Overview

overview

10

Static

static

3

2jz0am68f-qc2419x.exe

windows7-x64

10

2jz0am68f-qc2419x.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    8s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2024, 21:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2jz0am68f-qc2419x.exe

  • Size

    35.2MB

  • MD5

    5abc8be3cb3ad48aebf2a63f05341582

  • SHA1

    47e3f6e271fa04748ee1b83afc7d0a21059f9ae5

  • SHA256

    5c8608607a328036d0c4ddde044703033a6b105f62e167fb9abd6739036215c8

  • SHA512

    c8beeba10268f76fb1bfa7036a3094335eb383bcf81010decc5ad2b1fd99075ad57a44196e544fd2e9e83663dab3fc6f121c15eaecf4f5af8c285397e63bee14

  • SSDEEP

    786432:6A6Vk51XxQgLespvvwY0vFfVtMI9aznj381fvKFf+/CfBGkZOHk+:eV6Kfsp50BzMSazrcfvKh+/CpGsS

Score
10/10
xwormpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.21:27469

Attributes
  • Install_directory

    %AppData%

  • install_file

    astroGG.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2jz0am68f-qc2419x.exe
    "C:\Users\Admin\AppData\Local\Temp\2jz0am68f-qc2419x.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2484
    • C:\Users\Admin\AppData\Local\Temp\astroGG.exe
      "C:\Users\Admin\AppData\Local\Temp\astroGG.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2392

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_MEI23322\python312.dll
          Filesize

          6.6MB

          MD5

          3c388ce47c0d9117d2a50b3fa5ac981d

          SHA1

          038484ff7460d03d1d36c23f0de4874cbaea2c48

          SHA256

          c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

          SHA512

          e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\astroGG.exe
          Filesize

          60KB

          MD5

          aa214096148443fef487b52dbecee5a4

          SHA1

          ebd815c0faa3cb17f4a6c6c41ef1faaa307c68c8

          SHA256

          05171a217f14814ed567a59e4230ebcb2a552720e8419761016b2ba8677f9a2a

          SHA512

          ae0a44736c385da5119f27190af09e18ce7c2c26ae81fd3b194683cd27da6ea839206348578c4e5ec0cfd428ef89d0c2e318d711a2915fae3df7ab407b74cc0e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
          Filesize

          35.4MB

          MD5

          a6b9aa5664f3c5a950dea794efa126cb

          SHA1

          b6e3edb436fbc405f78fc2e7e67c03dac5b48a34

          SHA256

          a37a2a94b99d2b16edf07ba60e096d3d7ced427aa9334e92c6c97bb479e7f0e6

          SHA512

          ca3fd8685558446fecab4caf64cbc3f9ca00ce46bfb025ecf5ad27093dfa03568f45d18193197244a6a93c41215a70a2ee334097fc315a8aba5badfaef7b0c6d

          Download Submit

        • memory/2392-18-0x00000000008F0000-0x0000000000906000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2392-19-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2392-153-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3048-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3048-1-0x0000000000CD0000-0x0000000003010000-memory.dmp

          Filesize

          35.2MB

          Download

        • memory/3048-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3048-24-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

          Filesize

          9.9MB

          Download