Overview

overview

10

Static

static

3

RTC_launcher.exe

windows7-x64

10

RTC_launcher.exe

windows10-2004-x64

Analysis

  • max time kernel
    300s
  • max time network
    292s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    05/08/2024, 07:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    RTC_launcher.exe

  • Size

    1.5MB

  • MD5

    e0e2f56b736c375d82c1668267f3fed4

  • SHA1

    dd92ef585431f4d4295f05f04a044f84ab799b87

  • SHA256

    2eef3ef0c91c8783544a4ea58131804dce6024fe5569ebdd1a497e0750693d54

  • SHA512

    96ae6a0c5aa214bedc191c8eeb47c7bd17538387456d8af86680aaadf93cb3d2eb07c1714b3a597109789424584b52146ada4b67f9c04aec067c854caec30b68

  • SSDEEP

    24576:kuDXTIGaPhEYzUzA0TgnqeDqWqMthyiAHwve+Gk66CUitNk1cK8FHq79m9+ka8:DDjlabwz9uqWqHiMwmV6SOz8oJi9j

Score
10/10
xwormdefense_evasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

connection-arizona.gl.at.ply.gg:65211

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

    Adversaries may abuse Verclsid to proxy execution of malicious code.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RTC_launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\RTC_launcher.exe"
    1⤵
      PID:2124
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
      • System Binary Proxy Execution: Verclsid
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\RTC_launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\RTC_launcher.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Users\Admin\AppData\Roaming\RTC-launcher.exe
        "C:\Users\Admin\AppData\Roaming\RTC-launcher.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
          "C:\Users\Admin\AppData\Roaming\svchost.sfx.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:860
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:984
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1104
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:780
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:764
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1620
        • C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
          "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1068
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1824
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {4A618145-CCBB-4CD5-B637-FAEBE63B74F3} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2820

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            e246f27bffb2116d5254b2a1bc2244e0

            SHA1

            5f07298dffa5a09dc118a2540a199e5682f9f4f5

            SHA256

            dfcc42135a9e2e5125109da7b20e8e08467760edfd59bfd991a9d064a2796aa3

            SHA512

            cc02c2d8b7a03145cb289820a484cd96d720970c2a5a33c3122f3b34b07bc990c4ed95bd9726e4975d72dead30eaa8bd99c083c8172a769632640d8471e4086a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
            Filesize

            758KB

            MD5

            cb1929328dea316fcb34f3486697d16e

            SHA1

            8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

            SHA256

            7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

            SHA512

            90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

            Download Submit

          • C:\Users\Admin\AppData\Roaming\svchost.exe
            Filesize

            170KB

            MD5

            b4a592662f351fa139e2b2dbaacb6536

            SHA1

            effc55d139ca4b4fdd4bccce9c754661b626e624

            SHA256

            fae2b33e66e3f661f9ec876e263014cb89e97a66fff8eab2d311fc3ca8b1ec4c

            SHA512

            b31091654adc567b2fddf6e5a1e8f4f2f902d7a9471462070e0b6f5dea65a7bbc1424ddd7e1b618122bcb3310cb6b9e75a09b35e31f6fa50b4d6c563d7952c38

            Download Submit

          • C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
            Filesize

            505KB

            MD5

            0326c9fc30cea37fc3f9dfdc9c017260

            SHA1

            ef2548189632d87afef60c6c5c322daf95a6fe6a

            SHA256

            d88cd37c5dee7ef1a3bd7836150cfb63bee3ba792a71c08685fda46f31f1b9d5

            SHA512

            e7d256931d32502691c8ef9e54ac448b1b38d9574ae78dfcca6764fd3a653b175e01143cfb46f70af662bd8ee1c7521942a4d9dcfd8285e225bf732c4fc8ef7a

            Download Submit

          • \Users\Admin\AppData\Roaming\RTC-launcher.exe
            Filesize

            1.2MB

            MD5

            bfe20aac9317925bcd8621db0946384c

            SHA1

            c739dfce077121bf2f7614210173966b9731cabd

            SHA256

            2d6d57ffff1c26183290ee15d1663283b98fba8c8981b00409bca5ccce49ee54

            SHA512

            3e82fe9df6e037911b6d73bbc38241fd25f96fa1047eafefa543a72e9ea7fa35e232a0e165c39ac5cc4fa864b439743d755545964347b6f9b3b39003dd1d4cb4

            Download Submit

          • memory/984-47-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/984-46-0x000000001B5A0000-0x000000001B882000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1068-39-0x0000000000A80000-0x0000000000B44000-memory.dmp

            Filesize

            784KB

            Download

          • memory/1104-53-0x000000001B670000-0x000000001B952000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1104-54-0x00000000022C0000-0x00000000022C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1824-40-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/1824-41-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/1824-66-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/3060-38-0x0000000001310000-0x0000000001340000-memory.dmp

            Filesize

            192KB

            Download