Resubmissions

31/10/2024, 05:43

241031-geqama1hmm 10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 05:43

General

  • Target

    scvhost (4).rar

  • Size

    19KB

  • MD5

    f49a4ffb43d6fb43880d56f0bf73838d

  • SHA1

    6e22e3a2aebe0c7aa23669c57109f66e5407282f

  • SHA256

    97434fda8fa6df00ada39c7c94f43e486509658567f875ae585f75f6e6a9f315

  • SHA512

    a24781c0c3ea8522e6b261d72301e27506f8dae10a9b08d4302f07b7d6e85b7a9dfaddebafaebc26cb2770348c74c619bc9b3df28f449e22034a87aa99092b1d

  • SSDEEP

    384:xIUTVfpWcml5lTxWQ+gO94wH+NPqEO2LoFffzuhLqse228vP1+tUp:y6n05lTxWQ+9NYqZWAfihLqsX281+tE

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

38.156.214.168:4567

192.168.1.220:4567

Mutex

buHNqt1P1TbTpE0p

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\scvhost (4).rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\7zO8B8E2B27\scvhost.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8B8E2B27\scvhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2676

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zO8B8E2B27\scvhost.exe

          Filesize

          41KB

          MD5

          42bfab585488af752295a07316ff9bab

          SHA1

          e967ee4fbbfe5216ed83d87c020e3e99b4e64dca

          SHA256

          5f75590c3453c7992f39be1ab37031397ad660a5ebe8ba399b3fb30a29f816c8

          SHA512

          0e44ad4d9a563a854fa2c6544a555b375b9604e4ba092987aa6f108fbc4ac57619fba99fdead3196c525ba12124907c6c151e01560e2ec159a57004ef5930623

        • memory/2676-11-0x0000000001050000-0x0000000001060000-memory.dmp

          Filesize

          64KB