Analysis

  • max time kernel
    128s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 02:20

General

  • Target

    4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe

  • Size

    163KB

  • MD5

    72f5f19b35b22d82d8459f5e0739c248

  • SHA1

    0218dd2b354dcfdff2a11d06b6cf57f53987e9eb

  • SHA256

    4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1

  • SHA512

    ae5fb16700e76a79049b9b92f13ead1d611b490a1e447adcc1a6da35be611e2c1e2fc618d17cc4f3a2052fd9b4cf261e12c1464474590c30647a40580e9e2d07

  • SSDEEP

    1536:9QJaAtooQh0elU0qT9rbRCKGOjEkb2yMnx8Xb627dOnZzWEU:eJaNp9lVYoKGNkb2ymxMhOnZSEU

Malware Config

Extracted

Family

xworm

C2

vehicle-temp.gl.at.ply.gg:1930

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    MicrosoftClient.exe

  • telegram

    https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe
    "C:\Users\Admin\AppData\Local\Temp\4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\MicrosoftClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          e07434875f4889ec4046e5541317b9b5

          SHA1

          e36b889d5456e6deecfdc5296b6bc156e6bc012a

          SHA256

          31af0ec31f412d19211aa04a41353766800801c8593bf461fd2e4ca59ef96e8b

          SHA512

          6bb95584dff550c769d4fd16022cee8e312d8b98fac047055e5534b5b1e56e5bbf62ed95cbb04a228dbed4d5933b019c2814b7f62ea2f06e09c9a438c7e0bdcc

        • memory/2060-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

          Filesize

          4KB

        • memory/2060-1-0x00000000002D0000-0x00000000002FE000-memory.dmp

          Filesize

          184KB

        • memory/2060-26-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

          Filesize

          4KB

        • memory/2060-28-0x000000001ABB0000-0x000000001AC30000-memory.dmp

          Filesize

          512KB

        • memory/2060-29-0x000000001ABB0000-0x000000001AC30000-memory.dmp

          Filesize

          512KB

        • memory/2144-6-0x0000000002500000-0x0000000002580000-memory.dmp

          Filesize

          512KB

        • memory/2144-7-0x000000001B210000-0x000000001B4F2000-memory.dmp

          Filesize

          2.9MB

        • memory/2144-8-0x0000000002220000-0x0000000002228000-memory.dmp

          Filesize

          32KB

        • memory/2892-14-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

          Filesize

          2.9MB

        • memory/2892-15-0x00000000022A0000-0x00000000022A8000-memory.dmp

          Filesize

          32KB