Analysis

  • max time kernel
    125s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-10-2024 20:09

General

  • Target

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe

  • Size

    1.6MB

  • MD5

    9d8b111c3743b5b77fdd8fce1e30b50c

  • SHA1

    963e2bb076141300843bc8b61d6808ebd7a6dfae

  • SHA256

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

  • SHA512

    0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f

  • SSDEEP

    24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe
    "C:\Users\Admin\AppData\Local\Temp\13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
      "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
      2⤵
      • Executes dropped EXE
      PID:2892
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
    • C:\ProgramData\msedgewebview2.exe
      "C:\ProgramData\msedgewebview2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1000
      • C:\Windows\system32\schtasks.exe
        "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 20:14 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1780
      • C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
        "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:900
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:2820

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp.cmd

    Filesize

    147B

    MD5

    f6df63a72865c8101a43fdeaa872a67b

    SHA1

    0849942ab178f9361ff9898712b82f5a90ff7dc3

    SHA256

    e35aa40b52cfd621c77feacd303cbff3aa46baf37562835559e1d429f8fb7c24

    SHA512

    7cf9bd69fd31d86cddb23015ea3c89a3c98a71c10f07fa0bbd3f9437459a2f867eaf067aacb046f1fc02d5d06551b87e06b9585ff3c876178edc8869f578248e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    45b7ce57cf031c2131960dca48ab4c9e

    SHA1

    acf8ca21157f20cd68a839205df015bfc1ce4b5e

    SHA256

    058d4c0e7b5553d61078a5cdf4443ecd9fa2e76a64aef63185588d7e9e2fd6bc

    SHA512

    9cf24183544983e5976c2e969d6fe557a09469448704558542b24d9f3bfc59114682d1384feec1d13e150bbcb12b6a605a340cae57f1fdacfc6d9915b184d782

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    1097d3eeb2f913fe0595f065be983912

    SHA1

    7ab5fd48c9f5c64bf81cdeabd56e54e40da27f30

    SHA256

    9decdb662d2088a516633f993922ea213c19eaaf77db72af3ffc94f84933637d

    SHA512

    a822d571e5d52068d324ec75aec80c6124249e72fd3ecca3b99e578da1c0da31870c7b0d738072e936eb158b2fb0ef29015acca10bf6b4b32db4228faf856e70

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    65KB

    MD5

    36dde308d5e09405a94dad6844ca0c44

    SHA1

    c585d502f48206f767f97ac7f7acd4112c314ccc

    SHA256

    c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b

    SHA512

    5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923

  • \Users\Admin\AppData\Local\Temp\SilverBulletPro.exe

    Filesize

    602KB

    MD5

    347d21e54202cc42486f1be0f38ebea1

    SHA1

    f3a17fd7d1581928d8bf773c0f99433da64253db

    SHA256

    80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad

    SHA512

    620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9

  • memory/900-75-0x0000000000BD0000-0x0000000000C12000-memory.dmp

    Filesize

    264KB

  • memory/1000-61-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

    Filesize

    2.9MB

  • memory/1240-53-0x0000000000FE0000-0x0000000001022000-memory.dmp

    Filesize

    264KB

  • memory/2380-18-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

    Filesize

    9.9MB

  • memory/2380-38-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

    Filesize

    4KB

  • memory/2380-46-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

    Filesize

    9.9MB

  • memory/2380-54-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

    Filesize

    9.9MB

  • memory/2380-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

    Filesize

    4KB

  • memory/2380-1-0x0000000000D20000-0x0000000000EB6000-memory.dmp

    Filesize

    1.6MB

  • memory/2780-31-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

    Filesize

    32KB

  • memory/2780-30-0x000000001B140000-0x000000001B422000-memory.dmp

    Filesize

    2.9MB

  • memory/2924-24-0x0000000001F40000-0x0000000001F48000-memory.dmp

    Filesize

    32KB

  • memory/2924-23-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

    Filesize

    2.9MB

  • memory/3060-17-0x0000000001350000-0x0000000001366000-memory.dmp

    Filesize

    88KB