Analysis

  • max time kernel
    293s
  • max time network
    292s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    05-10-2024 17:51

General

  • Target

    Luxury Crypter‌.exe

  • Size

    7.0MB

  • MD5

    f52edee9472d973f7aedaa58baed96e6

  • SHA1

    dee4734806f0a47e81627a66b2c75e5ec37b6b1a

  • SHA256

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

  • SHA512

    1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b

  • SSDEEP

    98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter‌.exe
    "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter‌.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:212
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 700
        3⤵
        • Program crash
        PID:3316
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:760
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 17:57 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1476
      • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:828
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4416
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:872
  • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
    C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
    1⤵
    • Executes dropped EXE
    PID:4236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedgewebview2.exe.log

    Filesize

    660B

    MD5

    6f8201778bb230fb0ac7c8b78a134a12

    SHA1

    06570db78997747dd80e558a483d29af167f43c5

    SHA256

    984fcdb20fcd38e921511def1e720e36c7a20887010f4f5035b0a6b24c75148f

    SHA512

    86ebbb74d94c382073f4481bb3a4c0747b801753adba15ee36c97dc8b09827e7a29b46209b559c1ab4fa836fbbe6a90b0339e97ed9d5d4856179604e380f2254

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    7239d990aa52025e40fd42acfe5214c4

    SHA1

    4fb62afab54b95c0d06e836ae4dbaecddfc60fd3

    SHA256

    99c45caac633ae4eebdb1243f729ce6a54a9f0229913830b8c500c120916cdad

    SHA512

    c53e0eff839d3bb12d5692805c148d50d642083d38f5ef0c273f04e2c6c41a4656b980bdae9dad7d438021dd76dcb4c1118e11f1486c9b4ba4313a774ba6fc26

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    11b6511c0ca29fcfff13f0bc4a57ef6d

    SHA1

    00e221c11d27fbfcd0c32a628cb69eeebe927116

    SHA256

    04571f4823c89ad36b1ad416e9d98222f603fa37eebbbd4914edf9248b8e102d

    SHA512

    5cdad62e62452abac4f8a19dbc816a7db37afcc0a47ed1e40813fc6a5600f431789cc040f1990d4e9d391945e3cc5011b152b875a863b3e46db1c7b61dcfe312

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    fad4e55913a3f37bbc17e86f9cc8be25

    SHA1

    96e81d722a7b47690f686c2b39ac4fa0a69801ac

    SHA256

    4b4ffc92138dcf42a4dec4d6e707f19e5c53b55de93a1aa75097ab72048352a1

    SHA512

    b2c9e040178f1a0f638ec01a089863bfc79c9a3492f20ff372ffb8ad88f29e98128ddb553b3025a8877514aa852ea3153066b55fad7225370b527cfa76b44f14

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    d9b6645e99293eb9127d883997861652

    SHA1

    0c01f8cf9a9e4ab8f175cf64a4c5a175d5ffa318

    SHA256

    b2e042e19659de6cbb334f3f37317e4cb2fa0fce1d8d501c4a4490f1775c0a5b

    SHA512

    46c0304708d27cfaa88cc37d54cde7176a2ececb0e9f3425d436a1dbb58caef30c512a36f4a305a01deafa9a0d82bd625a59ae7cc4a09afe7e00e6aecef4c8f7

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe

    Filesize

    8.8MB

    MD5

    9c55d8c0b720f652e4ad3753e9939b99

    SHA1

    ee69da72e65d44638f352791b2114887e2110384

    SHA256

    44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77

    SHA512

    ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0haz44s.53i.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp.cmd

    Filesize

    147B

    MD5

    e836bc45d98cc54431172ca3ca9bc586

    SHA1

    c653ea82e187bcdfe551f68a08e1d6f63f786473

    SHA256

    bec3cd71626cd3b66a74d3b8eebf33695f3aeb51524acaaddb3c39ae513ed20f

    SHA512

    e39c1af633b2c991d87cd170bcabf57b1e2fbb94ef74559102815f0afa1a736696a7bb062a6a5d6bc07b120b74ce518663abc036325ab9ca3f292920a7dc9726

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    67KB

    MD5

    39f4793e3bd69fde3059e02b84875bef

    SHA1

    4ae174ff10e05e7946c6220b2ef7565830596b3c

    SHA256

    eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102

    SHA512

    4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50

  • memory/212-17-0x000000007320E000-0x000000007320F000-memory.dmp

    Filesize

    4KB

  • memory/212-18-0x0000000000CF0000-0x00000000015CA000-memory.dmp

    Filesize

    8.9MB

  • memory/984-205-0x0000016B59AB0000-0x0000016B59AF2000-memory.dmp

    Filesize

    264KB

  • memory/1316-15-0x0000000000A30000-0x0000000000A46000-memory.dmp

    Filesize

    88KB

  • memory/1316-254-0x000000001BD00000-0x000000001BE00000-memory.dmp

    Filesize

    1024KB

  • memory/1316-263-0x0000000002F30000-0x0000000002F3C000-memory.dmp

    Filesize

    48KB

  • memory/1316-16-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

    Filesize

    9.9MB

  • memory/1316-199-0x000000001BD00000-0x000000001BE00000-memory.dmp

    Filesize

    1024KB

  • memory/1316-207-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

    Filesize

    9.9MB

  • memory/2364-23-0x000002C0C4E20000-0x000002C0C4E42000-memory.dmp

    Filesize

    136KB

  • memory/2364-26-0x000002C0DD430000-0x000002C0DD4A6000-memory.dmp

    Filesize

    472KB

  • memory/4024-0-0x00007FFF34733000-0x00007FFF34734000-memory.dmp

    Filesize

    4KB

  • memory/4024-206-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

    Filesize

    9.9MB

  • memory/4024-200-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

    Filesize

    9.9MB

  • memory/4024-2-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

    Filesize

    9.9MB

  • memory/4024-1-0x00000000007E0000-0x0000000000EE8000-memory.dmp

    Filesize

    7.0MB

  • memory/4024-149-0x00007FFF34733000-0x00007FFF34734000-memory.dmp

    Filesize

    4KB