Overview

overview

10

Static

static

3

notepad.exe

windows7-x64

10

notepad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2024, 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    notepad.exe

  • Size

    932KB

  • MD5

    c65cb44056323b27e0c14ebb39cc87ad

  • SHA1

    ece1dd8a3e1453b1eb8d8070570668a3898fb1fc

  • SHA256

    d1e5084a7735bd884c80508d2e48e8beb41c4a373eaefd40254219ed5b0f053d

  • SHA512

    72b167a09633965cf69e17e37856e57edd7d2fd2e4ba503ffbeb222b2f1f0a3d5462c13a00978c6e250d332a46db9988246b327d5857a0aafe896738f34ed5eb

  • SSDEEP

    12288:ChZ0hxc+gxrjYE25gxp+OSPAO3rFwT/2Fxb5eON5GpX:Cv0hxchxrjYx5a+OS9CL2Fxb5GJ

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

83.38.28.117:1603

83.38.24.1:1603
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    SecurityHealthSystray.exe

Signatures

  • Detect Xworm Payload 12 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Users\Admin\RuntimeBroker.exe
      "C:\Users\Admin\RuntimeBroker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Users\Admin\SecurityHealthSystray.exe
      "C:\Users\Admin\SecurityHealthSystray.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:448
    • C:\Users\Admin\OneDrive.exe
      "C:\Users\Admin\OneDrive.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Users\Admin\WmiPrvSE.exe
      "C:\Users\Admin\WmiPrvSE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Users\Admin\svchost.exe
      "C:\Users\Admin\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:640
    • C:\Users\Admin\SearchFilterHost.exe
      "C:\Users\Admin\SearchFilterHost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\OneDrive.exe
    Filesize

    170KB

    MD5

    247956f3e2357939ad85a91ade6871bc

    SHA1

    d823a32115625d68a6a2bddf78197492a3656da9

    SHA256

    8b80416b1c2c1fd35981d2ca261578874a599236447f85f91af1e19d50e2d5fc

    SHA512

    b68bee7c8ae6b17621dd910b9b5753e06e98a136c58e15add84b74a2ebf1a673a85676119a5cfbbbab82b3302bce717a059cb893b219c0565130f304f1ec1ff3

    Download Submit

  • C:\Users\Admin\RuntimeBroker.exe
    Filesize

    59KB

    MD5

    a2add11711c5fc82860b42735b4996f3

    SHA1

    986e5d99b1f8f9127e262f7a24513674e5be9868

    SHA256

    aab3501f022a254e9599189aefadbf636aeda273ee0a0ffc6218ef4955157f41

    SHA512

    a00305ccd91e673957471e2b2328b8f41339a46c37ed450d06cd1290096efdcd8a0098b68f5b3b59f84a2be2a5f8ce69f057364bff354ca7f9defeb701cc084a

    Download Submit

  • C:\Users\Admin\SearchFilterHost.exe
    Filesize

    155KB

    MD5

    c493bed5ff7fffa1c7a378235595654f

    SHA1

    008dd17c8201eb83106d95ad135ae711880e6f49

    SHA256

    ebc2b439ce3464a3d6961ad4c8e17245336bb18a7b818ec80c8da9d1513986a2

    SHA512

    ed8e0956ef559c644e4e1f6a519bbaca82c1cb1ea315fce1e17810037b5cb33b854cb7404630f3c598988618e9bea82c7c272826f2a6f6588ba0f8394c4366c5

    Download Submit

  • C:\Users\Admin\SecurityHealthSystray.exe
    Filesize

    254KB

    MD5

    3c4ee8268896f403918024e7be84c5bc

    SHA1

    1b328cf35cd4ae1aa89ef3a70fd4277b6cb8431e

    SHA256

    9c075f295379a6c9f6f567d8f2cdd6f67e5cc272aba900a2533e0f7a8fdd2828

    SHA512

    1b824a62019b910f3c4c3b6f1279a682fc2619c3bfde73a55d270043348ec131f96dcec492eea9c269e54c54bf59f44c27807cc4d8ff55e6d829557d3eee2a7d

    Download Submit

  • C:\Users\Admin\WmiPrvSE.exe
    Filesize

    121KB

    MD5

    c9c36b58fd4b41a0ca4b27fea908d611

    SHA1

    27a286d189a9a64ba0d431e24e3ca38acc0edde7

    SHA256

    4d6a7e99efa2949f2c6e37f5846e40cb6a9b3937f8624654697a93e67cd09ddb

    SHA512

    5967d8b28d677356a102bbcf0858e1b5dab5160194a5ecd0b3476c4ad4bfadbe1a8678465007ec7f8b0b41b7ea4811151880646bf255459b4dd9ef26536ce13f

    Download Submit

  • C:\Users\Admin\svchost.exe
    Filesize

    55KB

    MD5

    d468a3c6966f939a8775fe46c8048583

    SHA1

    aa9ef0f1201388380a051e9c454612b146f918f5

    SHA256

    298f2f96d524f2db8b151909a1fb4f8e480bf76f66cd5a5a26c9483b4987a1a3

    SHA512

    3060f53757c271f0c38128ba72255ce679af8d47c8743aa71a8de2e0b31d7d6afbd34febdf54a77925dadd65bc433e7cfe1064f98f0e41ef21c6931dff0af5c7

    Download Submit

  • memory/348-1-0x0000000000980000-0x0000000000A6E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/348-0-0x00007FFA08123000-0x00007FFA08125000-memory.dmp

    Filesize

    8KB

    Download

  • memory/448-186-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/448-90-0x00000000001C0000-0x0000000000206000-memory.dmp

    Filesize

    280KB

    Download

  • memory/448-185-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/448-181-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/640-177-0x0000000000D00000-0x0000000000D14000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1456-147-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1456-91-0x0000000000090000-0x00000000000A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1456-187-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-182-0x0000000000070000-0x00000000000A0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3008-183-0x0000000000290000-0x00000000002B4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3608-184-0x0000000000AA0000-0x0000000000ACC000-memory.dmp

    Filesize

    176KB

    Download