Analysis

  • max time kernel
    121s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 00:17

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe

  • Size

    551KB

  • MD5

    e30e2fe91be631b7bb50916d7b521c29

  • SHA1

    7174d5827f6a97e102ed84dc4083a535eb101dc3

  • SHA256

    5251566d0b8a27c5399efb9e5298c1c50fda246e3f15c8ebccf7d21282edede3

  • SHA512

    9ebe8208832e63efce3c0d8e158695e2b308852dfa07525b74b38a29ee1245f035395b8e17e2a5f4c4afbb6d39cadd619425ed9e67f1348aa01a1e89c83afece

  • SSDEEP

    12288:/B7jZhysUp6eR1QBNHDt11EpWrcKIx6AB/PX6BPLAzibNv0dY:/xZETp6eoNHDt1mmbroPX6BLoihv0C

Malware Config

Extracted

Family

xworm

Version

3.1

C2

rwanco.duckdns.org:1515

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UhDXQPNrTOujT.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UhDXQPNrTOujT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2858.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2584
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2858.tmp

    Filesize

    1KB

    MD5

    159c83c0ad167467cf4386fc66fa9721

    SHA1

    f2ad3ea9273a98c53f3bb5b1bbb18616c04ed00d

    SHA256

    7e3cb325fe50fe8adbc422d7f6624357e6855f1b9a384e5ad56cf9f1379eb706

    SHA512

    7507381c0c5060944181654c343ea4a066b24d4e6623b36a5f1a6a39f1e0e3ca0350b812fe990a7eb461d793ab678db11438092b99b41eb5ab55c70635a1b8b2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    18106e5e2963b1c1301b7402f9f3e3f0

    SHA1

    b87f0c7696243a9fd6d2b8d8cbdfee73df0e22d5

    SHA256

    c5d43ee0e8712359e06ff0116c6370d3767f274e7b1dab3cb5c5f89213f635ce

    SHA512

    739acafe48ef970291de7f2547ae135aeaa5a2e69d3da5c828c179f6ec9e62323534bf8b69cd049f996fcc86072bf0593c3fa80433880b617b2ccc8cfed7540a

  • C:\Users\Admin\AppData\Roaming\SecuriteInfo.com.Win32.PWSX-gen.24441.7577.exe

    Filesize

    551KB

    MD5

    e30e2fe91be631b7bb50916d7b521c29

    SHA1

    7174d5827f6a97e102ed84dc4083a535eb101dc3

    SHA256

    5251566d0b8a27c5399efb9e5298c1c50fda246e3f15c8ebccf7d21282edede3

    SHA512

    9ebe8208832e63efce3c0d8e158695e2b308852dfa07525b74b38a29ee1245f035395b8e17e2a5f4c4afbb6d39cadd619425ed9e67f1348aa01a1e89c83afece

  • memory/2620-17-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-25-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-15-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-24-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-26-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-19-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-21-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2620-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2824-4-0x0000000000480000-0x0000000000492000-memory.dmp

    Filesize

    72KB

  • memory/2824-5-0x0000000000740000-0x0000000000748000-memory.dmp

    Filesize

    32KB

  • memory/2824-7-0x0000000004F20000-0x0000000004F78000-memory.dmp

    Filesize

    352KB

  • memory/2824-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

    Filesize

    4KB

  • memory/2824-6-0x0000000000750000-0x000000000075E000-memory.dmp

    Filesize

    56KB

  • memory/2824-27-0x0000000074E70000-0x000000007555E000-memory.dmp

    Filesize

    6.9MB

  • memory/2824-3-0x0000000074E70000-0x000000007555E000-memory.dmp

    Filesize

    6.9MB

  • memory/2824-2-0x00000000047D0000-0x000000000486A000-memory.dmp

    Filesize

    616KB

  • memory/2824-1-0x0000000000E80000-0x0000000000F0E000-memory.dmp

    Filesize

    568KB