Overview

overview

10

Static

static

10

9858b58784...0N.exe

windows7-x64

10

9858b58784...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9858b58784c5c31cb009b460f358dbe0N.exe

  • Size

    59KB

  • MD5

    9858b58784c5c31cb009b460f358dbe0

  • SHA1

    4071b7d709faf8e420a8f42977c99fcf40fd5eb2

  • SHA256

    1d9d5421af5c484e34ba49a9a7ec61e1dfdef6c41b0017ff761342589dacccfb

  • SHA512

    ceeb63003184857240e1a670cbea6f8c469dfc134f066f771944518a3de32550877032661d14bf8a11c61b6445d35c9658be619d1aa35841c1ee6c723b439167

  • SSDEEP

    1536:5gkAOwHZCiQnb5k0wLCzlcaH9nSHi9dS1EAd8IIu:5QYnb5Cuz9SHi3gEA6IIu

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:43771

y-drives.gl.at.ply.gg:43771:43771
Attributes
  • Install_directory

    %AppData%

  • install_file

    dllhuy.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9858b58784c5c31cb009b460f358dbe0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9858b58784c5c31cb009b460f358dbe0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9858b58784c5c31cb009b460f358dbe0N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9858b58784c5c31cb009b460f358dbe0N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhuy.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhuy.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40BMLDEITNCNHO0H1C6X.temp
    Filesize

    7KB

    MD5

    d2c8793551f13b4dd1faf0f513916d22

    SHA1

    fcd47d4647684242361db5208f241f47069fe5a4

    SHA256

    fa650227d0651d8e19ac53b830cea0effc21c211dfb79e40a6990355daec7088

    SHA512

    349e60aa960667c0d68a25e06ac2224e9def5c426f2730edad14710354d0d35b1f40e112d91d3bf15d4e9890629f861d2f1e8dc93c7442f9b32fea8ebc96bdbf

    Download Submit

  • memory/1908-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1908-1-0x0000000000B40000-0x0000000000B54000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1908-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1908-28-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1908-33-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2612-15-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2612-16-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2928-7-0x0000000002840000-0x00000000028C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2928-8-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2928-9-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download