Analysis
max time kernel: 30s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2024, 22:02
Static task: static1
Behavioral task: behavioral1
Sample: X-PROJECT.exe
Resource: win7-20240903-en
General
Target: X-PROJECT.exe
Size: 127KB
MD5: 967ae47a2ebbc731d6c8b5a92c07f4d9
SHA1: 5bc6d706c70976c7db73cfc7eb040a9dd6a0d381
SHA256: cb30232f405584a8cafc49eb0a44fafa1ef2849d3ebb4281bdad8322258af295
SHA512: a393f75acb878e05a5ddc2c2826c84dffd2f7f95cd92a0b0c6ff6048e3a6831dbdc30d0239d7e1a75af50a52272a210dbd368b65c1ff957805178e3682206d32
SSDEEP: 1536:SvFEDx0o36CRiHNcXasFsdLB74NsK7hoOPHIPILlQTYFWJOIs2cgJFyJy+lDt:SvFE736CUHWTaLu1nZLE/cgJF1+h
Malware Config
Extracted
Family: xworm
C2: 185.84.161.64:7000
Install_directory: %ProgramData%
install_file: svchost.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000c000000023b60-9.dat | family_xworm
behavioral2/memory/4744-17-0x0000000000AB0000-0x0000000000AC8000-memory.dmp | family_xworm

Xworm family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, most likely to geofence execution.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | X-PROJECT.exe
Executes dropped EXE (1 IoCs)
pid | Process
4744 | svchost.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
24 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4744 | svchost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 4380 wrote to memory of 1140 | 4380 | X-PROJECT.exe | 85
PID 4380 wrote to memory of 1140 | 4380 | X-PROJECT.exe | 85
PID 4380 wrote to memory of 4744 | 4380 | X-PROJECT.exe | 87
PID 4380 wrote to memory of 4744 | 4380 | X-PROJECT.exe | 87
PID 1140 wrote to memory of 3464 | 1140 | cmd.exe | 88
PID 1140 wrote to memory of 3464 | 1140 | cmd.exe | 88
PID 1140 wrote to memory of 1936 | 1140 | cmd.exe | 89
PID 1140 wrote to memory of 1936 | 1140 | cmd.exe | 89
PID 1140 wrote to memory of 208 | 1140 | cmd.exe | 91
PID 1140 wrote to memory of 208 | 1140 | cmd.exe | 91
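The WriteProcessMemory rows above are the sandbox's record of each CreateProcess (the sandbox logs two writes per spawned child, which is why every row appears twice). The following parser is an added example, not part of the report or of the sandbox's own tooling: it rebuilds the parent/child chain from rows in exactly that format, de-duplicates the paired writes, and rejects rows whose description and pid column disagree. The rows embedded in the block are copied from this report; child process names are not carried in these rows, so the renderer marks child-only PIDs instead of guessing them.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the report's "Suspicious use of WriteProcessMemory"
# table (description, pid, Process, procid_target flattened onto one line).
# The duplicates are genuine: one CreateProcess produces two write events.
WPM_ROWS = """\
PID 4380 wrote to memory of 1140 4380 X-PROJECT.exe 85
PID 4380 wrote to memory of 1140 4380 X-PROJECT.exe 85
PID 4380 wrote to memory of 4744 4380 X-PROJECT.exe 87
PID 4380 wrote to memory of 4744 4380 X-PROJECT.exe 87
PID 1140 wrote to memory of 3464 1140 cmd.exe 88
PID 1140 wrote to memory of 3464 1140 cmd.exe 88
PID 1140 wrote to memory of 1936 1140 cmd.exe 89
PID 1140 wrote to memory of 1936 1140 cmd.exe 89
PID 1140 wrote to memory of 208 1140 cmd.exe 91
PID 1140 wrote to memory of 208 1140 cmd.exe 91
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<target_idx>\d+)$"
)


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_name) for each well-formed row."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable row: {line!r}")
        if m["src"] != m["pid"]:
            # The description and the pid column must name the same writer;
            # anything else is a corrupted or hand-edited row.
            raise ValueError(f"pid mismatch in row: {line!r}")
        yield int(m["src"]), int(m["dst"]), m["proc"]


def build_tree(text):
    """Return ({parent_pid: sorted unique child pids}, {parent_pid: image name})."""
    children = defaultdict(set)
    names = {}
    for parent, child, name in parse_rows(text):
        children[parent].add(child)   # set membership collapses the paired writes
        names[parent] = name
    return {p: sorted(c) for p, c in children.items()}, names


def roots(tree):
    """PIDs that write to others but are never written to: the top of the chain."""
    all_children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in all_children)


def render(tree, names, pid, depth=0):
    """Indented text rendering of the chain rooted at pid, one PID per line."""
    label = names.get(pid, "<child only; name not in these rows>")
    lines = [f"{'  ' * depth}{pid} {label}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, names = build_tree(WPM_ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, names, root)))
```

Run against the report's rows this yields a single root, 4380 (X-PROJECT.exe), with children 1140 and 4744, and 1140 (cmd.exe) with children 208, 1936 and 3464, which is the same shape as the Processes section below; the value of doing it from the IoC table is that it works on reports where the tree view was not captured.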
Processes

C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe
  "C:\Users\Admin\AppData\Local\Temp\X-PROJECT.exe"
  PID: 4380
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\X-PROJECT.bat" "
    PID: 1140
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
      PID: 3464

    C:\Windows\system32\mode.com
      Mode 100,22
      PID: 1936

    C:\Windows\system32\chcp.com
      chcp 65001
      PID: 208

  C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 4744
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
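Two things in this tree are worth turning into detection logic. First, the payload is dropped as svchost.exe under a user profile path (C:\Users\Admin\AppData\Roaming) and spawned by a user-land executable, whereas a real svchost.exe lives in System32/SysWOW64 and is started by services.exe; note that the extracted config says %ProgramData% while the sandbox observed %AppData%\Roaming, so a rule keyed to one directory would miss the other. Second, the network signatures give a concrete C2 socket (185.84.161.64:7000) and an ip-api.com lookup from the dropped binary. The three cmd.exe children (the prompt $E trick to capture an escape character, mode to size the console, chcp 65001 for UTF-8) are ordinary console setup used by batch scripts that print coloured output and are not themselves indicators. The block below is an added example, not code from the report or from the sandbox vendor: a small rule set run over constructed Sysmon-style process-create and network-connect events modelled on this tree, plus one benign svchost.exe control event so the path rule can be seen to stay quiet. Field names on the Event class and the parent of X-PROJECT.exe (explorer.exe) are assumptions for illustration.

```python
from dataclasses import dataclass

# Indicators taken from the report: extracted XWorm C2 and the IP-lookup host.
XWORM_C2 = ("185.84.161.64", 7000)
IP_LOOKUP_HOSTS = {"ip-api.com"}

# Where a genuine copy of a system binary may legitimately run from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# install_file from the config; matched by name because the config's
# %ProgramData% and the observed %AppData%\Roaming drop paths differ.
MASQUERADED_NAMES = {"svchost.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like event (field names are an assumption of this example)."""
    kind: str                 # "process" (EID 1-like) or "network" (EID 3-like)
    pid: int
    image: str
    parent_image: str = ""
    cmdline: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    dest_host: str = ""


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerading_system_binary(path):
    """A system-binary name (svchost.exe) running from outside System32/SysWOW64."""
    p = path.lower()
    return image_name(p) in MASQUERADED_NAMES and not p.startswith(SYSTEM_DIRS)


def is_user_writable(path):
    """Locations an unprivileged user can write to; both drop paths on this page qualify."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def evaluate(event):
    """Return the list of rule names a single event triggers (empty for benign events)."""
    hits = []
    if event.kind == "process":
        masq = is_masquerading_system_binary(event.image)
        if masq:
            hits.append("svchost_outside_system32")
        if masq and is_user_writable(event.parent_image):
            hits.append("svchost_spawned_by_userland_parent")
        cl = event.cmdline.lower()
        if image_name(event.image) == "cmd.exe" and ".bat" in cl and "\\appdata\\roaming\\" in cl:
            hits.append("cmd_runs_bat_from_roaming")
    elif event.kind == "network":
        if (event.dest_ip, event.dest_port) == XWORM_C2:
            hits.append("xworm_c2_from_report")
        if event.dest_host.lower() in IP_LOOKUP_HOSTS and is_user_writable(event.image):
            hits.append("ip_lookup_from_userland_binary")
    return hits


def scan(events):
    """Aggregate rule hits per PID across a stream of events."""
    results = {}
    for e in events:
        results.setdefault(e.pid, []).extend(evaluate(e))
    return results


# Constructed events modelled on the report's process tree and network signatures.
SAMPLE_EVENTS = [
    Event("process", 4380, "C:\\Users\\Admin\\AppData\\Local\\Temp\\X-PROJECT.exe",
          parent_image="C:\\Windows\\explorer.exe"),                     # parent assumed
    Event("process", 1140, "C:\\Windows\\system32\\cmd.exe",
          parent_image="C:\\Users\\Admin\\AppData\\Local\\Temp\\X-PROJECT.exe",
          cmdline='C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Roaming\\X-PROJECT.bat" "'),
    Event("process", 4744, "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
          parent_image="C:\\Users\\Admin\\AppData\\Local\\Temp\\X-PROJECT.exe"),
    Event("process", 900, "C:\\Windows\\System32\\svchost.exe",
          parent_image="C:\\Windows\\System32\\services.exe"),            # benign control
    Event("network", 4744, "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
          dest_ip="185.84.161.64", dest_port=7000),
    Event("network", 4744, "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
          dest_host="ip-api.com"),                                        # resolved IP not on the page
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
```

The path rule is the durable one: the C2 address will rotate, but a binary named svchost.exe outside the Windows directory, started by something under C:\Users, is wrong on every host regardless of family. Treat the ip-api.com rule as a weak signal on its own and combine it with the process-path hit, since legitimate software also queries that service.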
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 44KB
MD5: c88dac6ec8ab0a19fda1d61924e2802d
SHA1: d76355d70e0e6e0240b354e32d14579f2d1d05e6
SHA256: a89e1d77795e91c62c1157838c6bbff7805ab63b1946039c8ef489237a7c8d86
SHA512: d60003601c6069de6930c47a63bcdc3d3216180da3e3d2e8315c8ec19ff117eeba6d8407d8ff1fb7c3fc1e1a1005534f4d9f5cd4c464a6305069674d9ed2e810

Filesize: 70KB
MD5: ae702d156a2ee10aa0df4e5a365654a1
SHA1: bad92787d53da53bda2f180f770752e679ba80c0
SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c