Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    293s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-09-2024 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993.exe

  • Size

    94KB

  • MD5

    db5717fd494495eea3c8f7d4ab29d6b0

  • SHA1

    39ba82340121d9b08e9cf3d4ba6dfcb12eb6c559

  • SHA256

    6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993

  • SHA512

    b16c7bffc8418a0349e5189d61439df325d2ab33a42c720380a305decde00348f83d96b6c263a95dc253128eb0e47b1a3dc96f8f115da868ff9227b9a40882de

  • SSDEEP

    1536:1z8H8uTSHKoKlDeE0C3shB1ueVby8EXEFA4Xib6TWcgMfAOISZsw61EmS:+c/q/l6EP3mvuwby8EXuhX6cgXOI0stE

Score
10/10
stormkittyxwormexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

C2

exonic-hacks.com:1920

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Windows.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993.exe
    "C:\Users\Admin\AppData\Local\Temp\6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2816
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:352
  • C:\Users\Admin\Windows.exe
    C:\Users\Admin\Windows.exe
    1⤵
    • Executes dropped EXE
    PID:4100
  • C:\Users\Admin\Windows.exe
    C:\Users\Admin\Windows.exe
    1⤵
    • Executes dropped EXE
    PID:4260
  • C:\Users\Admin\Windows.exe
    C:\Users\Admin\Windows.exe
    1⤵
    • Executes dropped EXE
    PID:4680
  • C:\Users\Admin\Windows.exe
    C:\Users\Admin\Windows.exe
    1⤵
    • Executes dropped EXE
    PID:2992
  • C:\Users\Admin\Windows.exe
    C:\Users\Admin\Windows.exe
    1⤵
    • Executes dropped EXE
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows.exe.log
    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0cf5f35977161dc3aeb7d26bce13b2b1

    SHA1

    00627c8495a608003488f3ed7a0fb64832ca6c50

    SHA256

    278af1627bdb2b9431b2b8f15a3267fe6d2547006a928a09c7181b81c49bde2a

    SHA512

    db47b2281c87f2fcb58dbfa7fc844ec782930217eacc9016af59e448e4cfe03a65a4f9c77be3a1a90165a27140746104af2b19cea9f6235f12d6d8d7cd6ef1f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    6d3266681efaa78fb713e4f42b662b2b

    SHA1

    9dc83714f5136fb7c8dc66a8f85f380cc523eaeb

    SHA256

    67b4cb7e1149fa332ce1d9ea48991649d4156b727d5459e0225e7a5c8f22bc5f

    SHA512

    78ee79d9af4066995ba5ccf04af14ebbc4911979cac7150dfd75cc38e4d6c987a0fe45e06055027213a1938243ef7d8c4023b0873af6248fc969e21d5eaa2698

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    ac93bc54d35c821994548e1488cfce7d

    SHA1

    8aa80b32a5e639ed72b25a1206ddfb9601243af1

    SHA256

    e21901fe8cc7b9f94d8f776d56c6006ca4d495e76aa0205d1fe78b62afa4b5bc

    SHA512

    f45f063b0793e0f5c9cbe4d8304c07bc11a2bfad7336d86d78e00d3fdffbe1a2b71609bfd7a6212d18df0e87ef549ef8647d8b52b23759c8bfefec0e1cc31939

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kt2q2keu.4i2.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\Windows.exe
    Filesize

    94KB

    MD5

    db5717fd494495eea3c8f7d4ab29d6b0

    SHA1

    39ba82340121d9b08e9cf3d4ba6dfcb12eb6c559

    SHA256

    6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993

    SHA512

    b16c7bffc8418a0349e5189d61439df325d2ab33a42c720380a305decde00348f83d96b6c263a95dc253128eb0e47b1a3dc96f8f115da868ff9227b9a40882de

    Download Submit

  • memory/2344-10-0x000001AAF18C0000-0x000001AAF18E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2344-13-0x000001AAF1AF0000-0x000001AAF1B66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2344-50-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2344-9-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2344-8-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4236-3-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4236-2-0x00007FFFD3123000-0x00007FFFD3124000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4236-183-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4236-184-0x000000001ADF0000-0x000000001ADFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4236-185-0x000000001C9F0000-0x000000001CB0E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4236-0-0x00007FFFD3123000-0x00007FFFD3124000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4236-1-0x00000000001D0000-0x00000000001EE000-memory.dmp

    Filesize

    120KB

    Download