Analysis

  • max time kernel
    78s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-09-2024 21:12

General

  • Target
    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
  • Size
    7.0MB
  • MD5
    f52edee9472d973f7aedaa58baed96e6
  • SHA1
    dee4734806f0a47e81627a66b2c75e5ec37b6b1a
  • SHA256
    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
  • SHA512
    1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
  • SSDEEP
    98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

Malware Config

Extracted

  • Family
    xworm
  • C2
    146.190.110.91:3389

Attributes

  • Install_directory
    %AppData%
  • install_file
    svchost.exe
  • telegram
    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
    "C:\Users\Admin\AppData\Local\Temp\56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:988
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1232
      • C:\Windows\system32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 21:17 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2008
      • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3218.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:400

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
    Filesize
    8.8MB
    MD5
    9c55d8c0b720f652e4ad3753e9939b99
    SHA1
    ee69da72e65d44638f352791b2114887e2110384
    SHA256
    44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77
    SHA512
    ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

  • C:\Users\Admin\AppData\Local\Temp\tmp3218.tmp.cmd
    Filesize
    147B
    MD5
    bc486dee4bccddaa61f8c4acdf3dda83
    SHA1
    eafa003d5738ddff14fe831eac347a0f241f873a
    SHA256
    4e6f4951c2c3e3906822f17ef742740ac28bb1ddbcdf1cac86641e5bdad6351b
    SHA512
    8f8124391a772182d5f48e80ee91244cbb26a401e9eb5d7c62f1d7158cba7697be3b1715fe029ae2226bfe52235c2a9dd3f082fb5cdd7f90c237dda1fb5edf05

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    6999f241cfabfa28d34f24337b511bae
    SHA1
    12d67c2ade68686e81f6b9b33386edb4e26f0478
    SHA256
    5721c2a0edf042b3e53b057ab4552f34aae58ac4919a78755407168c0c30425a
    SHA512
    239e7dfa4bf757e3b995bdd9c7c9691ebff0558c76493bfecd8373fea8856e50a041eb2b61247b0ac047e1c29c54a5bcd2be561513b295f59162b0276c2735e5

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize
    67KB
    MD5
    39f4793e3bd69fde3059e02b84875bef
    SHA1
    4ae174ff10e05e7946c6220b2ef7565830596b3c
    SHA256
    eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102
    SHA512
    4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50

  • memory/988-17-0x00000000001A0000-0x0000000000A7A000-memory.dmp
    Filesize
    8.9MB
  • memory/1232-63-0x0000000002240000-0x0000000002248000-memory.dmp
    Filesize
    32KB
  • memory/1232-62-0x000000001B730000-0x000000001BA12000-memory.dmp
    Filesize
    2.9MB
  • memory/1360-29-0x000000001B760000-0x000000001BA42000-memory.dmp
    Filesize
    2.9MB
  • memory/1360-30-0x0000000001D20000-0x0000000001D28000-memory.dmp
    Filesize
    32KB
  • memory/2228-76-0x0000000000D40000-0x0000000000D82000-memory.dmp
    Filesize
    264KB
  • memory/2268-53-0x0000000002240000-0x0000000002248000-memory.dmp
    Filesize
    32KB
  • memory/2268-52-0x000000001B690000-0x000000001B972000-memory.dmp
    Filesize
    2.9MB
  • memory/2380-0-0x000007FEF6323000-0x000007FEF6324000-memory.dmp
    Filesize
    4KB
  • memory/2380-1-0x00000000000E0000-0x00000000007E8000-memory.dmp
    Filesize
    7.0MB
  • memory/2380-2-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp
    Filesize
    9.9MB
  • memory/2380-46-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp
    Filesize
    9.9MB
  • memory/2444-22-0x000000001B730000-0x000000001BA12000-memory.dmp
    Filesize
    2.9MB
  • memory/2444-23-0x00000000027E0000-0x00000000027E8000-memory.dmp
    Filesize
    32KB
  • memory/2680-45-0x0000000000240000-0x0000000000282000-memory.dmp
    Filesize
    264KB
  • memory/2712-38-0x0000000001FD0000-0x0000000001FD8000-memory.dmp
    Filesize
    32KB
  • memory/2712-37-0x000000001B710000-0x000000001B9F2000-memory.dmp
    Filesize
    2.9MB
  • memory/2732-16-0x0000000000F70000-0x0000000000F86000-memory.dmp
    Filesize
    88KB