Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-09-2024 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888.exe

  • Size

    50KB

  • MD5

    20e2bdf68c3b6acfda5735422b64cbea

  • SHA1

    181aa68712a5e2f06f136e065291f083c35f32dc

  • SHA256

    774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888

  • SHA512

    188c77234438a34673cc2b2164c180ff0b3d9f35ff2b17c704b36acb655d47a2a034632a59a3ed4945daae692316774c8a6fd53e80ffc53217c8045f7bc88b36

  • SSDEEP

    1536:Tf05a/CTjo89wFc9UR68OMuodS1EAd8IIm:Tf05a/CTD9wFc9U3OMhgEA6IIm

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

103.216.158.119:7000

Mutex

gjV5QKceVphN17zl

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    VLC_media.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888.exe
    "C:\Users\Admin\AppData\Local\Temp\774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_media.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_media.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

    SHA1

    9910190edfaccece1dfcc1d92e357772f5dae8f7

    SHA256

    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

    SHA512

    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    57c07e55b603c3d93f770c75322f1bd7

    SHA1

    c12bdfa4442b8c5dedf36ed58c3bb602facd9d25

    SHA256

    6ed11d21b1a7902a2f9062c4a6f103b1ccae6ab844b28b32aa5add1f7003b143

    SHA512

    44b432712877e2b62eda98e3311068d556031bf60324813b214d8e96db45903b32ed727e63573424edadecd84e3587d1f96fd92558f90504439e1cd9158e045d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e1406e40bc90234838ab278843448a11

    SHA1

    7e056692cfcf53a92ba8582a5fc0d2a418ef0c81

    SHA256

    fdc53165753f599dd5a22b0bd229f8e4c63e73dc47aece0b475c79a7255b1d10

    SHA512

    8ada81e44b16bfca0141dfe52a0b63e3cc7827b8dc45bfea87f834ffb759eeac87426c722b75fd76a447ab5efb69e0053b9fb34bd42d40b413a48f702eb70ab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q44ewqrl.5al.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1392-1-0x0000000000280000-0x0000000000292000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1392-2-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1392-3-0x00007FFD6B683000-0x00007FFD6B685000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1392-4-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1392-0-0x00007FFD6B683000-0x00007FFD6B685000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1880-15-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1880-18-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1880-21-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1880-17-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1880-16-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1880-14-0x000001BCCE380000-0x000001BCCE3A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1880-5-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

    Filesize

    10.8MB

    Download