Analysis

  • max time kernel
    30s
  • max time network
    30s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 22:03

General

  • Target

    Dekbangtlez.exe

  • Size

    675KB

  • MD5

    ed8c4275d9e7eb916315fec83f38375f

  • SHA1

    ee3943deb752b8f85124f5d4885a1914ac6e7d61

  • SHA256

    0dc0610dbac4926a7d3ab442dba98ed1efdea06c7b53b690d1cd2a85e77af3fd

  • SHA512

    c2fdec5c745d8dd71cd586227909c2c6c917fca9e6ffc98bb9d7d82fb6206c545f3dc6cac7f266b074a3e06c7fae447e9516ecc66dc24122d3efa01e428b99d7

  • SSDEEP

    12288:RtQ/bSl7hk4oSEBOZh0XLiWH/2stVM/Ta5CCoyychTyS8VZmsCj3HvzBLk:xl7h1oScQh0XZH/2Ii2oyFhTyzmsCjXa

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

45.141.26.194:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe
    "C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe
      "C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\ProgramData\Dekbangtlez.exe
        "C:\ProgramData\Dekbangtlez.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c mode 70,10
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Windows\system32\mode.com
            mode 70,10
            5⤵
              PID:4088
        • C:\ProgramData\Update.exe
          "C:\ProgramData\Update.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4424
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3960

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\ProgramData\Dekbangtlez.exe

            Filesize

            498KB

            MD5

            84416279a7351a91459d74dcea00fc7c

            SHA1

            5b9930ef311221e61a3ac7070ea423474e588f76

            SHA256

            c7b8225f79a9aee29c753d4442a1884711a73aa90956f055278f9fac083d1392

            SHA512

            1d712f30db5c75067bf50acf1015fbae0577e7c0b9242a6bff23e2c13648eca52d58e82f5a08d69cc8f80c72b4bcc6e8a6acd7797d725fa2349dca70871460e5

          • C:\ProgramData\Update.exe

            Filesize

            80KB

            MD5

            da9a4e81a524746aaba1013d22b8fda1

            SHA1

            6069cf40c5989d407afceb1ad85b511278ac309e

            SHA256

            0f927c26e97088f77bcec0ce7c273d3b6674b0c3b31cd802f2a1999235f6a038

            SHA512

            34d05ead4af3468d5411b99c2027945cc37eb7633add16f169cdb0963dd533aee355ab0396dfea468abcbf557180f1d2c88f34a831aded1251be3b1a8206386c

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Dekbangtlez.exe.log

            Filesize

            654B

            MD5

            11c6e74f0561678d2cf7fc075a6cc00c

            SHA1

            535ee79ba978554abcb98c566235805e7ea18490

            SHA256

            d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

            SHA512

            32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

          • C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe

            Filesize

            590KB

            MD5

            c1ad42cb1379c36cd605cbd758bc5001

            SHA1

            1a471c3089ca4acc7bbef2423717ae8e89e8906c

            SHA256

            6d69c9b00d9af49c3267f0aa6c77cde27f9a37e60aa03849bc6796b94b2c8d59

            SHA512

            909f1b2b5f2ebd7486e5a2947b8e61d4688dc05906166cf227eff27a0021a4913ee25b4854dca928bc1b279a621041f260f58b46933043cbb128a6abf02c8c12

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            70KB

            MD5

            ae702d156a2ee10aa0df4e5a365654a1

            SHA1

            bad92787d53da53bda2f180f770752e679ba80c0

            SHA256

            07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716

            SHA512

            3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

          • memory/1428-39-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

            Filesize

            10.8MB

          • memory/1428-30-0x0000000000010000-0x00000000000AA000-memory.dmp

            Filesize

            616KB

          • memory/1428-60-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

            Filesize

            10.8MB

          • memory/1572-0-0x00007FFB4AEA3000-0x00007FFB4AEA5000-memory.dmp

            Filesize

            8KB

          • memory/1572-1-0x0000000000850000-0x0000000000900000-memory.dmp

            Filesize

            704KB

          • memory/3960-32-0x0000000000970000-0x0000000000988000-memory.dmp

            Filesize

            96KB

          • memory/3960-59-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

            Filesize

            10.8MB

          • memory/3960-63-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

            Filesize

            10.8MB

          • memory/4424-61-0x0000000000F50000-0x0000000000F6A000-memory.dmp

            Filesize

            104KB