Analysis

  • max time kernel
    30s
  • max time network
    7s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 22:03

General

  • Target

    WEAPON BET 100.exe

  • Size

    14.4MB

  • MD5

    ec6587965932d9cea6d50b3f8e49f7b7

  • SHA1

    38208370466942f3951fa6826c7e542257d76023

  • SHA256

    ba927af3496ca0cb71e48e0f402a8b25d59ff78323a0ee82c39a51fbe3d4789b

  • SHA512

    3edd2b01c8d703d7adaab8189dfdc377ff9bf093a432aa5b68b3986876071e72834012fcc5b7559cbfa3535145427e6c4ca218cca7710ca2f08be873ee3fb452

  • SSDEEP

    393216:hxJ8UAUPC1PHnCTBknPW9m/UeSD4u7ttU:hxmUAUK1PHnmCWsX2t

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 24 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WEAPON BET 100.exe
    "C:\Users\Admin\AppData\Local\Temp\WEAPON BET 100.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Roaming\WEAPON BET 100.exe
      "C:\Users\Admin\AppData\Roaming\WEAPON BET 100.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\WEAPON BET 100.exe
        "C:\Users\Admin\AppData\Roaming\WEAPON BET 100.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c
          4⤵
            PID:2428
          • C:\Windows\System32\Wbem\wmic.exe
            wmic csproduct get uuid
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1768
          • C:\Windows\System32\Wbem\wmic.exe
            wmic csproduct get uuid
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:656
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3532

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

            Filesize

            82KB

            MD5

            fe499b0a9f7f361fa705e7c81e1011fa

            SHA1

            cc1c98754c6dab53f5831b05b4df6635ad3f856d

            SHA256

            160b5218c2035cccbaab9dc4ca26d099f433dcb86dbbd96425c933dc796090df

            SHA512

            60520c5eb5ccc72ae2a4c0f06c8447d9e9922c5f9f1f195757362fc47651adcc1cdbfef193ae4fec7d7c1a47cf1d9756bd820be996ae145f0fbbbfba327c5742

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

            Filesize

            173KB

            MD5

            eea3e12970e28545a964a95da7e84e0b

            SHA1

            c3ccac86975f2704dabc1ffc3918e81feb3b9ac1

            SHA256

            61f00b0543464bba61e0bd1128118326c9bd0cdc592854dd1a31c3d6d8df2b83

            SHA512

            9bd5c83e7e0ab24d6be40a31ac469a0d9b4621a2a279a5f3ab2fc6401a08c54aec421bc9461aed533a0211d7dbda0c264c5f05aeb39138403da25c8cda0339e6

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_tkinter.pyd

            Filesize

            64KB

            MD5

            ed2305190284e384a31337094c9f5239

            SHA1

            eb8faebf9fe9438541ca65b9892badc2233a405d

            SHA256

            2cad195ba200cd94702403559323c7abf3772a20203a11beae03770a04437de2

            SHA512

            139c83ebf748720e64c7a6a8f00f45755d17cd8f754cadc0804ece5753c02e5c95210a8b96a92fff89148ba34568f8b1bd6c33d1d3ba7a75f881446956876893

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_wmi.pyd

            Filesize

            37KB

            MD5

            fda7d7aada1d15cab2add2f4bd2e59a1

            SHA1

            7e61473f2ad5e061ef59105bf4255dbe7db5117a

            SHA256

            b0ed1c62b73b291a1b57e3d8882cc269b2fcbb1253f2947da18d9036e0c985d9

            SHA512

            95c2934a75507ea2d8c817da7e76ee7567ec29a52018aef195fac779b7ffb440c27722d162f8e416b6ef5d3fd0936c71a55776233293b3dd0124d51118a2b628

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

            Filesize

            292KB

            MD5

            50ea156b773e8803f6c1fe712f746cba

            SHA1

            2c68212e96605210eddf740291862bdf59398aef

            SHA256

            94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

            SHA512

            01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

            Filesize

            120KB

            MD5

            bf9a9da1cf3c98346002648c3eae6dcf

            SHA1

            db16c09fdc1722631a7a9c465bfe173d94eb5d8b

            SHA256

            4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

            SHA512

            7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

            Filesize

            5.0MB

            MD5

            123ad0908c76ccba4789c084f7a6b8d0

            SHA1

            86de58289c8200ed8c1fc51d5f00e38e32c1aad5

            SHA256

            4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

            SHA512

            80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll

            Filesize

            1.7MB

            MD5

            bed46aa40c392c9068aed5f94857d398

            SHA1

            227561d5f6a592dedd7a8b0ffe0c284f9bbf23e8

            SHA256

            22a1746363151a19e02f92f9b7bc4849038783be34c04f311a11df69fdc1a039

            SHA512

            04850421617366faeaa711fd28dcf58ff1bc5aa2b0cb962fbfc47b5ae645b3726f3decc19d0b36b23c6b00210badeefc67f83ba6f0a81d6de57dc27001ac19be

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll

            Filesize

            1.5MB

            MD5

            6ddb534ef5c74627802ceef0c90b38f3

            SHA1

            ffa3b78435e7a121ba6a3de32a7c3950a3f1cb28

            SHA256

            f44fa94865d17e4f0266c8f9a1dd89825d8a0c6c3a63cf4192fc08c8796acabf

            SHA512

            0cf66eeaa3aef2c7da560c370865bbd84ac2e94536bf751907bf42f36c05b5d0c46f883b1f35daf9e21e8eec1a7fcad439e21a23e114ab0a3a0daf39e8c95eb0

          • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zlib1.dll

            Filesize

            143KB

            MD5

            2849986dadc875a7a92889eced861a36

            SHA1

            c723d5e55deb07699f2fc83999b07bd9dab1182e

            SHA256

            84cc14c704067bffd2b4dd411abe752eb492431814cf9ac13417d061a3db0ec3

            SHA512

            b8376fe9ead1f43eebbaee92e649ba528b3eb2d2b774534f46511ea0a1da743438e03bb793b9bc02a59fbadd5ae32e537c29522dd205d2a4d3e584357fa1bdd6

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\WEAPON BET 100.exe

            Filesize

            25.8MB

            MD5

            eeb83a4de48e7728200bb54df8af9439

            SHA1

            105519ee0b6fba1ee8e0535dd708ea3a2c73c530

            SHA256

            6e43d6c7080317fdc38815a41c0c124319b287f6263f9b3885457391e3cf1dbb

            SHA512

            5c9dbf542e6ea50a1126344518ebe354bf3f6594402e33feab80f4d05113ee3c5572117b9e5bbc845ab5067f8720c87e7649b03b2cc3c4869ed3346b9bb721ef

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\_ctypes.pyd

            Filesize

            122KB

            MD5

            302ddf5f83b5887ab9c4b8cc4e40b7a6

            SHA1

            0aa06af65d072eb835c8d714d0f0733dc2f47e20

            SHA256

            8250b4c102abd1dba49fc5b52030caa93ca34e00b86cee6547cc0a7f22326807

            SHA512

            5ddc2488fa192d8b662771c698a63faaf109862c8a4dd0df10fb113aef839d012df58346a87178aff9a1b369f82d8ae7819cef4aad542d8bd3f91327feace596

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\_hashlib.pyd

            Filesize

            64KB

            MD5

            0abfee1db6c16e8ddaff12cd3e86475b

            SHA1

            b2dda9635ede4f2841912cc50cb3ae67eea89fe7

            SHA256

            b4cec162b985d34ab768f66e8fa41ed28dc2f273fde6670eeace1d695789b137

            SHA512

            0a5cae4e3442af1d62b65e8bf91e0f2a61563c2b971bbf008bfb2de0f038ee472e7bfcc88663dc503b2712e92e6a7e6a5f518ddab1fab2eb435d387b740d2d44

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\_lzma.pyd

            Filesize

            154KB

            MD5

            e3e7e99b3c2ea56065740b69f1a0bc12

            SHA1

            79fa083d6e75a18e8b1e81f612acb92d35bb2aea

            SHA256

            b095fa2eac97496b515031fbea5737988b18deee86a11f2784f5a551732ddc0c

            SHA512

            35cbc30b1ccdc4f5cc9560fc0149373ccd9399eb9297e61d52e6662bb8c56c6a7569d8cfad85aeb057c10558c9352ae086c0467f684fdcf72a137eadf563a909

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\_queue.pyd

            Filesize

            31KB

            MD5

            941a3757931719dd40898d88d04690cb

            SHA1

            177ede06a3669389512bfc8a9b282d918257bf8b

            SHA256

            bbe7736caed8c17c97e2b156f686521a788c25f2004aae34ab0c282c24d57da7

            SHA512

            7cfba5c69695c492bf967018b3827073b0c2797b24e1bd43b814fbbb39d1a8b32a2d7ef240e86046e4e07aa06f7266a31b5512d04d98a0d2d3736630c044546e

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\_socket.pyd

            Filesize

            81KB

            MD5

            632336eeead53cfad22eb57f795d5657

            SHA1

            62f5f73d21b86cd3b73b68e5faec032618196745

            SHA256

            ce3090fff8575b21287df5fc69ae98806646fc302eefadf85e369ad3debad92b

            SHA512

            77965b45060545e210cdb044f25e5fd68d6a9150caf1cad7645dbafcf1ce8e1ccbdf8436fbdcbf5f9c293321c8916e114de30ed8897c7db72df7f8d1f98dfb55

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\charset_normalizer\md.pyd

            Filesize

            10KB

            MD5

            d9e0217a89d9b9d1d778f7e197e0c191

            SHA1

            ec692661fcc0b89e0c3bde1773a6168d285b4f0d

            SHA256

            ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

            SHA512

            3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\libffi-8.dll

            Filesize

            38KB

            MD5

            0f8e4992ca92baaf54cc0b43aaccce21

            SHA1

            c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

            SHA256

            eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

            SHA512

            6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\libssl-3.dll

            Filesize

            774KB

            MD5

            4ff168aaa6a1d68e7957175c8513f3a2

            SHA1

            782f886709febc8c7cebcec4d92c66c4d5dbcf57

            SHA256

            2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

            SHA512

            c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\python312.dll

            Filesize

            6.6MB

            MD5

            b243d61f4248909bc721674d70a633de

            SHA1

            1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

            SHA256

            93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

            SHA512

            10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\select.pyd

            Filesize

            30KB

            MD5

            7e871444ca23860a25b888ee263e2eaf

            SHA1

            aa43c9d3abdb1aabda8379f301f8116d0674b590

            SHA256

            dca5e6d39c5094ce599143cb82f6d8470f0c2a4ce4443499e73f32ed13333fd0

            SHA512

            2e260d3123f7ca612901513b90fe40739e85248da913297d4cca3b2ebd398d9697880d148830e168e474ebfc3d30ede10668c7316ed7668f8b39da7bca59e57d

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\tcl\encoding\cp1252.enc

            Filesize

            1KB

            MD5

            e9117326c06fee02c478027cb625c7d8

            SHA1

            2ed4092d573289925a5b71625cf43cc82b901daf

            SHA256

            741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

            SHA512

            d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\unicodedata.pyd

            Filesize

            1.1MB

            MD5

            098cc6ad04199442c3e2a60e1243c2dc

            SHA1

            4c92c464a8e1e56e1c4d77cd30a0da474a026aaf

            SHA256

            64a162d6b11ba10cb11509f3cc445f17beb7acfd064f030b4d59faa1c9894b29

            SHA512

            73c28488b42a0bc2f0d2861fed3f5dcccf8959ce19d3121c13c998db496f2822deb40f36f86240c8d3954fd2dc2ba5d63c8a125b62324dcd92fb6c8ba49ff170

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\vcruntime140.dll

            Filesize

            117KB

            MD5

            862f820c3251e4ca6fc0ac00e4092239

            SHA1

            ef96d84b253041b090c243594f90938e9a487a9a

            SHA256

            36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

            SHA512

            2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\vcruntime140_1.dll

            Filesize

            48KB

            MD5

            68156f41ae9a04d89bb6625a5cd222d4

            SHA1

            3be29d5c53808186eba3a024be377ee6f267c983

            SHA256

            82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

            SHA512

            f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\winsound.pyd

            Filesize

            29KB

            MD5

            974b5bd2cdf12789d2ea6f07f19ff964

            SHA1

            2673cf0f86d70e85ac2c01207b699c8b169567c4

            SHA256

            4289c991ae42673c43b4b455b6883e4d2583a145813856727fb4bd5bb3e9019e

            SHA512

            8c060f03734d943ca95f16d612ddb4b8ff326aba2fc7839068e9ed3e7a4e70cfefa6f50a6d9362576321dd6d7e10928018b3221270add954691697356d50f85a

          • C:\Users\Admin\AppData\Local\Temp\onefile_5008_133747129989887877\zstandard\backend_c.pyd

            Filesize

            508KB

            MD5

            0fc69d380fadbd787403e03a1539a24a

            SHA1

            77f067f6d50f1ec97dfed6fae31a9b801632ef17

            SHA256

            641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc

            SHA512

            e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

          • C:\Users\Admin\AppData\Roaming\WEAPON BET 100.exe

            Filesize

            14.3MB

            MD5

            8d7c142902b2e17ca69a524bc60a59f9

            SHA1

            1e61fdf62bea074e6fa00cacf23e9bdb88990950

            SHA256

            e6f89e70121ab6830e4ec097aed9800fc4fcfecb0d79271480e0f56fe1280d6c

            SHA512

            2e8113b952ba09c86cf11bd4c90c49b7b0340e30b2c1d4f9fc1041ec216e0c73ed011aac5398d7ea29b6d98f1cd160afeecd9c78eb4dd28f6734ac304eaad612

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            70KB

            MD5

            ae702d156a2ee10aa0df4e5a365654a1

            SHA1

            bad92787d53da53bda2f180f770752e679ba80c0

            SHA256

            07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716

            SHA512

            3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

          • memory/2668-0-0x00007FFBD8413000-0x00007FFBD8415000-memory.dmp

            Filesize

            8KB

          • memory/2668-1-0x0000000000EB0000-0x0000000001D24000-memory.dmp

            Filesize

            14.5MB

          • memory/3532-29-0x0000000000310000-0x0000000000328000-memory.dmp

            Filesize

            96KB

          • memory/3532-1046-0x000000001C700000-0x000000001C7FF000-memory.dmp

            Filesize

            1020KB

          • memory/4072-1048-0x00007FFBEC900000-0x00007FFBEC92A000-memory.dmp

            Filesize

            168KB

          • memory/4072-1047-0x00007FF60D1C0000-0x00007FF60EBDF000-memory.dmp

            Filesize

            26.1MB

          • memory/5008-1984-0x00007FF648F00000-0x00007FF649D84000-memory.dmp

            Filesize

            14.5MB