Analysis

max time kernel: 16s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2024, 22:02

Static task: static1
Behavioral task: behavioral1
Sample: X-PROJECT.exe
Resource: win7-20240903-en
General

Target: X-PROJECT.exe
Size: 127KB
MD5: 967ae47a2ebbc731d6c8b5a92c07f4d9
SHA1: 5bc6d706c70976c7db73cfc7eb040a9dd6a0d381
SHA256: cb30232f405584a8cafc49eb0a44fafa1ef2849d3ebb4281bdad8322258af295
SHA512: a393f75acb878e05a5ddc2c2826c84dffd2f7f95cd92a0b0c6ff6048e3a6831dbdc30d0239d7e1a75af50a52272a210dbd368b65c1ff957805178e3682206d32
SSDEEP: 1536:SvFEDx0o36CRiHNcXasFsdLB74NsK7hoOPHIPILlQTYFWJOIs2cgJFyJy+lDt:SvFE736CUHWTaLu1nZLE/cgJF1+h
Malware Config

Extracted family: xworm
C2: 185.84.161.64:7000
Install_directory: %ProgramData%
install_file: svchost.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2576-15-0x0000000000820000-0x0000000000838000-memory.dmp   family_xworm
  behavioral1/files/0x0008000000015ed2-14.dat                                   family_xworm

Xworm family

Executes dropped EXE (1 IoC)
  pid   Process
  2576  svchost.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2576  svchost.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process        procid_target
  PID 2712 wrote to memory of 2316   2712  X-PROJECT.exe  31
  PID 2712 wrote to memory of 2316   2712  X-PROJECT.exe  31
  PID 2712 wrote to memory of 2316   2712  X-PROJECT.exe  31
  PID 2712 wrote to memory of 2576   2712  X-PROJECT.exe  32
  PID 2712 wrote to memory of 2576   2712  X-PROJECT.exe  32
  PID 2712 wrote to memory of 2576   2712  X-PROJECT.exe  32
  PID 2316 wrote to memory of 2592   2316  cmd.exe        34
  PID 2316 wrote to memory of 2592   2316  cmd.exe        34
  PID 2316 wrote to memory of 2592   2316  cmd.exe        34
  PID 2316 wrote to memory of 1548   2316  cmd.exe        35
  PID 2316 wrote to memory of 1548   2316  cmd.exe        35
  PID 2316 wrote to memory of 1548   2316  cmd.exe        35
  PID 2316 wrote to memory of 2760   2316  cmd.exe        36
  PID 2316 wrote to memory of 2760   2316  cmd.exe        36
  PID 2316 wrote to memory of 2760   2316  cmd.exe        36
Processes

C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe"
  PID: 2712
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Roaming\X-PROJECT.bat" "
    PID: 2316
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
      PID: 2592

    C:\Windows\system32\mode.com
      command line: Mode 100,22
      PID: 1548

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 2760

  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 2576
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 44KB
  MD5: c88dac6ec8ab0a19fda1d61924e2802d
  SHA1: d76355d70e0e6e0240b354e32d14579f2d1d05e6
  SHA256: a89e1d77795e91c62c1157838c6bbff7805ab63b1946039c8ef489237a7c8d86
  SHA512: d60003601c6069de6930c47a63bcdc3d3216180da3e3d2e8315c8ec19ff117eeba6d8407d8ff1fb7c3fc1e1a1005534f4d9f5cd4c464a6305069674d9ed2e810

File 2
  Filesize: 70KB
  MD5: ae702d156a2ee10aa0df4e5a365654a1
  SHA1: bad92787d53da53bda2f180f770752e679ba80c0
  SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
  SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c