Overview

overview

10

Static

static

1

SS Bottmac...d..exe

windows7-x64

10

SS Bottmac...d..exe

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2024, 03:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SS Bottmac Engineers Pvt. Ltd..exe

  • Size

    562KB

  • MD5

    ff9e45d7326698f34526793bf1244811

  • SHA1

    b3ff69abfe1c5e6633a866ffbebe2139a69e3f0a

  • SHA256

    4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca

  • SHA512

    ed2e02262beb00f77c5d17854c7b6544cdb4edce37e870505e21c0cd08999cb99904a667e5ed31cde3a3437c4e9713e6bfc63f091b30a9cec25a046ad0120657

  • SSDEEP

    12288:FDxrXQ9TZweejcQ1FXQEcupRk6CvPlZ0wJOszYkR:ZQejd1BpcupC6Cb0qL

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

kanrplest.duckdns.org:4068

Mutex

TdUxMCK2FUdy51AH

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe
    "C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RTUZKYTc.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1136
    • C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe
      "C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe"
      2⤵
        PID:2752
      • C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe
        "C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe"
        2⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SS Bottmac Engineers Pvt. Ltd..exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2548
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2280
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp
      Filesize

      1KB

      MD5

      82ed3fe69e999b5b06ccb9d1cbeaa2f0

      SHA1

      e801e68644e1d693f37eebcfe97e4a2ad3c0bc2a

      SHA256

      e5321a00d3897a3dedb6febfd15335ff617f05603703ebfaa898835b8c2c0d8b

      SHA512

      8ebaf0262aef56ef24d0c67d2823de6727ccf1b6e869ee0e06715e89b40ccf168cd669ac408d8542460a87a721d7311d78aa70e42193c9f5ec79396bd0ad6f2c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4F9KWPU78F02O30FVQD0.temp
      Filesize

      7KB

      MD5

      c800c68904c233816f53a21b019a7c68

      SHA1

      5ae06eb9c3c58456627896292da0ea4cad1be850

      SHA256

      2d05570398d52071678895e7b83dc3b12ac92f63289748c0f7ce87fa62ad4e01

      SHA512

      a2f9551e2f8b6cc3c325fb1d5bfaaaf7d907b50abb2cbe80b6ce3c17019131904bbd790d01c8742f82e61cfe30c8d55ff2432dfc8d00880993a1e7050e112317

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
      Filesize

      562KB

      MD5

      ff9e45d7326698f34526793bf1244811

      SHA1

      b3ff69abfe1c5e6633a866ffbebe2139a69e3f0a

      SHA256

      4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca

      SHA512

      ed2e02262beb00f77c5d17854c7b6544cdb4edce37e870505e21c0cd08999cb99904a667e5ed31cde3a3437c4e9713e6bfc63f091b30a9cec25a046ad0120657

      Download Submit

    • memory/1820-1-0x0000000000A90000-0x0000000000B20000-memory.dmp

      Filesize

      576KB

      Download

    • memory/1820-2-0x00000000746E0000-0x0000000074DCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1820-3-0x00000000006E0000-0x00000000006FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1820-4-0x00000000746EE000-0x00000000746EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1820-5-0x00000000746E0000-0x0000000074DCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1820-6-0x00000000003A0000-0x00000000003F2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1820-31-0x00000000746E0000-0x0000000074DCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1820-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2704-30-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2704-25-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-21-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-19-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-23-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-28-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-29-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download