Overview

overview

10

Static

static

1

LIST.ITEMS.exe

windows7-x64

10

LIST.ITEMS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LIST.ITEMS.exe

  • Size

    556KB

  • MD5

    d7c03169dbdd363163dbfc5119738c61

  • SHA1

    e51f6fe9f9422c054d7b33e949981239ef3355eb

  • SHA256

    c304f5610e7059e7eb2100f0de1e6c1bbeeaa75d746f75e3561eee5b7fb0ac92

  • SHA512

    bbf5eba23c466a478ec381c127a70fc8e1ca7e0b744cf89606341df918b2d40c5c71f29a1f19532c5a83f886e75393e3744d9ae4f4b9862af22d08e596978dec

  • SSDEEP

    12288:qI/rXQ9TZwetjcQaBJLJ/yd4bIhX3KVaV910N4VtndapxbzVykR:/atjdSJ/HIhHKa9GNitApVzr

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

savelat19847.duckdns.org:7000

Mutex

sL1COlJF2Dst73el

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe
    "C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RaKnUqrXb.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RaKnUqrXb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp535E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe
      "C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe"
      2⤵
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe
        "C:\Users\Admin\AppData\Local\Temp\LIST.ITEMS.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp535E.tmp
      Filesize

      1KB

      MD5

      addce78a345f8fcce8d809230b28fd81

      SHA1

      df564b84e2749a9f1ea80cbb1f360bd38489ae07

      SHA256

      b51e91be2c571bd021696a31611f747cd024caadb8882d5e88f0996e2dde250a

      SHA512

      0c7f28132ecbb85fdd99b356deafb9e92ee1202e0f4a9dc775a4bfcfa89fedb02072a8d1e6edf65082cec642c8acb0efb6baf90ae412c61e246e97a176c875b5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HL3QOTUTU3I8ST4QSNFL.temp
      Filesize

      7KB

      MD5

      0988efca4133f5a0d150b84c49980e32

      SHA1

      cffa10f36e0e8b758b7e926d1bb8fa758ab6f159

      SHA256

      3efd14e1210725e37e6ba3fa1f29acaf6c24071e360ca08a3ff583e4ce00baf1

      SHA512

      173e5d64ea70ac13207eed1e28974b69fc00fd69ce5b875c0091fefe79bbbc137c2a234c145c4e225fc5494eaa15f34a81847da929ace88bf0d911a546e3ea0c

      Download Submit

    • memory/2332-29-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2332-30-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2332-19-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2332-21-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2332-23-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2332-25-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2332-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-28-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2480-6-0x0000000000200000-0x0000000000250000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2480-31-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2480-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2480-1-0x0000000000E90000-0x0000000000F1E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2480-2-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2480-3-0x0000000000580000-0x000000000059C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2480-5-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2480-4-0x00000000740FE000-0x00000000740FF000-memory.dmp

      Filesize

      4KB

      Download