Overview

overview

10

Static

static

10

fix.exe

windows7-x64

10

fix.exe

windows10-2004-x64

10

Resubmissions

01-07-2024 12:05

240701-n9bt2s1akf 10

01-07-2024 11:59

240701-n5w97atdqr 10

Analysis

  • max time kernel
    118s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fix.exe

  • Size

    35KB

  • MD5

    83bbe29b99a54bad48074efb72ce1fcc

  • SHA1

    421deeba13130a8eebacc8c7f48f28e6fe8485f2

  • SHA256

    99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

  • SHA512

    67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f

  • SSDEEP

    768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fix.exe
    "C:\Users\Admin\AppData\Local\Temp\fix.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefd49758,0x7feefd49768,0x7feefd49778
      2⤵
        PID:1880
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:2
        2⤵
          PID:2776
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:8
          2⤵
            PID:2896
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:8
            2⤵
              PID:2580
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:1
              2⤵
                PID:580
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:1
                2⤵
                  PID:1396
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1160 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:2
                  2⤵
                    PID:1952
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3196 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:1
                    2⤵
                      PID:1428
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:8
                      2⤵
                        PID:1668
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1236,i,10970596290991213600,4635549291737484061,131072 /prefetch:8
                        2⤵
                          PID:2664
                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                        1⤵
                          PID:2372

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\17d7f694-464a-4719-8522-6842ff0ee0ed.tmp
                          Filesize

                          279KB

                          MD5

                          40fca558f0178e1b9bb0771012f09b45

                          SHA1

                          14a23db19bad3eb57e7fbca78203a6d033d88ffa

                          SHA256

                          5cc834a729dafdb7fd80776561b4c3b10ddde2090a609ff58ce7b00061fe1eca

                          SHA512

                          27e2a22a1e4bda4b55fd812850d781aa9b3ad823a6aa1a215399b0bdf337c3f7736b0e438d10524a0fc86de80bff0d58d897d13c943a8470fde7908ab9f576f0

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                          Filesize

                          264KB

                          MD5

                          f50f89a0a91564d0b8a211f8921aa7de

                          SHA1

                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                          SHA256

                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                          SHA512

                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
                          Filesize

                          16B

                          MD5

                          18e723571b00fb1694a3bad6c78e4054

                          SHA1

                          afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                          SHA256

                          8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                          SHA512

                          43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          f506d563671f69c0685f4f6dae67e6d4

                          SHA1

                          59aef1cb6b0f109e1fa18e7dc7763094af84aa01

                          SHA256

                          ce39d0f4638e1801d64fef449581e5a44ab6fb742f25718f91ea94f4e6a238aa

                          SHA512

                          1a3ec88c2fab02adebd38180f9622eeff76bcdd1c77fa9b599ef46427842456b973bfacecada55349079c262cb863c6fd03df298214caba9d6b2255021171fc0

                          Download Submit

                        • \??\PIPE\srvsvc
                          MD5

                          d41d8cd98f00b204e9800998ecf8427e

                          SHA1

                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                          SHA256

                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                          SHA512

                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                          Download Submit

                        • memory/2584-8-0x00000000028F0000-0x00000000028F8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2584-7-0x000000001B510000-0x000000001B7F2000-memory.dmp

                          Filesize

                          2.9MB

                          Download

                        • memory/2584-6-0x00000000027F0000-0x0000000002870000-memory.dmp

                          Filesize

                          512KB

                          Download

                        • memory/2808-14-0x000000001B650000-0x000000001B932000-memory.dmp

                          Filesize

                          2.9MB

                          Download

                        • memory/2808-15-0x0000000001E00000-0x0000000001E08000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2904-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2904-28-0x0000000000C50000-0x0000000000CD0000-memory.dmp

                          Filesize

                          512KB

                          Download

                        • memory/2904-29-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2904-30-0x0000000000B90000-0x0000000000B9C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2904-31-0x0000000000C50000-0x0000000000CD0000-memory.dmp

                          Filesize

                          512KB

                          Download

                        • memory/2904-1-0x0000000000F80000-0x0000000000F90000-memory.dmp

                          Filesize

                          64KB

                          Download