Analysis

  • max time kernel
    91s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 17:21

General

  • Target

    XWORMV5.4.exe

  • Size

    14.2MB

  • MD5

    741b1f2ee5826897af2ba2ec765296e4

  • SHA1

    706534d9c6a16354974b3b6fd6d1f620524b7dd1

  • SHA256

    0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d

  • SHA512

    a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a

  • SSDEEP

    196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.26.197:7000

Mutex

9nYi5R05H806aXaO

Attributes
  • Install_directory

    %AppData%

  • install_file

    VLC_Media.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe
    "C:\Users\Admin\AppData\Local\Temp\XWORMV5.4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3460
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    dcac476fa19b9b7e00d97d937daf7e9f

    SHA1

    2753854fb9097e0c50667c4df11e336bada512e2

    SHA256

    ebbf20b0c098d467090c4115109b5f707b559a8006e9c17f00235a5d23d60399

    SHA512

    81d587000267413d0b829d783aa2ea4d6f7dfdf991d0463cd49bae3090f36db0b16a63b1ca28ae9a8e52fe2a516bffbad3ff624d5b55e8956d728bb44ed5ea4f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    481e5a63ab627f474e7406859a742abc

    SHA1

    adf952634978d42e343896ac546763cc6e7635fa

    SHA256

    ce32fe7b6fec708c52b5293b3ea0de2f0030be59644c9a635882bb7273b664a6

    SHA512

    8d3d8329276e6fac80fbc4d6cf4ca0d05cd336c7a0e85cafe2fd121e783af1c013347909454aab63bd0c51b6f37317958f23608b980d4a5764d23cdc9aa12f95

  • C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe

    Filesize

    176KB

    MD5

    a9376f54dd83bf547f6188f8904ae3af

    SHA1

    85bb802b0ade5b2136c83e6217a2aaace3735edc

    SHA256

    44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17

    SHA512

    71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9

  • C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe

    Filesize

    13.8MB

    MD5

    efb0528d6978337e964d999dacb621df

    SHA1

    244979b8495d3d173a4359d62ad771f99a0033fc

    SHA256

    4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491

    SHA512

    4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zluff0a.45i.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ogpXG\ogpXG.dll

    Filesize

    112KB

    MD5

    2f1a50031dcf5c87d92e8b2491fdcea6

    SHA1

    71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

    SHA256

    47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

    SHA512

    1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

  • memory/2540-26-0x0000029B10430000-0x0000029B11210000-memory.dmp

    Filesize

    13.9MB

  • memory/2540-35-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2540-37-0x0000029B2C5E0000-0x0000029B2D1CE000-memory.dmp

    Filesize

    11.9MB

  • memory/2540-27-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2540-61-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3480-0-0x00007FF973F33000-0x00007FF973F35000-memory.dmp

    Filesize

    8KB

  • memory/3480-1-0x0000000000290000-0x00000000010C0000-memory.dmp

    Filesize

    14.2MB

  • memory/3624-47-0x0000022CF2A90000-0x0000022CF2AB2000-memory.dmp

    Filesize

    136KB

  • memory/4888-36-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4888-28-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4888-25-0x00000000000B0000-0x00000000000E2000-memory.dmp

    Filesize

    200KB

  • memory/4888-89-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4888-90-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

    Filesize

    10.8MB