Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-10-2024 20:06

General

  • Target

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe

  • Size

    1.6MB

  • MD5

    9d8b111c3743b5b77fdd8fce1e30b50c

  • SHA1

    963e2bb076141300843bc8b61d6808ebd7a6dfae

  • SHA256

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

  • SHA512

    0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f

  • SSDEEP

    24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, or processes. Here the dropped %AppData%\svchost.exe and the %LocalAppData%\msedgewebview2 directory are excluded by path, and svchost.exe is excluded by process name, so any process with that name is no longer scanned.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here it creates a daily task (/sc daily /ri 1 /du 23:59) that relaunches msedgewebview2.exe from %LocalAppData% every minute for almost the whole day, and /f overwrites any existing task of that name.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
    "C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
      "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
      2⤵
      • Executes dropped EXE
      PID:452
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:548
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\system32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:11 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1676
      • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFB3.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:1384

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFFB3.tmp.cmd

    Filesize

    147B

    MD5

    c7fd50cee08e949c8b50169a73950499

    SHA1

    f46aa1a82245f93e9b3e321fe3f27291fdd154f0

    SHA256

    e8ed2b4ac5073cbd8a753bce648a4d5a0344199c896eb1b8be054f9ada012546

    SHA512

    8f55308c0e96a2db0e9d81d088ed645a79a3e75e86cf5da56fba9005d9a82a039ba42f0979c248fc31222172bd620d239719f5b3b8bff771be76bf9e34d371c2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    aecdda7b40a91f6f4b181de0128ffc1c

    SHA1

    94a2454e2f08e29d5519123a933afb0e2b4df456

    SHA256

    9f3f191a78c0e24fc8009d40c9e537f1b717ae7b699aeae90215de57ed920cef

    SHA512

    ab6de5439e5adad7c5b65a2478c37e7cf45b80f1a1ef4920d441f8c609f670d4a453a4b40c48a07a906d36b9ac3335a00ccb130fa64b1dcf1fb08c087990d58c

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    65KB

    MD5

    36dde308d5e09405a94dad6844ca0c44

    SHA1

    c585d502f48206f767f97ac7f7acd4112c314ccc

    SHA256

    c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b

    SHA512

    5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\SilverBulletPro.exe

    Filesize

    602KB

    MD5

    347d21e54202cc42486f1be0f38ebea1

    SHA1

    f3a17fd7d1581928d8bf773c0f99433da64253db

    SHA256

    80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad

    SHA512

    620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9

  • memory/488-34-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

  • memory/488-30-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

  • memory/692-23-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

    Filesize

    2.9MB

  • memory/692-24-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

    Filesize

    32KB

  • memory/1160-17-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1836-18-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1836-39-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1836-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

    Filesize

    4KB

  • memory/1836-1-0x0000000000CD0000-0x0000000000E66000-memory.dmp

    Filesize

    1.6MB

  • memory/2196-58-0x0000000002670000-0x0000000002678000-memory.dmp

    Filesize

    32KB

  • memory/2296-71-0x00000000001A0000-0x00000000001E2000-memory.dmp

    Filesize

    264KB

  • memory/2780-38-0x00000000000A0000-0x00000000000E2000-memory.dmp

    Filesize

    264KB
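The Downloads list above mixes dropped files with objects whose bytes were never captured: the `\??\PIPE\srvsvc` entry carries the digests of zero-length input (MD5 d41d8cd9…, SHA1 da39a3ee…, SHA256 e3b0c442…, SHA512 cf83e135…), and the `.customDestinations-ms` file is a Windows jump list written by the shell. The script below is an added example, not part of the sandbox report: it recomputes the four digests the report lists, flags empty-content placeholders, and picks out the SHA256 values that are actually worth blocking. The `ENTRIES` records are constructed from the list above; the function names and the "OS artifact" rule are assumptions for this example.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_set(data: bytes) -> dict:
    """All four digests the report lists, as lower-case hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


# Digests of zero-length input. An entry carrying these recorded an object whose
# content was never captured (a named-pipe open, here), not a dropped file.
EMPTY = digest_set(b"")


def is_empty_content(entry: dict) -> bool:
    present = [a for a in ALGOS if a in entry]
    return bool(present) and all(entry[a].lower() == EMPTY[a] for a in present)


def verify_sample(data: bytes, entry: dict) -> list:
    """Algorithms whose reported digest does not match `data` (empty list = match)."""
    computed = digest_set(data)
    return [a for a in ALGOS if a in entry and entry[a].lower() != computed[a]]


def is_os_artifact(path: str) -> bool:
    # Jump-list files under Recent\CustomDestinations are written by the shell itself
    # (assumption for this example: treat them as noise, not as an indicator).
    p = path.lower()
    return "\\recent\\customdestinations\\" in p and p.endswith(".customdestinations-ms")


def select_file_iocs(entries: list) -> set:
    """SHA256 values of real dropped files: no empty placeholders, no OS artifacts."""
    return {e["sha256"] for e in entries
            if "sha256" in e and not is_empty_content(e) and not is_os_artifact(e["path"])}


# Constructed from the Downloads list above; hashes as printed in the report.
ENTRIES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\tmpFFB3.tmp.cmd",
     "md5": "c7fd50cee08e949c8b50169a73950499",
     "sha256": "e8ed2b4ac5073cbd8a753bce648a4d5a0344199c896eb1b8be054f9ada012546"},
    {"path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
     "sha256": "9f3f191a78c0e24fc8009d40c9e537f1b717ae7b699aeae90215de57ed920cef"},
    {"path": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "md5": "36dde308d5e09405a94dad6844ca0c44",
     "sha256": "c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b"},
    {"path": r"\??\PIPE\srvsvc",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
               "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
    {"path": r"\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe",
     "sha256": "80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad"},
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{'empty' if is_empty_content(e) else 'file ':5} {e['path']}")
    print(sorted(select_file_iocs(ENTRIES)))
```

`verify_sample` is what you run once you have the bytes of a dropped file in hand (for example after pulling `svchost.exe` from an infected host) to confirm it is the same artifact the report describes before acting on its indicators; a mismatch on one algorithm only usually means a transcription error, a mismatch on all of them means a different file.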