Overview

overview

10

Static

static

10

агу агу.exe

windows7-x64

10

агу агу.exe

windows10-1703-x64

10

агу агу.exe

windows10-2004-x64

10

агу агу.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    316s
  • max time network
    1592s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-07-2024 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    агу агу.exe

  • Size

    66KB

  • MD5

    5c434aad5f00636f72eacd2629bd94d3

  • SHA1

    97d58aa930ca9033c03225f227643c0d3f363565

  • SHA256

    6fc07b159dc07440be552269b3744451ffb4de70d31cbb42ac26e153c02c57c2

  • SHA512

    aa193cc01233441f47e57b447b53fc337da9d93e4e4b012d2f298e0899e474e06ef678098cad6d31d47d4c208702d6a4953f34eb228fd71569d0e7f1959f87ac

  • SSDEEP

    1536:pumiy1u+SnmhVvUdp6S7rbxIsaM26/OkDBUs0:Dw+S6Od4YrbxI8OsBUx

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

positive-you.gl.at.ply.gg:16734

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7343225892:AAGJ-_TVGwSK_6PGyafbOWbFKwsijptXrto/sendMessage?chat_id=944774411

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\агу агу.exe
    "C:\Users\Admin\AppData\Local\Temp\агу агу.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\агу агу.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'агу агу.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4224
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4388
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
      2⤵
        PID:4612
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF107.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:3136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      ad5cd538ca58cb28ede39c108acb5785

      SHA1

      1ae910026f3dbe90ed025e9e96ead2b5399be877

      SHA256

      c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

      SHA512

      c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      4a3f55af3cd097738f59bd00c380e56c

      SHA1

      3b01adc6d12cd95b3b24dcd3058943f0ab6f5009

      SHA256

      710a077f1119790588e5d74a6e6e0c947dd1df33ee746e52452a28a6be44e41d

      SHA512

      a1ebd64ec1b7b9eacef347289947fea3fa09cf9b1f6a438198ac206ac8d849e555d7313fe9f076f8fa0fae8e8fe65344cd9a710cb0e077b0b25c8434442a77e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      434df5698af0e0f7515d2c8bd0053e6f

      SHA1

      ac213e2a9f941c1ab39f7b509d18aeedc0dbda41

      SHA256

      d148742ea23d95bd7356a37758b7b78ca4eb3a2a50a78ddad90a75d6866d5495

      SHA512

      8d1902011e79f607a2e59a5542ddf3de1e5224859e8bda486fa6b621e941510635fe7c29d3bf9c3ef754302c9ec18fb711bdd57fb5ca9966a4f6abc0069585f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      e6c391993304a6607b93c6d2e6c8451a

      SHA1

      0190e42af69da77262dd40e48043cff2e3c147ec

      SHA256

      e2c230671177725ed3709cb3c95eefd5dadd707a4dfe77af1e3026448345729a

      SHA512

      bfd663ccc6f7337b6a77d6c2766caafb563a3ce228e5a3106f576961b65dc93ac28cad0b2c8d487278b9d8fe824b55bd2d901e395c51af8bf6ce38582ac1cd02

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bkv44uwj.cpo.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpF107.tmp.bat
      Filesize

      165B

      MD5

      e4e5620b9d83091d798918559f5d25f7

      SHA1

      f36fa3802079179e9b9c044f3e41e996088d5949

      SHA256

      201625b09d72d5205054233d047f016767403036cde748436e17afa91e9bb902

      SHA512

      1a33d97bd59a9d3d73d6baab2dc8b4e42e4f16d5ad668067c4a1d83ae7dd255a8e8dd74cb35929f6d839afb75a9be9d4b1f10ca91497027b04d3f106b9d7cf92

      Download Submit

    • memory/3060-8-0x000002327E910000-0x000002327E932000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3060-12-0x000002327EBF0000-0x000002327EC66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3060-13-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3060-51-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3060-10-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3060-7-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/5060-0-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/5060-2-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/5060-183-0x00007FFE32143000-0x00007FFE32144000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5060-184-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/5060-1-0x00007FFE32143000-0x00007FFE32144000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5060-190-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

      Filesize

      9.9MB

      Download