Overview

overview

10

Static

static

3

main.exe

windows10-2004-x64

10

main.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    10s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    43KB

  • MD5

    ad4efdfce404977b56d0f104188f325b

  • SHA1

    015f68788843c6d8f2d8a89151ae96f19732f506

  • SHA256

    7b6328329414fa681a268fbda25b3ee454bf1dcb3706e29d724d1038c700b9ab

  • SHA512

    1f114d722200bd7bb1b87e487330d7065b4d6da3cfe9f02f699503d263a547857ecfe89cef4e04f6f981af12325863b39aa19b5f550357d35b3aea69f3fb35b6

  • SSDEEP

    768:oIIrUKPPi2ojXLkL+Dj3jV9sTi/UJrOaqBbxA63/nlea:oIWpP62oTLk2jTLsO/mqj/nlea

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:41402

Attributes
  • Install_directory

    %AppData%

  • install_file

    Teams.exe

  • telegram

    https://api.telegram.org/bot7251026627:AAFe7iqGz4Cd2IluTlmdghq0XQUzAYL6FpY

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\proxy.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\system32\cscript.exe
        cscript //nologo temp.vbs
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\proxy.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\system32\findstr.exe
            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\proxy.bat"
            5⤵
              PID:3204
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:856
              • C:\Windows\System32\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2404
              • C:\Windows\system32\taskkill.exe
                "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
                6⤵
                • Kills process with taskkill
                PID:3008
      • C:\Users\Admin\AppData\Local\Temp\Teams.exe
        "C:\Users\Admin\AppData\Local\Temp\Teams.exe"
        2⤵
          PID:1948
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\Admin\AppData\Roaming\Teams.exe"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Teams.exe
        Filesize

        174KB

        MD5

        5b0b34c692864a86067b8dd7cfe9279f

        SHA1

        57df0126235d5ede2c0f069e90488792a13f6b9f

        SHA256

        3a111ab1f2d61a9a2e4be2a37657b9d7627a55c414fb5885e3ece64f5f18a2a8

        SHA512

        20b076be2e23ef09a25e697e81c60645a0217fcb31695c50a533d32a35bb3b9fa73e15b1559ef21bed888c49b37a58cd4664da7eb5ce1517797c9655d42c46e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bx0r2oiu.3ma.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kdotZhVstg.bat
        Filesize

        172B

        MD5

        77b306681eb30f5c0b0ed03bc452918d

        SHA1

        66ec571ecb739fae0ddafabd6e252831168ff14d

        SHA256

        e2796d978e3f0b205ac1f9951f5689db8322955bff5aa5f7377c245c5076388e

        SHA512

        50d3e76e8b1fc7b90db5c461bace88604195aeddee17238b7124494969f4ae8b802b868c476962bb316ba818be36a120ca849dc15e18cfee1a7b40fc0f224690

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\proxy.bat
        Filesize

        3.4MB

        MD5

        768430c61888f6865e096ff1095d5013

        SHA1

        fadd8fb1c3bc5b76f5c5a1894e8aa7e1aca46624

        SHA256

        979a8c58e1589fcda32d1dd95ad199826ee5f9e05af33956f76fd632566ca44a

        SHA512

        125345722ecee2c89327ed1e2bf44c6f9872fa07b7406371751e5125ea3b09573f262720e94431564da075d6cd4eafdd61950fa87080b7f384683bd36554ea7a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\temp.vbs
        Filesize

        93B

        MD5

        846dde9e8c14ebae4e11d791674c8008

        SHA1

        d3779c868307680070cfd752bc64ee07cb88ed9f

        SHA256

        8f9f145d06f96fcd364e4ffc7942816cd717c679745f6db9ae51054e4dbeb945

        SHA512

        99c496241db187980b4e6d92d4c986475c8b5b341590be9b33ea8cc428a5ddcb18314508f36b8738c3856dc4a658370f1703df066c2c9609525b5b68a26a5149

        Download Submit

      • memory/856-32-0x000002DC210F0000-0x000002DC21112000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1948-53-0x0000000000C20000-0x0000000000C52000-memory.dmp

        Filesize

        200KB

        Download