Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    04/07/2024, 23:11 UTC

General

  • Target

    injector.exe

  • Size

    49KB

  • MD5

    37fbd83271e9f0a2dbe4372ec015c23f

  • SHA1

    7deaca82f648bc67b5cc86e20696fff3a6a957a9

  • SHA256

    b6a0c0000264b84cffcf9fd20e7a6321a6ca97be8babf2092805fbb5ae577809

  • SHA512

    a3eff87bf8f4d8265706aa366060b661628a8621441762078356e029ea23f6369bf3d807e33b4ca8ff0adb84f8ab17cd46fd7a5387237c2be81ba57d83c7d300

  • SSDEEP

    768:ZWO7VMyjFxpyKlSFyx9DKx6YOjhNOKEkzbwonH8wSpO1bNX:ggVMy/sBFU9DU6YOjq1EwoH865F

Malware Config

Extracted

  • Family
    xworm
  • Version
    5.0
  • C2
    https://pastebin.com/raw/r8P3Ngmc:324
    (host and port as embedded in the sample; the host is a dead-drop URL rather than the listening C2 itself, cf. pastebin_url below and the Network section)
  • Mutex
    LrtSM6IVyhGy1fuw
  • Attributes
    • Install_directory
      %AppData%
    • install_file
      injector.exe
    • pastebin_url
      https://pastebin.com/raw/r8P3Ngmc
  • aes.plain
    1
    5xpPAVLsjVHY711wcqbL/w==

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run: two -ExclusionPath calls (the Temp and Roaming copies of injector.exe) and two -ExclusionProcess calls for injector.exe, all launched with -ExecutionPolicy Bypass.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector.exe
    "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3000
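
Detection logic for the pattern in the process tree above, as an added example (not code from the report or from any detection product): an executable running from a user-writable directory spawns powershell.exe with -ExecutionPolicy Bypass to add Defender exclusions for its own path and process name. The process-creation records are constructed from the four PowerShell command lines in the tree plus one benign administrative exclusion that must not fire; the field names (pid, parent_image, image, command_line) are this example's own naming, not any product's event schema.

```python
"""Flag self-excluding Add-MpPreference children (added example)."""
import ntpath  # Windows path handling, so this also runs on non-Windows hosts
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Every "-Exclusion<Kind> <value>" pair; value may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
# Directories a standard user can write to.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\|^[A-Z]:\\Users\\Public\\|^[A-Z]:\\ProgramData\\|\\Temp\\",
    re.IGNORECASE,
)


def parse_exclusions(command_line: str) -> list[tuple[str, str]]:
    """Return [(kind, value), ...] for an Add-MpPreference command line, else []."""
    if not re.search(r"\bAdd-MpPreference\b", command_line, re.IGNORECASE):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(command_line):
        value = next(g for g in m.groups()[1:] if g is not None)
        found.append((m.group(1).lower(), value))
    return found


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.search(path))


def is_powershell(image: str) -> bool:
    return ntpath.basename(image).lower() in ("powershell.exe", "pwsh.exe")


def analyze(events: list[ProcEvent]) -> list[dict]:
    """Flag PowerShell children that add Defender exclusions in suspicious context.
    Each finding lists the reasons so an analyst can see why it fired."""
    findings = []
    for ev in events:
        if not is_powershell(ev.image):
            continue
        exclusions = parse_exclusions(ev.command_line)
        if not exclusions:
            continue
        parent_name = ntpath.basename(ev.parent_image).lower()
        reasons = []
        if is_user_writable(ev.parent_image):
            reasons.append("parent runs from a user-writable path")
        if re.search(r"-ExecutionPolicy\s+Bypass", ev.command_line, re.IGNORECASE):
            reasons.append("-ExecutionPolicy Bypass")
        for kind, value in exclusions:
            if kind == "path" and is_user_writable(value):
                reasons.append(f"excludes user-writable path {value}")
            if kind == "path" and ntpath.basename(value).lower() == parent_name:
                reasons.append(f"parent excludes its own image {value}")
            if kind == "process" and value.lower() == parent_name:
                reasons.append(f"parent excludes its own process name {value}")
        if reasons:
            findings.append({"pid": ev.pid, "parent": ev.parent_image,
                             "exclusions": exclusions, "reasons": reasons})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\injector.exe"

# Constructed records mirroring the report's four PowerShell children, plus one
# benign administrative exclusion (explorer.exe parent, Program Files path).
SAMPLE_EVENTS = [
    ProcEvent(1940, INJECTOR, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{INJECTOR}\''),
    ProcEvent(2748, INJECTOR, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'injector.exe\''),
    ProcEvent(4132, INJECTOR, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'C:\\Users\\Admin\\AppData\\Roaming\\injector.exe\''),
    ProcEvent(3000, INJECTOR, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'injector.exe\''),
    ProcEvent(5120, r"C:\Windows\explorer.exe", PS, f'"{PS}" Add-MpPreference -ExclusionPath \'C:\\Program Files\\Vendor\\Scanner\''),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["exclusions"], "->", "; ".join(f["reasons"]))
```

The same conditions map onto Sysmon Event ID 1 or Security 4688 fields (ParentImage, Image, CommandLine); on hosts where script block logging is on, the Add-MpPreference text also appears in PowerShell Operational 4104, and each successful exclusion change is recorded by Defender as event 5007, which is the log to pivot to when the process-creation record is gone.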

Network

  • DNS  pastebin.com  (injector.exe)  via 8.8.8.8:53  [US]
    Request
      pastebin.com IN A
    Response
      pastebin.com IN A 104.20.4.235
      pastebin.com IN A 104.20.3.235
      pastebin.com IN A 172.67.19.24
  • GET  https://pastebin.com/raw/r8P3Ngmc  (injector.exe)  remote 104.20.4.235:443  [US]
    Request
      GET /raw/r8P3Ngmc HTTP/1.1
      Host: pastebin.com
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Thu, 04 Jul 2024 23:11:30 GMT
      Content-Type: text/plain; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      x-frame-options: DENY
      x-content-type-options: nosniff
      x-xss-protection: 1;mode=block
      cache-control: public, max-age=1801
      CF-Cache-Status: HIT
      Age: 210
      Last-Modified: Thu, 04 Jul 2024 23:08:00 GMT
      Server: cloudflare
      CF-RAY: 89e2cb76ceeb77b2-LHR
  • DNS  235.4.20.104.in-addr.arpa  (no process attributed)  via 8.8.8.8:53  [US]
    Request
      235.4.20.104.in-addr.arpa IN PTR
    Response
      (empty)
  • DNS  20.ip.gl.ply.gg  (injector.exe)  via 8.8.8.8:53  [US]
    Request
      20.ip.gl.ply.gg IN A
    Response
      20.ip.gl.ply.gg IN A 147.185.221.20
  • DNS  20.221.185.147.in-addr.arpa  (no process attributed)  via 8.8.8.8:53  [US]
    Request
      20.221.185.147.in-addr.arpa IN PTR
    Response
      (empty)
  • DNS  11.227.111.52.in-addr.arpa  (no process attributed)  via 8.8.8.8:53  [US]
    Request
      11.227.111.52.in-addr.arpa IN PTR
    Response
      (empty)
  • 20.231.121.79:80
    46 B
    1
  • 104.20.4.235:443
    https://pastebin.com/raw/r8P3Ngmc
    tls, http
    injector.exe
    720 B
    3.8kB
    8
    8

    HTTP Request

    GET https://pastebin.com/raw/r8P3Ngmc

    HTTP Response

    200
  • 147.185.221.20:58343
    20.ip.gl.ply.gg
    injector.exe
    852 B
    528 B
    10
    11
  • 8.8.8.8:53
    pastebin.com
    dns
    injector.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.4.235
    104.20.3.235
    172.67.19.24

  • 8.8.8.8:53
    235.4.20.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    235.4.20.104.in-addr.arpa

  • 8.8.8.8:53
    20.ip.gl.ply.gg
    dns
    injector.exe
    61 B
    77 B
    1
    1

    DNS Request

    20.ip.gl.ply.gg

    DNS Response

    147.185.221.20

  • 8.8.8.8:53
    20.221.185.147.in-addr.arpa
    dns
    73 B
    130 B
    1
    1

    DNS Request

    20.221.185.147.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f9db1383d522155506432a20ea7c54e2

    SHA1

    1660a5a066c2a26393ce3b34d6a8af5e7971988c

    SHA256

    37eef42208d2a9bbebbb33c89019767dd6c174aefbe8418325a1a35c71d8b201

    SHA512

    43ef8de0cf06dbc272a60c4d2d059dce3cd83623dc0710a2e7beee1af0b4119d6199295694c6c5815f0e04dbb079a1cb2b30c40607165f1522c8ba1a0bbb3eab

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    0a3b4c8627c2eb142bdca79039dbfb7a

    SHA1

    2ac7226d22c2737ce12033525006fae371de5167

    SHA256

    6f5346d0ffbf8cc3810d36214830203560de3ea476261468b7b62393df1c0c55

    SHA512

    4de0cfc110f57e039270df7870a9f4dd5ebce9c7c7530a0e01679cc01d9554a25303df943b186fa97bcdb8c080de3052ef9d8c0634587323614da65ba1f40005

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    8e68d0b1881b9084b62529aacdfda63b

    SHA1

    6e94ca42a8c817aa94b6f204212bde71b71927b6

    SHA256

    0876f27a62ea7970aadd4f3468bfe3f3c8823b557ec940dfd4aebb3ff434de02

    SHA512

    6c7e1198f1e27815c5c90bf10c2f93f3ff20d96e1054d55b1b8835c260db0173f388430dbe4b35dca918be575f58226506b1d3e53142b87a8c18f9723dc0612a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxeate4v.ckg.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/1940-10-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-11-0x000001AD7DCB0000-0x000001AD7DD26000-memory.dmp

    Filesize

    472KB

  • memory/1940-12-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-41-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-48-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-52-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-9-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-6-0x000001AD7D9B0000-0x000001AD7D9D2000-memory.dmp

    Filesize

    136KB

  • memory/4588-0-0x0000000000140000-0x0000000000152000-memory.dmp

    Filesize

    72KB

  • memory/4588-1-0x00007FFE25063000-0x00007FFE25064000-memory.dmp

    Filesize

    4KB

  • memory/4588-187-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/4588-188-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB

  • memory/4588-191-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

    Filesize

    9.9MB
