Overview

overview

10

Static

static

3

AlphaBlendTextBox.dll

windows11-21h2-x64

10

Aspose.Zip.dll

windows11-21h2-x64

1

Bunifu_UI_v1.5.3.dll

windows11-21h2-x64

1

RC7.exe

windows11-21h2-x64

10

System.Run...fe.dll

windows11-21h2-x64

1

System.Tex...es.dll

windows11-21h2-x64

1

bin/Monaco.html

windows11-21h2-x64

3

bin/MonacoEditor.html

windows11-21h2-x64

3

bin/vs/bas...ain.js

windows11-21h2-x64

3

bin/vs/bas...bat.js

windows11-21h2-x64

3

bin/vs/bas...fee.js

windows11-21h2-x64

3

bin/vs/bas...cpp.js

windows11-21h2-x64

3

bin/vs/bas...arp.js

windows11-21h2-x64

3

bin/vs/bas...csp.js

windows11-21h2-x64

3

bin/vs/bas...css.js

windows11-21h2-x64

3

bin/vs/bas...ile.js

windows11-21h2-x64

3

bin/vs/bas...arp.js

windows11-21h2-x64

3

bin/vs/bas.../go.js

windows11-21h2-x64

3

bin/vs/bas...ars.js

windows11-21h2-x64

3

bin/vs/bas...tml.js

windows11-21h2-x64

3

bin/vs/bas...ini.js

windows11-21h2-x64

3

bin/vs/bas...ava.js

windows11-21h2-x64

3

bin/vs/bas...ess.js

windows11-21h2-x64

3

bin/vs/bas...lua.js

windows11-21h2-x64

3

bin/vs/bas...own.js

windows11-21h2-x64

3

bin/vs/bas...dax.js

windows11-21h2-x64

3

bin/vs/bas...sql.js

windows11-21h2-x64

3

bin/vs/bas...e-c.js

windows11-21h2-x64

3

bin/vs/bas...sql.js

windows11-21h2-x64

3

bin/vs/bas...php.js

windows11-21h2-x64

3

bin/vs/bas...ats.js

windows11-21h2-x64

3

bin/vs/bas...ell.js

windows11-21h2-x64

3

Analysis

  • max time kernel
    133s
  • max time network
    139s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05-10-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AlphaBlendTextBox.dll

  • Size

    24KB

  • MD5

    e6b8735ea19da68d9baa23f945a6fad3

  • SHA1

    65ae6742bf4106ce56d57d3ab427bd3e379f9ca3

  • SHA256

    48541be9ed6be56e4ee61dd48ce6b237b7a83a3be4db5a54ce350a042c77ecfe

  • SHA512

    ca3f3945406b9dc64b67f78cb75687b487203f177f4d3a96ae070f5aafa01ef43c733dd69847c095d6484a616abfe85f37568f8b289564693b6a3947fcac4585

  • SSDEEP

    192:iDGJzcLqS+q+obtogcv7QZYU+Am6+cfX/huI1Ps1YK2c5PkDVX:iKqHtobQZYU+Al+8XAI1q2c5PkDVX

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:22612

bay-husband.gl.at.ply.gg:22612
Attributes
  • Install_directory

    %AppData%

  • install_file

    WebRuntime.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\AlphaBlendTextBox.dll,#1
    1⤵
      PID:4624
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4024
      • C:\Users\Admin\AppData\Local\Temp\RC7.exe
        "C:\Users\Admin\AppData\Local\Temp\RC7.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4700
        • C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe
          "C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1332
      • C:\Users\Admin\AppData\Local\Temp\RC7.exe
        "C:\Users\Admin\AppData\Local\Temp\RC7.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe
          "C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 3016
          2⤵
          • Program crash
          PID:1424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4684 -ip 4684
        1⤵
          PID:4012
        • C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe
          "C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4648
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\SyncSwitch.gif
          1⤵
          • Modifies Internet Explorer settings
          PID:2636
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\ResetSkip.html
          1⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1840
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffede623cb8,0x7ffede623cc8,0x7ffede623cd8
            2⤵
              PID:4380
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17971962364037955816,5104821721383350664,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
              2⤵
                PID:2824
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,17971962364037955816,5104821721383350664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:408
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,17971962364037955816,5104821721383350664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
                2⤵
                  PID:2624
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17971962364037955816,5104821721383350664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                  2⤵
                    PID:2172
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17971962364037955816,5104821721383350664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                    2⤵
                      PID:124
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:4596
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:4048

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RC7.exe.log
                        Filesize

                        1KB

                        MD5

                        cfd3e129aab8d7705fac8e79f6f1e5c3

                        SHA1

                        47d5b1be14052df8c44cf79ad4bd60f60d503349

                        SHA256

                        78c511a52b663ea82323dcaa35a8cf1fd32ae8c8a7bd707d7dd2dd71284b0c7a

                        SHA512

                        076785a368da4d4d6b1a25260aad1c86dfc406389e5953ba440cf7ab4b0de09f758dac340f87bc2c97192d57bb4fba2f0cd8f0f51bbd9940a9249c3d70f65710

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        152B

                        MD5

                        c4a10f6df4922438ca68ada540730100

                        SHA1

                        4c7bfbe3e2358a28bf5b024c4be485fa6773629e

                        SHA256

                        f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

                        SHA512

                        b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        152B

                        MD5

                        4c3889d3f0d2246f800c495aec7c3f7c

                        SHA1

                        dd38e6bf74617bfcf9d6cceff2f746a094114220

                        SHA256

                        0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

                        SHA512

                        2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        069fb81475a9b8c796d0db731c39603f

                        SHA1

                        c1bcd285a847dc1ece9da6914979e249e0dd7d5a

                        SHA256

                        8a81b844e1fba470ddfa30a844030b80602b426318286735bc6dd7e942bcf285

                        SHA512

                        ddb909d3921182bb00fcf3cd6f7e737d9124dc9767d9bf63dcc16a878dc0b6592dfa88a258b565a07cab834711bae9a33e299d113dd9190a984c4ac8e83c7c91

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        a00d5d6b445bb88f12ab33a3678a96e8

                        SHA1

                        ec0919529a0810ae6588a0a6ff82a93d2cc0db9a

                        SHA256

                        5bc13ab7042944411637ecfbb72723d044b34bf57df6aa4bb50395ec71a22e9a

                        SHA512

                        c230401ea715b9cbd8a334f7ebbabe129563c8eb9e46bfb5bb1d19aa39d455824676581a50d24b3cee021263bcf7bb58a3e400531ab0d0b9ef54fabec104d68f

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                        Filesize

                        16B

                        MD5

                        6752a1d65b201c13b62ea44016eb221f

                        SHA1

                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                        SHA256

                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                        SHA512

                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                        Filesize

                        10KB

                        MD5

                        62d01ac6e9c6d21effe2cb146665d586

                        SHA1

                        4b1050b59cf35cff41b5e9f2d9c6ed06b3364255

                        SHA256

                        c876048bfd80190d83a218f387011a65d5fb0f8ab0dfe8db348c60829dd3d5e3

                        SHA512

                        64fc0152956af1e152d24d024f008cb1d56185bf66f99e115ffe69ec076563c5e68654ed2f0ae46cc08cdc382026ec891be1c7f536995636b5e135b433beafeb

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Extracted\Temp.exe
                        Filesize

                        66KB

                        MD5

                        57d1cfd1a2f8d248c6e18c903127452a

                        SHA1

                        746dc1af18c021dd5c9f8446155f75b891381f37

                        SHA256

                        4fd418e12de833bd0bfc5ec23ebbe5f37e12f0e40b96613a53ba013221f1915b

                        SHA512

                        8aef885aec60c0f6bb0b9df9f3ddb194e39e0afc025f46767272b711bf0aeac1e186ee47fd70b07ce575e9feca88f38157ac2c92f7de3c80532845921165ec36

                        Download Submit

                      • memory/1332-25-0x0000000000A40000-0x0000000000A56000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/1332-22-0x00007FFED0863000-0x00007FFED0865000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/4684-46-0x0000000009DC0000-0x0000000009E02000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/4700-0-0x000000007471E000-0x000000007471F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4700-27-0x0000000074710000-0x0000000074EC1000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4700-23-0x0000000007090000-0x000000000709A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/4700-24-0x00000000070A0000-0x00000000070AA000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/4700-5-0x0000000074710000-0x0000000074EC1000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4700-4-0x0000000005BE0000-0x0000000005C72000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/4700-3-0x0000000006260000-0x0000000006806000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/4700-2-0x00000000056E0000-0x00000000059FC000-memory.dmp

                        Filesize

                        3.1MB

                        Download

                      • memory/4700-1-0x0000000000A90000-0x0000000000B60000-memory.dmp

                        Filesize

                        832KB

                        Download