Analysis

  • max time kernel
    30s
  • max time network
    6s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 22:03

General

  • Target

    3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe

  • Size

    88KB

  • MD5

    d5193774c90ba82c65541beadd6c313e

  • SHA1

    3925fc50ab0c8ce843e08941cb3f418a7eae379b

  • SHA256

    c3673d01d7ccd2a3c7735b8b00b050f731e73af3feb6e5b14bf3689bf89b884c

  • SHA512

    f4a4e24cc173458222a742d00bf461623ab0fba5309d3d275ba93a6840a267c8d460479767f1e637e53a6933d734ce76b7e9f579b7ff3711e582eb4caf8bca54

  • SSDEEP

    1536:Pm1GBOZ7//G3CFdS313hZsB77buO4MHXpZqVhrcLEuwTnq:PmMq7bFdSF3mXimyV5mEjnq

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe
    "C:\Users\Admin\AppData\Local\Temp\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        3⤵
        PID:2388
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:3228
      • C:\Windows\system32\mode.com
        mode 103,5
        3⤵
        PID:3700
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4308
      • C:\Windows\system32\mode.com
        mode 120,17
        3⤵
        PID:4652
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat
    Filesize: 5KB
    MD5: 1a29286ae9d746284b195a34811f5e89
    SHA1: 2418da95e35c84e8b922cd6c525463bab7e43a06
    SHA256: 061d3b55f7cfd4bd35e48768fb993a1444d5ed4990cda5ef813220715325f630
    SHA512: 370288124edecdfb611d65b93f2ed9c0205299653a0819d351b226a595c4a4fda636c50444d3bac2c43c4678119cf53b7c9e5d1bc69f16452be16eb720b90c07

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 70KB
    MD5: ae702d156a2ee10aa0df4e5a365654a1
    SHA1: bad92787d53da53bda2f180f770752e679ba80c0
    SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
    SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

  • memory/3020-0-0x00007FFA346C3000-0x00007FFA346C5000-memory.dmp
    Filesize: 8KB

  • memory/3020-1-0x0000000000480000-0x000000000049C000-memory.dmp
    Filesize: 112KB

  • memory/4876-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp
    Filesize: 96KB

  • memory/4876-25-0x00007FFA346C0000-0x00007FFA35182000-memory.dmp
    Filesize: 10.8MB

  • memory/4876-26-0x00007FFA346C0000-0x00007FFA35182000-memory.dmp
    Filesize: 10.8MB