Overview

overview

10

Static

static

3

rstxdhuj.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-10-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rstxdhuj.exe

  • Size

    963KB

  • MD5

    1ef39c8bc5799aa381fe093a1f2d532a

  • SHA1

    57eabb02a7c43c9682988227dd470734cc75edb2

  • SHA256

    0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4

  • SHA512

    13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

  • SSDEEP

    24576:6MGVJ/Oap+Bh45LEwaV1QghDHm5GQTSmGg:6NJ/jpi5waVhjm5GQ2m7

Score
10/10
stormkittyxwormdiscoveryexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

188.190.10.161:4444

Mutex

TSXTkO0pNBdN2KNw

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3312
      • C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe
        "C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3856
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3408
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1740
      • C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe
        "C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1156
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:7676
      • C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe
        "C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:7740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe
        "C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:7796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:8148
      • C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe
        "C:\Users\Admin\AppData\Local\Temp\rstxdhuj.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5708
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4236
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3524

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
        Filesize

        323B

        MD5

        da97fa97f5a70f2cce9eb0f40fdf2611

        SHA1

        ffc7b7cdf6acc7e867cf84475bc5079a25643fd2

        SHA256

        5a21703724079c96376ea062a557affcd7e7e43e01b4f828e7ed16e6faf5abec

        SHA512

        86288c1e84bf83ae823a21b99cd1501f47590c10e41ea9091b3b6f035871a9d9f5667203983913f01ff241ca275bc3bfd5d7865a7b11fdc68d644282428a53c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        ac4917a885cf6050b1a483e4bc4d2ea5

        SHA1

        b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

        SHA256

        e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

        SHA512

        092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        91a547d6c9a2d417d231a5d99c827444

        SHA1

        fd2989d1a6ee2fada3623fcbac6937f7f0e45739

        SHA256

        08b45bf2b7318b16338f9ae42521ef83344002b3b55f2fa328efa7147955df12

        SHA512

        3070134c14bc8185508f4f0ba3e24e160b5e8a41478c733c0c78eccf536e35539673bf910ebbb464af2eefe73b7143545779bd0c82badd530839b2194656c73b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
        Filesize

        10KB

        MD5

        96329c73cc49cd960e2485210d01c4d2

        SHA1

        a496b98ad2f2bbf26687b5b7794a26aa4470148e

        SHA256

        4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

        SHA512

        e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifup1jre.cdi.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • \??\c:\users\admin\appdata\roaming\ylrdnrwcx.exe
        Filesize

        963KB

        MD5

        1ef39c8bc5799aa381fe093a1f2d532a

        SHA1

        57eabb02a7c43c9682988227dd470734cc75edb2

        SHA256

        0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4

        SHA512

        13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

        Download Submit

      • memory/1740-1149-0x000000006FC50000-0x000000006FC9C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1740-1143-0x0000000005B50000-0x0000000005EA7000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3244-1217-0x0000000007A80000-0x0000000007DD0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3244-1174-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-1161-0x0000000005E60000-0x0000000005E6A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3244-1160-0x0000000005BA0000-0x0000000005C32000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3244-1159-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-1175-0x0000000006FA0000-0x00000000070C0000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3244-1148-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-1176-0x0000000007220000-0x0000000007577000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3244-1177-0x00000000075D0000-0x000000000761C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3244-1092-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-1094-0x0000000004F60000-0x0000000004FFC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3244-1093-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3244-1218-0x00000000049E0000-0x00000000049EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3408-1130-0x0000000007C90000-0x0000000007C9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3408-1112-0x0000000006720000-0x000000000676C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3408-1129-0x0000000007C60000-0x0000000007C71000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3408-1128-0x0000000007CF0000-0x0000000007D86000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3408-1127-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3408-1126-0x0000000007A50000-0x0000000007A6A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3408-1125-0x0000000008090000-0x000000000870A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3408-1124-0x0000000007910000-0x00000000079B4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/3408-1123-0x00000000078E0000-0x00000000078FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3408-1114-0x000000006FC50000-0x000000006FC9C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3408-1113-0x0000000006CD0000-0x0000000006D04000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3408-1131-0x0000000007CA0000-0x0000000007CB5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3408-1111-0x00000000066F0000-0x000000000670E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3408-1110-0x0000000006220000-0x0000000006577000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3408-1132-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3408-1106-0x00000000061B0000-0x0000000006216000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3408-1105-0x0000000005FB0000-0x0000000006016000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3408-1099-0x0000000005850000-0x0000000005872000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3408-1098-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3408-1096-0x0000000005980000-0x0000000005FAA000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3408-1097-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3408-1095-0x0000000002EF0000-0x0000000002F26000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3408-1133-0x0000000007D90000-0x0000000007D98000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3408-1136-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-6-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-4-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-1087-0x0000000006950000-0x0000000006EF6000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3856-1091-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-1086-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-1085-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-1084-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-1080-0x0000000006010000-0x000000000605C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3856-1079-0x0000000005FA0000-0x0000000006008000-memory.dmp

        Filesize

        416KB

        Download

      • memory/3856-1078-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-40-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-42-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-44-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-48-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-50-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-52-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-54-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-56-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-58-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-60-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-64-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-96-0x00000000745A0000-0x0000000074D51000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3856-66-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-1088-0x00000000060A0000-0x00000000060F4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3856-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3856-30-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-3-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-8-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-10-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-12-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-15-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-16-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-18-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-20-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-22-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-24-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-26-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-28-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-32-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-36-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-38-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-46-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-62-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-34-0x0000000005820000-0x0000000005908000-memory.dmp

        Filesize

        928KB

        Download

      • memory/3856-2-0x0000000005820000-0x000000000590E000-memory.dmp

        Filesize

        952KB

        Download

      • memory/3856-1-0x00000000009A0000-0x0000000000A98000-memory.dmp

        Filesize

        992KB

        Download