Overview

overview

10

Static

static

3

Luxury Crypter‌.exe

windows10-1703-x64

10

Luxury Crypter‌.exe

windows7-x64

10

Luxury Crypter‌.exe

windows10-2004-x64

10

Luxury Crypter‌.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    294s
  • max time network
    296s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-10-2024 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Luxury Crypter‌.exe

  • Size

    7.0MB

  • MD5

    f52edee9472d973f7aedaa58baed96e6

  • SHA1

    dee4734806f0a47e81627a66b2c75e5ec37b6b1a

  • SHA256

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

  • SHA512

    1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b

  • SSDEEP

    98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter‌.exe
    "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter‌.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2164
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1904
      • C:\Windows\system32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe" /st 17:57 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1900
      • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDF09.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:1112
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BC017E15-0F6A-44C9-B28F-D996B4A908DF} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
      C:\Users\Admin\AppData\Local\ACCApi\msedgewebview2.exe
      2⤵
      • Executes dropped EXE
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Luxury Crypter.exe
    Filesize

    8.8MB

    MD5

    9c55d8c0b720f652e4ad3753e9939b99

    SHA1

    ee69da72e65d44638f352791b2114887e2110384

    SHA256

    44a220f92ce2822d3d8e9c7ded429c9e53f650224759c8ec75c49706716fda77

    SHA512

    ea88bcf9b289ef4b2ba34f3b7818aee672867418d4e8fb29d5fac99688e30babfc21a7279151397ef47f8d852b8129ed63a42eec7e1a5bd598c744af9da320b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDF09.tmp.cmd
    Filesize

    147B

    MD5

    6de81bf833c7f1db84a4ec547404e4d1

    SHA1

    0373d43f9d1de573b8d41fc68401a0345a40f985

    SHA256

    956f94a9b9ef4cb133374310584a64082a67357453584e4f4283b7b6b83a0db8

    SHA512

    bb6749a368c133469489f389a4c92601d3edbf9fddd6571af3bff1238726dde1b39be8f30c0147b909903c43ed8ea8bf62575cfd8046b1151383da1235792a9e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKTGCRC0JAOBU91RFUSB.temp
    Filesize

    7KB

    MD5

    ce4cd5361919c2ba61132f2b3490f901

    SHA1

    dd2a8c33770491ca7d9dabd0c0e22b634c41edcc

    SHA256

    e9e86bbad8625448ac1fec082f13978aae452077158575b652a31f58068063cc

    SHA512

    0f08b0de0a6ea781343de0e1d11c2f0682540d4daa9f514183c84bedd727a644f35a408c1f2646b53b607f3fa543d422127fd5801539ee26db8591ac323a7884

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    67KB

    MD5

    39f4793e3bd69fde3059e02b84875bef

    SHA1

    4ae174ff10e05e7946c6220b2ef7565830596b3c

    SHA256

    eee698d53132459d85ad39ef66c6b33769dbf69469a346a1ea26c13eebfb4102

    SHA512

    4642ba370d794ffc0dac13a84f8ea3501f9a88a0d2584daecbb340b92cce1dd14c46b7d9d5f4a27a60c1365584f995aa7e93fdc70c4775425f5b3590f6eeec50

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/1708-16-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1708-75-0x0000000000D00000-0x0000000000D0C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1904-59-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1904-60-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2164-17-0x0000000000B10000-0x00000000013EA000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/2400-22-0x000000001B760000-0x000000001BA42000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2400-23-0x0000000001E20000-0x0000000001E28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2592-50-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2592-49-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2736-38-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2736-37-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2772-73-0x00000000012C0000-0x0000000001302000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2900-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2900-31-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2900-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2900-1-0x0000000000CB0000-0x00000000013B8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/3052-30-0x0000000000080000-0x00000000000C2000-memory.dmp

    Filesize

    264KB

    Download