Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 12:17

General

  • Target

    XBinderOutput.exe

  • Size

    334KB

  • MD5

    bd5a99d1a915d183796d52364729242f

  • SHA1

    d0b0913ac86154d9eb6ab8f22b1b6d0e3682aa51

  • SHA256

    5dc9341df08796ab376579f34442247fa6942463974bad85e6d2709a114fe037

  • SHA512

    1b076341992c63268b4ba400fb0ca9b65b49af09c5fb01553cee1e80da2dc18cd53f920bfa9987bd13b9c2f3b42cad54fc573f3a2ca7a1b9d50b98c32671fb91

  • SSDEEP

    6144:v98Spzgs21x/GJqkntASwQvJzp8kRJoKXqwUHrsTB2zs+FAWKiXG/P16fCt3OY:GKgs2X/gDiVBQTB2zI6TO3O

Malware Config

Extracted

Family

xworm

Version

3.0

C2

silver-bowl.gl.at.ply.gg:684

silver-bowl.gl.at.ply.gg:0684

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2964 -s 972
        3⤵
        • Loads dropped DLL
        PID:2704
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bootstrapper v4c.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Bootstrapper v4c.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper v4c.exe

    Filesize

    79KB

    MD5

    64553acae30df85c70a7e8c1750a21fa

    SHA1

    a106939b1fdb775c33cfe1ad4007579c0dc8c369

    SHA256

    03c0c0a803543d40715b14afb48eeb2ad5cffb95d78c99f7eb544610e9099cf5

    SHA512

    149867abeba71221b2951dd51c15d6aa27cfec9854a5ff721700bab69b86a60d76eab3918872d8a8079fcaf2314fc5434fd0b5c20749c43f9277e55fe165823b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    31603f6134dfd0751457b62739a0351a

    SHA1

    676b0d462b7a2825dd90e45bde626a9d967b4a02

    SHA256

    9a551363e5067dbfba66311fe033af2ed9c00ea9e3815afd774473e044b0c083

    SHA512

    037dc5c472acec194b1c9dfbe87d376113832f53b4e2847fa4d2d45e460e5cf72793067285f797076a3959024245b29c6441036ad9d1432a8f790cc882bf4b9d

  • \Users\Admin\AppData\Local\Temp\Bootstrapper v4.exe

    Filesize

    796KB

    MD5

    4b94b989b0fe7bec6311153b309dfe81

    SHA1

    bb50a4bb8a66f0105c5b74f32cd114c672010b22

    SHA256

    7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

    SHA512

    fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

  • memory/476-36-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/476-35-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

  • memory/1884-1-0x000000013F710000-0x000000013F768000-memory.dmp

    Filesize

    352KB

  • memory/1884-4-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/1884-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

    Filesize

    4KB

  • memory/1884-18-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2964-16-0x0000000000170000-0x000000000023E000-memory.dmp

    Filesize

    824KB

  • memory/2972-29-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

  • memory/2972-28-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/3056-14-0x0000000000B00000-0x0000000000B1A000-memory.dmp

    Filesize

    104KB

  • memory/3056-17-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/3056-46-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB