Analysis

  • max time kernel
    377s
  • max time network
    379s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-10-2024 17:30

General

  • Target

    avg.exe

  • Size

    51KB

  • MD5

    c523062e513acd24dcc7e9359f34bffb

  • SHA1

    5aa43c875ee2e8645ef4206df755dd22013c0173

  • SHA256

    02fdfbf888ed7f389c70d2afd74f6f04e4cf78ad35afa4ad5cd117899e8fcb74

  • SHA512

    2c953d6337a7b932a66146034082d2f58894895ed798ed0e8d417690458319ab776bc381e1aa2d45574d1e35b1b1c04c3f990c21adbe4f587bbbaa5ba165cacf

  • SSDEEP

    768:mdKpmtBsOH18MjV/WybXgxXbkb03OTSi/yuxwoQOphA3W1t9:my6T3/rbXskb03O1/yuxXQOpm3A9

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:40164

147.185.221.20:40164

Attributes
  • install_file

    System Volume Information Prefetch.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\avg.exe
    "C:\Users\Admin\AppData\Local\Temp\avg.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD560.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2160
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24357:90:7zEvent27713
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1452
  • C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe
    "C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD560.tmp.bat

    Filesize

    155B

    MD5

    42ef117fa697bfea1e4fa1af2ded02be

    SHA1

    31f5aa793daf2987b46700ce67688123a72191e0

    SHA256

    9a6d8035f0027ef2b70db9ed0247a53656ee4c7f279ec8e21108935af9595fd9

    SHA512

    1fc3efe85a1e31f8483b884f8605d1547b12d9830a97d942271ac2f0844e8d49f982482c6ff37481711a454bf730e7ced4b80d8de4cd240593b0d819a8424dbe

  • C:\Users\Admin\Desktop\Compiled_Project.zip

    Filesize

    52KB

    MD5

    ef33fc09ca18c8d3e01ae1dd7ce1f7da

    SHA1

    f74e2a033c4ca904c86a37eb536ca77c42db3b8a

    SHA256

    94460534a0d75a84ba6adbc657fc112a2e8d13924b377bfb295a8a98f6cf5683

    SHA512

    80e5701ca4dbe46bd1602a275223dc0014cfc21293823df348f613058aaaa3f415c4482cb5c0135300a4a66754693091db91851b315d2b421d56171928d01edd

  • C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe

    Filesize

    149KB

    MD5

    95861defb10a7d2a8012c3e0b1b9447d

    SHA1

    e959f88bcb26bde9074fa5a8e447a77a57514b41

    SHA256

    80e8b7030e205c526c5d0eea0abd680d8cacaf3f86d6dc6a3e7081f927b13215

    SHA512

    ddbdc019baed346abc3d8518f19228826d4656b668808134cc710f82b60d2f337683f794c5e0a6036e272077d02abff51d1d03a4c5852eda5ac2f19ebf27320c

  • memory/684-41-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

    Filesize

    4KB

  • memory/684-40-0x00000000012A0000-0x00000000012CC000-memory.dmp

    Filesize

    176KB

  • memory/684-39-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

    Filesize

    4KB

  • memory/2168-3-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

    Filesize

    4KB

  • memory/2168-30-0x000000001B8C0000-0x000000001B970000-memory.dmp

    Filesize

    704KB

  • memory/2168-6-0x000000001C6C0000-0x000000001C7DE000-memory.dmp

    Filesize

    1.1MB

  • memory/2168-5-0x000000001CBD0000-0x000000001CF20000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-4-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

    Filesize

    9.9MB

  • memory/2168-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

    Filesize

    4KB

  • memory/2168-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

    Filesize

    9.9MB

  • memory/2168-1-0x0000000000190000-0x00000000001A4000-memory.dmp

    Filesize

    80KB

  • memory/2168-50-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

    Filesize

    9.9MB