Overview

overview

10

Static

static

3

GHInjectorx64.exe

windows7-x64

10

GHInjectorx64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GHInjectorx64.exe

  • Size

    35.2MB

  • MD5

    5abc8be3cb3ad48aebf2a63f05341582

  • SHA1

    47e3f6e271fa04748ee1b83afc7d0a21059f9ae5

  • SHA256

    5c8608607a328036d0c4ddde044703033a6b105f62e167fb9abd6739036215c8

  • SHA512

    c8beeba10268f76fb1bfa7036a3094335eb383bcf81010decc5ad2b1fd99075ad57a44196e544fd2e9e83663dab3fc6f121c15eaecf4f5af8c285397e63bee14

  • SSDEEP

    786432:6A6Vk51XxQgLespvvwY0vFfVtMI9aznj381fvKFf+/CfBGkZOHk+:eV6Kfsp50BzMSazrcfvKh+/CpGsS

Score
10/10
xwormpyinstallerrattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.21:27469

Attributes
  • Install_directory

    %AppData%

  • install_file

    astroGG.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Detects Pyinstaller 7 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GHInjectorx64.exe
    "C:\Users\Admin\AppData\Local\Temp\GHInjectorx64.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe"
      2⤵
      • Executes dropped EXE
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe"
        3⤵
          PID:1380
      • C:\Users\Admin\AppData\Local\Temp\astroGG.exe
        "C:\Users\Admin\AppData\Local\Temp\astroGG.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2496

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      22.6MB

      MD5

      1b11ea5bedcb36af6d7e05a149a78fa7

      SHA1

      4b19c9bec2d7ea82ce8551d6687a932f7043ded4

      SHA256

      40a35d34d949c1e888d34cf780b9ce2c1409bdf79343ec4077c449526d1e0ac9

      SHA512

      260679d3234dbc75be1a32eb29071ef0b80d8203e5eea4ddb2ab1cb1f966ecf2cf96c1d1e10fb0a19f276b068729c923381c74a8d626e18dc64f5120a6130a37

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      26.2MB

      MD5

      7d31e5fb0fc7ebf55f9df2de1c7ffefa

      SHA1

      2730470b31deff316fdce78bc3a9796cbcbb1d7e

      SHA256

      4ef2b9593aecf2990520689c9e7eefbad1507f59545696fa1116cd7d12ec9e4c

      SHA512

      bb2eaa12e2711ad83dad8a203d7bf38b9b6cd49611d4d2a09cc91fe978e23f61ab03e1c0c9a13adb938710fdf08ce6af22f8be816cc046d0685b0b35d036f4d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      24.6MB

      MD5

      1fd7e5c93d284b80ffa60904e05f2b4c

      SHA1

      4155bbb71d03ff6f809c1653512a62477905b5d6

      SHA256

      8ec270b0f9b7cb9ddecad346890fd74ac21ccc8536dd6dd814af7ccbd2dc7f72

      SHA512

      4078a11c87af2ea853a5da07040831fcc0151e40a14424d11c770953c3e2a4becfdbabe745229849ef1fd6bbc46bbacd491b9362cbf7f0af15124d6e2c9cf4f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI21522\python312.dll
      Filesize

      6.6MB

      MD5

      3c388ce47c0d9117d2a50b3fa5ac981d

      SHA1

      038484ff7460d03d1d36c23f0de4874cbaea2c48

      SHA256

      c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

      SHA512

      e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\astroGG.exe
      Filesize

      60KB

      MD5

      aa214096148443fef487b52dbecee5a4

      SHA1

      ebd815c0faa3cb17f4a6c6c41ef1faaa307c68c8

      SHA256

      05171a217f14814ed567a59e4230ebcb2a552720e8419761016b2ba8677f9a2a

      SHA512

      ae0a44736c385da5119f27190af09e18ce7c2c26ae81fd3b194683cd27da6ea839206348578c4e5ec0cfd428ef89d0c2e318d711a2915fae3df7ab407b74cc0e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      22.4MB

      MD5

      26dfeb7388ba1ecd144537ba514b37d5

      SHA1

      9a2e80efb218d74496bd92560ab10a6d809434e5

      SHA256

      89977e76d1c78c9bb8a1918b36bc8626990a3a2f91de590111a8694c0dccf6dc

      SHA512

      f12968a5c41c83d5c68643b638af2b03b47a3c6d1435edafb6a33f4dca38962d6642f0700bb265564c6b035f28042aeaa34782e92001cd9903ecef1e65e280e6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      9.9MB

      MD5

      b702612732d516a46d36c70b882d8cd3

      SHA1

      a7de6487b97eebdf77d0ffae66462834af75bc71

      SHA256

      f1cb9acbefef6f4a632cc2f3e098b7fa6e0839780735845eb61dbed7010525df

      SHA512

      b3302ee6b6e37e63b9caf48b0aa938814fe72b2fcb00fc50963895cf5a0d9b186fa336d88e3d454b802de91c0b79f91ace5da38f0a1a266ebc34184ad5c9fe41

      Download Submit

    • \Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      10.5MB

      MD5

      f84014f038ffef1127fea96a098d36ef

      SHA1

      f27c6b7970f54f287ac89bcb91a332f5a0bf1467

      SHA256

      32447aa6ea3f7fd56c700486caac9fb058ea5892bef023ef3a4c5eba5c623584

      SHA512

      b6e2a5918e22a6498a2377cf4cd9e04d826602d5c826fde210901eeef1fd1bd3cb72714de509382644c6b66e45acfd9aabb9ecb65a6871354fb725b660abab9c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\AstroBootStrapper.exe
      Filesize

      26.4MB

      MD5

      59bb53999cb5da41a7e99d47859caa93

      SHA1

      c1785eb3a7044c6f70cfc65be8edbb5a0325b79f

      SHA256

      ed4a9db7e382ee80fa487a9b566262b52e11374fac0451027da9c2a3025ac7c2

      SHA512

      365c7b998322439f18fcca87721244ca5b1ed947db09379b7c41d3ef11b59ddb8d8c4ae4e532c96e8d6be33d3e612414cf0715bf06d40a7218f464e3e6687ecb

      Download Submit

    • memory/2340-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2340-26-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2340-1-0x0000000000350000-0x0000000002690000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2340-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2496-23-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2496-28-0x0000000000D20000-0x0000000000D36000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2496-154-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

      Filesize

      9.9MB

      Download