Overview

overview

10

Static

static

7

Security0.exe

windows10-1703-x64

10

Security0.exe

windows11-21h2-x64

Analysis

  • max time kernel
    72s
  • max time network
    78s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23/07/2024, 18:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Security0.exe

  • Size

    10.3MB

  • MD5

    9f5720e13e66729b1e685917c46dd186

  • SHA1

    28593c013c1508dab2e1238fb4bfad88a5f9b619

  • SHA256

    e982016c5ee91104814d98c4fa3f8afbfa21dc7533133e09d7e50e6f64984fc5

  • SHA512

    ec2b173db12db307a5af11753b528d4bfd27ec1997c5425b866d4dd27960c6878c75ccd5e0d7eaaa83071aae79659aca462e4720c3b372b530e5d196ab453da5

  • SSDEEP

    196608:7GIfbVgEplBHgsX7NTlsSe/HEC+q1gkY4uHnaKjNQh4aj:dbVNAavsS0krq3116N64a

Score
10/10
xwormdiscoveryevasionexecutionpersistenceratthemidatrojan

Malware Config

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Security0.exe
    "C:\Users\Admin\AppData\Local\Temp\Security0.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Security0.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Security0.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4876
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2656
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4568

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        1
        T1112

        Virtualization/Sandbox Evasion

        1
        T1497

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        3
        T1012

        System Information Discovery

        4
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Virtualization/Sandbox Evasion

        1
        T1497

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          1c19c16e21c97ed42d5beabc93391fc5

          SHA1

          8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

          SHA256

          1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

          SHA512

          7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          f5b7823f01ea09f2e6d741ed81192d3d

          SHA1

          a26b6d6b68d2f1cc26d650f791eabe7190b23427

          SHA256

          41cd68da873446dd8071c28f2c87bfc3ede880026e75e3e518bfb5646a05bc13

          SHA512

          3ee428b41b666f6df20935a21850841182de06b08c14cf7e19086f07d6bce252563bf1b371822a79cfce93a40a5796bdf5181b36804389b7a2a429eff2222d20

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          69cfd4c881f567c7ceb0fbf5d456dd9b

          SHA1

          36f5341f43d5627940c964ca291e1d9fae954736

          SHA256

          f8294e51dc0e8fbf3de1f817926b99db747f9fa1c584ea1cd66b6bc6de7ac7b7

          SHA512

          431982414c31da3f723a1e6297f9fa6738cf1124f4f67c4c9f3c8f343430ea8e2ff4cf9a85b2227e1373698165a39cc65fd04f99668f0363441950ea82fc0e0d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          7332374be4c3bc256028b443712b558f

          SHA1

          db14e1ed06671a1b69b89196fb01df780c475625

          SHA256

          4f2b4e45db46001a4d85be7832c53a7704e979a0c02879a7fdebb3d73ee55099

          SHA512

          e31782ad8c4624481a6a1e484c3d68b87234352c23641475608eed1bea8fb482e8255c3bbc247205a2dea52b2a44c9f14935c2e2b4cc56d4acc27eeb9a39289c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe
          Filesize

          24.9MB

          MD5

          30748ad61afdac683d8d6289f8c9f9ff

          SHA1

          16ca36e8f64b012c309a7a04d3c06ee4bf37419f

          SHA256

          7456131092374469ac26d7b1d901c202ec6cfb87f82703c3136bc78a93a9529e

          SHA512

          3843b4415e0d5fdd5ea45046d8bc7ede26722377a205ead335e4ec3ed8a8766470fd8000662b2e16ea5f473fb41c4a47925dc6a3a1b45f3edb51dfe45cd07f1a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2w2n1stf.xbv.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk
          Filesize

          1KB

          MD5

          9bb94f8d61af936572f37557cc506a05

          SHA1

          3919d871b71e64b59445029c10430f27721be200

          SHA256

          7bf5b1deffa5e7986ce63f6b3700189b07ab7e0e6a1664900c87bb5ec91cce11

          SHA512

          542d07216aaae8d49386d2f711f4b74530ac64ba70208aaa17346e700bc1dcebd5c0983516957f3a55ff65024334a9d2e3430ee127743b337491273dd73e1d15

          Download Submit

        • memory/1840-29-0x00000000083A0000-0x00000000083EB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1840-21-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/1840-50-0x0000000009060000-0x0000000009093000-memory.dmp

          Filesize

          204KB

          Download

        • memory/1840-52-0x0000000009040000-0x000000000905E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1840-274-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/1840-258-0x0000000009510000-0x0000000009518000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1840-17-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/1840-18-0x0000000004690000-0x00000000046C6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1840-19-0x0000000007060000-0x0000000007688000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1840-253-0x0000000009530000-0x000000000954A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1840-22-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/1840-51-0x000000006F9C0000-0x000000006FA0B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1840-58-0x00000000095D0000-0x0000000009664000-memory.dmp

          Filesize

          592KB

          Download

        • memory/1840-24-0x0000000007740000-0x0000000007762000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1840-25-0x00000000077E0000-0x0000000007846000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1840-26-0x0000000007850000-0x00000000078B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1840-27-0x00000000079A0000-0x0000000007CF0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1840-28-0x0000000007940000-0x000000000795C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1840-57-0x00000000091A0000-0x0000000009245000-memory.dmp

          Filesize

          660KB

          Download

        • memory/1840-30-0x00000000081B0000-0x0000000008226000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2720-296-0x000000006F9C0000-0x000000006FA0B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3832-531-0x000000006F9C0000-0x000000006FA0B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3852-42-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-279-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-43-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-39-0x0000000077806000-0x0000000077807000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3852-1-0x0000000077806000-0x0000000077807000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3852-0-0x0000000000400000-0x0000000001C30000-memory.dmp

          Filesize

          24.2MB

          Download

        • memory/3852-20-0x0000000000400000-0x0000000001C30000-memory.dmp

          Filesize

          24.2MB

          Download

        • memory/3852-128-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-23-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-13-0x0000000006110000-0x00000000061AC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3852-12-0x0000000000400000-0x0000000001C30000-memory.dmp

          Filesize

          24.2MB

          Download

        • memory/3852-3-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-7-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-8-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-11-0x0000000000400000-0x0000000001C30000-memory.dmp

          Filesize

          24.2MB

          Download

        • memory/3852-513-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-4-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-10-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-746-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-6-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-996-0x0000000007660000-0x0000000007B5E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/3852-847-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-5-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-2-0x00000000777F0000-0x00000000778C0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3852-995-0x00000000075C0000-0x0000000007652000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4876-772-0x000000006F9C0000-0x000000006FA0B000-memory.dmp

          Filesize

          300KB

          Download