Overview

overview

10

Static

static

3

ItachiSupe...er.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    158s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    02-11-2024 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ItachiSuperSpoofer.exe

  • Size

    46KB

  • MD5

    bbcc30d76b31b102204c01d112f98b15

  • SHA1

    a05e5f69ab886c58e695e5f545b34193fce169a7

  • SHA256

    e3bd1735607a84ce63f2678c0e3b5397f665a2826c5603b53345072a91c5d815

  • SHA512

    502237bc308be48adb6ddfef3edd7db045aaa6dd9712fd026a5e51fbe3011faaa50ca8fb8f11f4a4ad67e4398da84acd5281768e9856d6cede8a420d1e2327b9

  • SSDEEP

    768:tc4O3Um5dr30Cn2W/AD1JeM7XzYc/cEzwsf9K0g6tJhZW9s:t6km5dX2WYDrvxz5XgCRb

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ensure-manual.gl.at.ply.gg:41199

Mutex

v67WFYQWDnW3aeSs

Attributes
  • Install_directory

    %AppData%

  • install_file

    dllhost.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 12 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ItachiSuperSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ItachiSuperSpoofer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\spoofer.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\system32\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:3788
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:4092
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:3376
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2260
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2336
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2900
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1708
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:3596
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1836
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1816
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1612
      • C:\Windows\system32\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    34KB

    MD5

    87a8223a150351f1b411f8e0e0331bbe

    SHA1

    abf6850f06287b52e4520b7934d2e75f63078073

    SHA256

    aac24eb0a68cb3c89fd981c43893cee5223af8070bef57bf0d5f51440986b34c

    SHA512

    f82e6120338e826b1f3365c36de207f0bee2fcdbc8022b713ab76b2a86e93ebf987578d02b9079e8fc032e6601baf618eece1091088fddc3acd85f35e56931b7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\spoofer.bat
    Filesize

    1KB

    MD5

    e9b0e93ae7c7ffeb49a9704a4c1d6bc9

    SHA1

    55a855e9350ba9d9a5cb4716791b75ff3d6d92b5

    SHA256

    ade1d00da9e13c81e5246b27e5d26e408e28711029198723390dafd223531267

    SHA512

    a2a57fac6762ec36482c1c8aa19c38308b61ccdbab209e17d0bb4b1dc22406f9cce0bc180f7b22f38b4b8841d56bd86c933efbdbfab20ded18dfb2439a14df0b

    Download Submit

  • memory/1156-0-0x00007FFC03DE3000-0x00007FFC03DE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1156-1-0x0000000000150000-0x0000000000162000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2476-23-0x0000000000370000-0x000000000037E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2476-24-0x00007FFC03DE0000-0x00007FFC048A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2476-27-0x00007FFC03DE0000-0x00007FFC048A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2476-28-0x00007FFC03DE0000-0x00007FFC048A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2476-29-0x00007FFC03DE0000-0x00007FFC048A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2476-30-0x000000001AED0000-0x000000001AEDC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2476-31-0x000000001B050000-0x000000001B05A000-memory.dmp

    Filesize

    40KB

    Download