Overview

overview

10

Static

static

10

FunCheker.exe

windows10-1703-x64

10

Resubmissions

02/02/2025, 23:14

250202-275k8stmfq 10

23/07/2024, 16:49

240723-vbvb3azcqj 10

19/07/2024, 18:30

240719-w5nl2sxgkd 10

Analysis

  • max time kernel
    120s
  • max time network
    110s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/07/2024, 18:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    FunCheker.exe

  • Size

    58KB

  • MD5

    e1037ff08530e97f312f2c5cae895646

  • SHA1

    0439ffa576cec17918ed1e83144fdecd5bb5292e

  • SHA256

    1321a9ac30ec543ff79880144cf9358153122b0a7cb554ae5e1ef68d4dc010ed

  • SHA512

    980298958868a71505fd7c81f773430b5687f8f76a06aa6b64dfe321e2ebefae04ec36c09bdde4f6a9fe8a6970688a693ea4ace3e320cc884b4a8ff00532671a

  • SSDEEP

    768:V1/DUdf/Y8SI23anp2mWJre5vwR9TR6/b4PEmkCPBXg9p9kiViehWCmgzSI:V1/Eb5nwLapCTRkb4PGCPm9TtVQyeI

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

grand-ad.gl.at.ply.gg:21277

Attributes
  • Install_directory

    %AppData%

  • install_file

    FunCheker.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
    "C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FunCheker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FunCheker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FunCheker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FunCheker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3452
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FunCheker" /tr "C:\Users\Admin\AppData\Roaming\FunCheker.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4852
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4260
  • C:\Users\Admin\AppData\Roaming\FunCheker.exe
    C:\Users\Admin\AppData\Roaming\FunCheker.exe
    1⤵
    • Executes dropped EXE
    PID:2228
  • C:\Users\Admin\AppData\Roaming\FunCheker.exe
    C:\Users\Admin\AppData\Roaming\FunCheker.exe
    1⤵
    • Executes dropped EXE
    PID:2828

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FunCheker.exe.log
          Filesize

          654B

          MD5

          16c5fce5f7230eea11598ec11ed42862

          SHA1

          75392d4824706090f5e8907eee1059349c927600

          SHA256

          87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

          SHA512

          153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          ad5cd538ca58cb28ede39c108acb5785

          SHA1

          1ae910026f3dbe90ed025e9e96ead2b5399be877

          SHA256

          c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

          SHA512

          c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          bb8cc8fcc5cbeec54503863e20a9ae0f

          SHA1

          05b6d2b609ef4752380b64cdafb3796610527f07

          SHA256

          6d28086db8927fab4ce46375d61154cfa69b2bedd58676ea3ffe15f5403141db

          SHA512

          e2703270ed38cab81136643443d1fb740d2483b7032db21b1a2af0fe4f2473c7f63664d81b56d7929d411eed9afbf625b4372ba11125a9faec5b1ebcb467638d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          146dc0d704ff972887a9f34742fa6fd9

          SHA1

          c235c477ac80877e9474f63642e1811e55d93514

          SHA256

          f2fea4cf1ccc5ca4ed4f6ec2dfa319c7bed235423ad8ad6933a52c2b8a2a7725

          SHA512

          a9b6f44aaab6f68050a6f1ac85a9c3ad3bdee197aa8acbe1a1bb5c3f56487368ad37fe6d0bf192835baf8b0105eda23b17e8582ba630a68f1faa0acab9c68bdd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          7820cec15d3fd44740084c1fd449bbe8

          SHA1

          8bb0463f9c092119f34ba2dbc5d223d7160daae6

          SHA256

          062fc423c4c366e32fb0a20146203a2d0de873b870ee4d6d1d10476768cd9241

          SHA512

          7dc9fd65b122a601f4d5256d6d4ee28b952b4259f089dd836f8469adba548414b16e47443b1e04e3cd8bd476a7b348499cbe94b20f8e113bb84b6a8d45922620

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_riaukwlw.csw.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\FunCheker.exe
          Filesize

          58KB

          MD5

          e1037ff08530e97f312f2c5cae895646

          SHA1

          0439ffa576cec17918ed1e83144fdecd5bb5292e

          SHA256

          1321a9ac30ec543ff79880144cf9358153122b0a7cb554ae5e1ef68d4dc010ed

          SHA512

          980298958868a71505fd7c81f773430b5687f8f76a06aa6b64dfe321e2ebefae04ec36c09bdde4f6a9fe8a6970688a693ea4ace3e320cc884b4a8ff00532671a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FunCheker.lnk
          Filesize

          783B

          MD5

          71430e7138b3d542bb7e461fc6c96f00

          SHA1

          f17490c09ecc5f3f85187177754f859487d44755

          SHA256

          fd363a31481907260616eebdc9e83608a4e30c03c7b194f00c747f8cbe6bec49

          SHA512

          8c851f9c4e7c7cad5d2039c440f5544d39871bdab86fd58f5da18b9ff5fe7f901f7595c79b14a5795ce61d173769ca288678d6bea04b2ac7e23132619124ee1e

          Download Submit

        • memory/2100-2-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2100-1-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2100-0-0x00000000009E0000-0x00000000009F4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2100-194-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2100-192-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3212-56-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3212-7-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3212-8-0x0000022B28860000-0x0000022B28882000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3212-9-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3212-13-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3212-12-0x0000022B28990000-0x0000022B28A06000-memory.dmp

          Filesize

          472KB

          Download