841b498baca5f57acc383f20e6ab755e5d353a9d281c4fb2

  • SHA512

    9dd0157e71086db20d54741ddd304ffc688d85ff01558c3660050a5471ec7c5933590e7fc79cf40147dc866fb3d3c3c7cacec6140ca2d1ff15313686850fb686

  • SSDEEP

    12288:B2rL+p6X35aAXuxGM7bGNMOddnSIXTHUhI:c735aZMzVjUS

Malware Config

Extracted

Family

xworm

C2

restaurant-equation.gl.at.ply.gg:23887

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LabyMоd4.exe
    "C:\Users\Admin\AppData\Local\Temp\LabyMоd4.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\labymod4-installer.jar"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2148
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3288
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4ACF.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

    Filesize

    46B

    MD5

    85beb0ad8a77662c61f86afd1e39702e

    SHA1

    d7e1e72f5c23fe3dded55e7e922151f43f173071

    SHA256

    cf47709f722417a19a6aa4ef955d2498f337f47f1751cf12a17e7ab40a756055

    SHA512

    4a8092e3c8bdce1f2500a0293a1f36a3aa4f49935484f3af7c6dbdb87f4bbcd0fa285e6dfd08c7e0734935a826bb59afc56148724e794ddaa1bb33c88073f577

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    bbb673277fae96ee4bc299672085e949

    SHA1

    731ccb1581a06bff2ca36ca46b20c91c9adc468c

    SHA256

    21a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d

    SHA512

    aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    9457428940093c28ba12bd1e0d6923d2

    SHA1

    74d59812b702b52326c5637633c6c9e002598768

    SHA256

    2e95e0a71659267ee67d80481d501e12f8af26bbb57d8b99859d80394da1bd06

    SHA512

    346d7141fe8a33ccc133d8af85bc78c2fa849fd8afd3f26e683bbc055c9d36d02d31bdf8600d06e49b529a33ecd97ce021ae1f162632743a82b25e30670d491c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    03cca9c43729b7da98f8341f5916e69c

    SHA1

    8c405fd43cc481445f8fa8c5ccd7643489e2355d

    SHA256

    897ce07829843bdd07e0e90b1d7c4ee4984ff61e26566b1356ba8f2352c61488

    SHA512

    25b474d1b1f1a5b7eedf56e0aff9200a64f45545a26470c836c6ca8236b270eb1706cca8cf0afa4281b13f4d7a66f1e8ef6a87685f55f14ea19ea2e2bf02984c

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    190KB

    MD5

    f5cd88548481bd61561698c34fb5b94c

    SHA1

    26ccddacd3d767b5b495ab84db5aed5c1eca72bd

    SHA256

    8b721aab9de7fcd5eda8ad61eb2461b8ad4354142629f9589663874ff42f70ef

    SHA512

    295982830cd04b560c35bbdb6bdfc3a343aec8f7a8289c3650cfc1665e788b4aa877b0c8041ee035b2d6304e317623ca2dde52b5cdd5511b932de4a2150419e9

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0l0ecjx.ho5.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\labymod4-installer.jar

    Filesize

    341KB

    MD5

    65b10a02e94334034adb7251a1d521e2

    SHA1

    05b4bb293d461d0d2943b0b3209f4cc0afba35b2

    SHA256

    23ddcafd86f95231752b6f2ad7b9532c01c7043fb795ea4faaa3d09ba5ab35bb

    SHA512

    8fcc63df10dc17b9648945a81574a786bfa01db69e63e889dd18e0be0c60c0ee9d222b240d644982e759f79f139a9b573f9d0b03c025e558c15eaebb5fcc596d

  • C:\Users\Admin\AppData\Local\Temp\tmp4ACF.tmp.bat

    Filesize

    159B

    MD5

    0f89235147e5650d508e934b2a4c7268

    SHA1

    08c880a025febfa4c034700510794b9c0db6b46f

    SHA256

    34ed357c961b948ca79d911c1dfe0e43c58d4eee098bfee8ba04421f4e39774e

    SHA512

    079f5cd68b658525b213b58fc17d9986f8e0e33b01048a89bf78f817b0a716b4c397657d97ccbdff815d9ff9fcb5f70f9943d7fc80327df07e075079b6c7f0dc

  • memory/3676-300-0x000002D4CECB0000-0x000002D4CECB1000-memory.dmp

    Filesize

    4KB

  • memory/3676-34-0x000002D4CECB0000-0x000002D4CECB1000-memory.dmp

    Filesize

    4KB

  • memory/3676-14-0x000002D4D0590000-0x000002D4D0800000-memory.dmp

    Filesize

    2.4MB

  • memory/3676-289-0x000002D4CECB0000-0x000002D4CECB1000-memory.dmp

    Filesize

    4KB

  • memory/3676-302-0x000002D4D0590000-0x000002D4D0800000-memory.dmp

    Filesize

    2.4MB

  • memory/3844-11-0x00000000005C0000-0x00000000005F6000-memory.dmp

    Filesize

    216KB

  • memory/3844-10-0x00007FF959C93000-0x00007FF959C94000-memory.dmp

    Filesize

    4KB

  • memory/3844-59-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

    Filesize

    64KB

  • memory/3844-301-0x00007FF959C93000-0x00007FF959C94000-memory.dmp

    Filesize

    4KB

  • memory/3844-303-0x000000001C260000-0x000000001C26C000-memory.dmp

    Filesize

    48KB

  • memory/3844-304-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

    Filesize

    64KB

  • memory/4420-110-0x000001903F5C0000-0x000001903F636000-memory.dmp

    Filesize

    472KB

  • memory/4420-107-0x000001903F0A0000-0x000001903F0C2000-memory.dmp

    Filesize

    136KB