Overview

overview

10

Static

static

10

topwareBetaV2.zip

windows7-x64

8

topwareBetaV2.zip

windows10-2004-x64

1

topwareBet...ms.dll

windows7-x64

1

topwareBet...ms.dll

windows10-2004-x64

1

topwareBet...sk.exe

windows7-x64

5

topwareBet...sk.exe

windows10-2004-x64

5

topwareBet...in.exe

windows7-x64

10

topwareBet...in.exe

windows10-2004-x64

10

topwareBet...se.exe

windows7-x64

10

topwareBet...se.exe

windows10-2004-x64

10

topwareBet...or.dll

windows7-x64

1

topwareBet...or.dll

windows10-2004-x64

1

topwareBet...in.dll

windows7-x64

1

topwareBet...in.dll

windows10-2004-x64

1

topwareBet...rt.dll

windows7-x64

1

topwareBet...rt.dll

windows10-2004-x64

1

topwareBet...ug.exe

windows7-x64

8

topwareBet...ug.exe

windows10-2004-x64

8

topwareBet...ug.log

windows7-x64

1

topwareBet...ug.log

windows10-2004-x64

1

topwareBet...on.dll

windows7-x64

1

topwareBet...on.dll

windows10-2004-x64

1

topwareBet...nt.dll

windows10-2004-x64

3

topwareBetaV2/lz4.dll

windows7-x64

1

topwareBetaV2/lz4.dll

windows10-2004-x64

1

topwareBet...ts.dll

windows7-x64

1

topwareBet...ts.dll

windows10-2004-x64

1

topwareBet...ect.js

windows7-x64

3

topwareBet...ect.js

windows10-2004-x64

3

topwareBet...are.py

windows7-x64

3

topwareBet...are.py

windows10-2004-x64

3

topwareBet...sh.dll

windows7-x64

1

Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    07/07/2024, 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    topwareBetaV2/bin/release/release.exe

  • Size

    64KB

  • MD5

    36969de6b4bf8de24684de1bb71f624f

  • SHA1

    0327d7d9d7f739e4b09bab680249ed997a281c9b

  • SHA256

    57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf

  • SHA512

    cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548

  • SSDEEP

    1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

79.110.49.233:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    VSREDIST.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\topwareBetaV2\bin\release\release.exe
    "C:\Users\Admin\AppData\Local\Temp\topwareBetaV2\bin\release\release.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\topwareBetaV2\bin\release\release.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'release.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VSREDIST.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VSREDIST.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a25cd1916a3d7ccffacbaa38ca36e9f3

    SHA1

    e5e33ea69b5f4a2e7f594ae453c81ac024cd0447

    SHA256

    fef87c776c64ca79f92d40a863d35a46ddd71302fdd0d7a041b194becba292ce

    SHA512

    5e6e5affd0023e17f90f2d2f307f6779741d50356ba6f026207844b301538e73147ddf861b3a2208b3eb5611750b699d52300f484bfde009f14cc432ba7e551c

    Download Submit

  • memory/2600-14-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2600-15-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2788-7-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2788-8-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2980-1-0x0000000000C20000-0x0000000000C36000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2980-0-0x000007FEF5123000-0x000007FEF5124000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2980-2-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2980-31-0x000007FEF5123000-0x000007FEF5124000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2980-32-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

    Filesize

    9.9MB

    Download