Overview

overview

10

Static

static

10

Steam.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    278s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-07-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Steam.exe

  • Size

    300KB

  • MD5

    0dbaccc9c83071046e7a7b1c5abc0610

  • SHA1

    62dde7edace3b8dabc2181f8db9012e42c74724c

  • SHA256

    b60366dfa799f86b4f07d136d0b7779176fb057e04262435c3ef83478987d451

  • SHA512

    ab454858c86a5dbbd95c951b94c66f21e17dcf16f99d0a9bc1c1447485d42119e1759f5412697a4a61143beab274809b77749c4524c54162bc7e0f46ef220f7e

  • SSDEEP

    3072:G+BKtFU9CHOjQAZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ+ZZZZZZZZZZZZZZ8:GtU98+GIIIIIIIhIIIIIIIIIIIIIIIU

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

decision-published.gl.at.ply.gg:3901

Mutex

Fbub7FdLoEHtTFgW

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Steam.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp295D.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp295D.tmp.bat
    Filesize

    157B

    MD5

    9195b2315f6be3aef281751a4f685c5b

    SHA1

    1ec86b2b26d9a2a6f0e0bdf2acbc737a3bf60d89

    SHA256

    f343ff3d511d3cf76fddbd11859b24ee8b96317be40b9101480170cc807b237e

    SHA512

    4ca5eee28139ad33e662847e99c63fa6cc3cf0bc07dcf0c528c34395e6894f3d8f9ecab7a4a574be8bc819408a5e629a934d131b0b8225a7b7e3acbbaed53858

    Download Submit

  • memory/2364-0-0x00007FFCBCFF3000-0x00007FFCBCFF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2364-1-0x0000000000BD0000-0x0000000000C22000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2364-2-0x00007FFCBCFF0000-0x00007FFCBDAB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2364-6-0x000000001BB60000-0x000000001BB6C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2364-7-0x00007FFCBCFF0000-0x00007FFCBDAB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2364-15-0x00007FFCBCFF0000-0x00007FFCBDAB2000-memory.dmp

    Filesize

    10.8MB

    Download