Overview

overview

10

Static

static

10

1/0178b79b...bd.exe

windows7-x64

10

1/0178b79b...bd.exe

windows10-2004-x64

10

1/0280cde4...60.exe

windows7-x64

10

1/0280cde4...60.exe

windows10-2004-x64

10

1/08b76206...65.exe

windows7-x64

10

1/08b76206...65.exe

windows10-2004-x64

10

1/0e4fc438...91.exe

windows7-x64

3

1/0e4fc438...91.exe

windows10-2004-x64

10

1/0fb86a8b...05.exe

windows7-x64

1/0fb86a8b...05.exe

windows10-2004-x64

10

1/25898c73...8f.exe

windows7-x64

10

1/25898c73...8f.exe

windows10-2004-x64

10

1/2c2e9491...3c.exe

windows7-x64

3

1/2c2e9491...3c.exe

windows10-2004-x64

10

1/2ef0f582...2e.exe

windows7-x64

3

1/2ef0f582...2e.exe

windows10-2004-x64

10

1/39884fc0...82.exe

windows7-x64

10

1/39884fc0...82.exe

windows10-2004-x64

10

1/3a72ecec...8a.exe

windows7-x64

10

1/3a72ecec...8a.exe

windows10-2004-x64

10

1/3bfcb4f7...71.exe

windows7-x64

10

1/3bfcb4f7...71.exe

windows10-2004-x64

10

1/4103411f...f5.exe

windows7-x64

10

1/4103411f...f5.exe

windows10-2004-x64

10

1/4e0fdb84...95.exe

windows7-x64

3

1/4e0fdb84...95.exe

windows10-2004-x64

7

1/5297372f...33.exe

windows7-x64

3

1/5297372f...33.exe

windows10-2004-x64

5

1/68292f38...e4.exe

windows7-x64

3

1/68292f38...e4.exe

windows10-2004-x64

10

1/6da4696b...e5.exe

windows7-x64

7

1/6da4696b...e5.exe

windows10-2004-x64

7

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe

  • Size

    487KB

  • MD5

    f451292bbe0b4c16d244c251105de16a

  • SHA1

    a527d277ccc25ad97ae64fb76767f1e2cda66ff2

  • SHA256

    3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a

  • SHA512

    d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a

  • SSDEEP

    6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

schools-copper.gl.at.ply.gg:14154

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
    "C:\Users\Admin\AppData\Local\Temp\1\3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1\3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:804
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7F039CD9-F871-4411-B25C-F459CBE3F867} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\svchost.exe
      C:\Users\Admin\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
    • C:\Users\Admin\svchost.exe
      C:\Users\Admin\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2140
    • C:\Users\Admin\svchost.exe
      C:\Users\Admin\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    7d72734b0492c63d099d61aa75e6b806

    SHA1

    d960326f3a7d0321c99bea272814e6ebf47efa4a

    SHA256

    fd0e1c787e6adad8993659d8187e32244b72a4571f9b16a624ead1ec81b93703

    SHA512

    183fe384e03542220e926e34cd9d303627c121041439598e9e9b599c35f6d7f365bae39e5ef9c1720100470e919549c12b6c4cfc0e06abdfeb7e61a0ee24252b

    Download Submit

  • C:\Users\Admin\svchost.exe
    Filesize

    487KB

    MD5

    f451292bbe0b4c16d244c251105de16a

    SHA1

    a527d277ccc25ad97ae64fb76767f1e2cda66ff2

    SHA256

    3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a

    SHA512

    d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a

    Download Submit

  • memory/588-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/588-1-0x0000000000EF0000-0x0000000000F6E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/588-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/588-35-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/588-36-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2032-34-0x0000000000A50000-0x0000000000ACE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2140-39-0x0000000001350000-0x00000000013CE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2660-15-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2660-16-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2856-7-0x0000000002CA0000-0x0000000002D20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2856-8-0x000000001B500000-0x000000001B7E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2856-9-0x0000000002320000-0x0000000002328000-memory.dmp

    Filesize

    32KB

    Download