Analysis

  • max time kernel
    121s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-09-2024 17:21

General

  • Target

    XWORMV5.4.exe

  • Size

    14.2MB

  • MD5

    741b1f2ee5826897af2ba2ec765296e4

  • SHA1

    706534d9c6a16354974b3b6fd6d1f620524b7dd1

  • SHA256

    0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d

  • SHA512

    a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a

  • SSDEEP

    196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.26.197:7000

Mutex

9nYi5R05H806aXaO

Attributes
  • Install_directory

    %AppData%

  • install_file

    VLC_Media.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe
    "C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2296 -s 668
        3⤵
          PID:2672
      • C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
        "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2172
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1844

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe

      Filesize

      176KB

      MD5

      a9376f54dd83bf547f6188f8904ae3af

      SHA1

      85bb802b0ade5b2136c83e6217a2aaace3735edc

      SHA256

      44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17

      SHA512

      71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9

    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe

      Filesize

      13.8MB

      MD5

      efb0528d6978337e964d999dacb621df

      SHA1

      244979b8495d3d173a4359d62ad771f99a0033fc

      SHA256

      4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491

      SHA512

      4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df

    • C:\Users\Admin\AppData\Local\Temp\ogpXG\ogpXG.dll

      Filesize

      112KB

      MD5

      2f1a50031dcf5c87d92e8b2491fdcea6

      SHA1

      71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

      SHA256

      47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

      SHA512

      1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      261184ed87142fb10b5a5eed3d2b43d9

      SHA1

      1b97ef044d82271b6b2d44474b019f4b70becda6

      SHA256

      5a8f45b94954ff6c78607890026c5e572ea78914821579c583f2b14ca2236a72

      SHA512

      c5b655584b2435c73136811a6ee61ff8f5b7b196cc50387bbc2f9c7964a75ed5e2a2f1dc9ccae11dc865fd2e7acc29e15268eb9bd63e364e23556cd665a093bc

    • memory/2172-27-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

    • memory/2172-26-0x000000001B680000-0x000000001B962000-memory.dmp

      Filesize

      2.9MB

    • memory/2296-13-0x0000000000EA0000-0x0000000001C80000-memory.dmp

      Filesize

      13.9MB

    • memory/2296-14-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

      Filesize

      9.9MB

    • memory/2296-21-0x000000001D1A0000-0x000000001DD8E000-memory.dmp

      Filesize

      11.9MB

    • memory/2296-49-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

      Filesize

      9.9MB

    • memory/2352-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

      Filesize

      4KB

    • memory/2352-1-0x0000000000A80000-0x00000000018B0000-memory.dmp

      Filesize

      14.2MB

    • memory/2492-12-0x0000000001310000-0x0000000001342000-memory.dmp

      Filesize

      200KB

    • memory/2592-34-0x00000000028E0000-0x00000000028E8000-memory.dmp

      Filesize

      32KB

    • memory/2592-33-0x000000001B610000-0x000000001B8F2000-memory.dmp

      Filesize

      2.9MB