Overview

overview

10

Static

static

10

Windows Defender.exe

windows7-x64

10

Windows Defender.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2024, 05:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows Defender.exe

  • Size

    30KB

  • MD5

    56f2800f481b53f41d8660aa4360ee07

  • SHA1

    918be96734e92154a312314e551120c8222f9090

  • SHA256

    dcdbab06fc3b63e2a98ebc834205dc4d50f108051a473d002f9d5affe780e694

  • SHA512

    468e4188a0c18e69d8050d066efb9d049fa0cf78b9391aa5d33461611617ec7fdce170cb7c517df96906726c14ed1fb76beb3555bc5fcb20f9ad52246da7284c

  • SSDEEP

    384:N7wTA+5OfPgEBQqWvfcQLZe3sn0hYACSqReAw2uRugtFuBLTIOZw/WVnvn9IkVun:lrgECfLHnMYAoReJ2uBFE9RJLOqhMbx

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

vehicle-wed.gl.at.ply.gg:2355

Mutex

irsMqnBPdMlT0tEE

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp16EE.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2276

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp16EE.tmp.bat
          Filesize

          168B

          MD5

          edf3bf1db56455ad86fce6e0bfdb993a

          SHA1

          53d4af130f0a8e26c29fe4485946ba2309e978cc

          SHA256

          43db072c92556afb15ef75c459f331ce4b8305dade92e89b65aa807b860a1942

          SHA512

          b70dba00e7e382502d1dedcace7be4f407538a2568b295a22672ecbc897f0ed898e283442fe6a8713716047f587fd250ce8532f976a46d7c1b074869b4d46916

          Download Submit

        • memory/4484-0-0x00007FFE73913000-0x00007FFE73915000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4484-1-0x0000000000990000-0x000000000099E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4484-2-0x00007FFE73910000-0x00007FFE743D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4484-3-0x00007FFE73913000-0x00007FFE73915000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4484-4-0x00007FFE73910000-0x00007FFE743D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4484-9-0x00007FFE73910000-0x00007FFE743D1000-memory.dmp

          Filesize

          10.8MB

          Download