Overview

overview

10

Static

static

3

47e602735f...5c.exe

windows7-x64

10

47e602735f...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/07/2024, 02:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    47e602735f8059e787b432de5f00575c.exe

  • Size

    1.8MB

  • MD5

    47e602735f8059e787b432de5f00575c

  • SHA1

    fd8dc8ba2b438de30599835d2cfc5b7fbb682c39

  • SHA256

    c5dc5b0b78ffba40847d9ac8c6beca81d20e9678204ac4a8b35c09b0610d47e9

  • SHA512

    06ec7541919fa2623a6a8883a15f8b24c5027a55d482a1aebc5b727a07d92b50feb36a3e80d80656cb6b38e9a69cc334fa5f5db6ff4d8c26b8fec6de82949610

  • SSDEEP

    49152:QH7JbhzwEjVVaQ3Sn7GMYav7syYcONey40vIx3+I1:QH7JVznpVaHtvbOHtwx1

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

17.ip.gl.ply.gg:2351

<Xwormmm>:1234
Mutex

35P7l2L8pEsbVtqa

Attributes
  • Install_directory

    %Temp%

  • install_file

    $77Lol.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\47e602735f8059e787b432de5f00575c.exe
    "C:\Users\Admin\AppData\Local\Temp\47e602735f8059e787b432de5f00575c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup (1).exe
      "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup (1).exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3176
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$77Lol.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77Lol.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4752
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Lol" /tr "C:\Users\Admin\AppData\Local\Temp\$77Lol.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3600
  • C:\Users\Admin\AppData\Local\Temp\$77Lol.exe
    C:\Users\Admin\AppData\Local\Temp\$77Lol.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4352
  • C:\Users\Admin\AppData\Local\Temp\$77Lol.exe
    C:\Users\Admin\AppData\Local\Temp\$77Lol.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3656

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77Lol.exe.log
          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          d28a889fd956d5cb3accfbaf1143eb6f

          SHA1

          157ba54b365341f8ff06707d996b3635da8446f7

          SHA256

          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

          SHA512

          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ba169f4dcbbf147fe78ef0061a95e83b

          SHA1

          92a571a6eef49fff666e0f62a3545bcd1cdcda67

          SHA256

          5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

          SHA512

          8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a7cc007980e419d553568a106210549a

          SHA1

          c03099706b75071f36c3962fcc60a22f197711e0

          SHA256

          a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

          SHA512

          b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup (1).exe
          Filesize

          1.8MB

          MD5

          5036e609163e98f3ac06d5e82b677df8

          SHA1

          176db10a4cda7104f24eece2d87e1a664b7fb929

          SHA256

          b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

          SHA512

          40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
          Filesize

          38KB

          MD5

          965821262df54392375545c3fd29e693

          SHA1

          27ccc945b2e9d1c7583fc8d9fece02ac9f1428df

          SHA256

          12c05491a92b1f70e28adb05aa1c946aa047e0b6e6f8b972434bc37bf60af0fb

          SHA512

          e837bd4eccea4cac004b858ef847aadf43fdc8392323f81168ab6e5ba97caf1629af4e33cf98f7d2375844aeb8091a2dc6468f68a1724945320070da73a1f908

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwmenmud.qxv.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nssC0A2.tmp\InstallOptions.dll
          Filesize

          15KB

          MD5

          ece25721125d55aa26cdfe019c871476

          SHA1

          b87685ae482553823bf95e73e790de48dc0c11ba

          SHA256

          c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

          SHA512

          4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nssC0A2.tmp\LangDLL.dll
          Filesize

          5KB

          MD5

          68b287f4067ba013e34a1339afdb1ea8

          SHA1

          45ad585b3cc8e5a6af7b68f5d8269c97992130b3

          SHA256

          18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

          SHA512

          06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nssC0A2.tmp\System.dll
          Filesize

          12KB

          MD5

          cff85c549d536f651d4fb8387f1976f2

          SHA1

          d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

          SHA256

          8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

          SHA512

          531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

          Download Submit

        • memory/1236-56-0x000001B35FC40000-0x000001B35FC62000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1436-26-0x00000000003F0000-0x0000000000400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1436-46-0x00007FFAF9510000-0x00007FFAF9FD1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1436-27-0x00007FFAF9510000-0x00007FFAF9FD1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1436-109-0x00007FFAF9510000-0x00007FFAF9FD1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4132-25-0x00007FFAF9510000-0x00007FFAF9FD1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4132-0-0x00007FFAF9513000-0x00007FFAF9515000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4132-3-0x00007FFAF9510000-0x00007FFAF9FD1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4132-1-0x0000000000BD0000-0x0000000000DA4000-memory.dmp

          Filesize

          1.8MB

          Download