Analysis

  • max time kernel
    121s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-11-2024 21:36

General

  • Target

    ItachiSuperSpoofer.exe

  • Size

    46KB

  • MD5

    bbcc30d76b31b102204c01d112f98b15

  • SHA1

    a05e5f69ab886c58e695e5f545b34193fce169a7

  • SHA256

    e3bd1735607a84ce63f2678c0e3b5397f665a2826c5603b53345072a91c5d815

  • SHA512

    502237bc308be48adb6ddfef3edd7db045aaa6dd9712fd026a5e51fbe3011faaa50ca8fb8f11f4a4ad67e4398da84acd5281768e9856d6cede8a420d1e2327b9

  • SSDEEP

    768:tc4O3Um5dr30Cn2W/AD1JeM7XzYc/cEzwsf9K0g6tJhZW9s:t6km5dX2WYDrvxz5XgCRb

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ensure-manual.gl.at.ply.gg:41199

Mutex

v67WFYQWDnW3aeSs

Attributes
  • Install_directory

    %AppData%

  • install_file

    dllhost.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ItachiSuperSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ItachiSuperSpoofer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\spoofer.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\system32\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:2312
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2628
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2616
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2684
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2632
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2592
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2492
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2848
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2764
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2480
      • C:\Windows\system32\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2500
      • C:\Windows\system32\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\dllhost.exe

    Filesize

    34KB

    MD5

    87a8223a150351f1b411f8e0e0331bbe

    SHA1

    abf6850f06287b52e4520b7934d2e75f63078073

    SHA256

    aac24eb0a68cb3c89fd981c43893cee5223af8070bef57bf0d5f51440986b34c

    SHA512

    f82e6120338e826b1f3365c36de207f0bee2fcdbc8022b713ab76b2a86e93ebf987578d02b9079e8fc032e6601baf618eece1091088fddc3acd85f35e56931b7

  • C:\Users\Admin\AppData\Roaming\spoofer.bat

    Filesize

    1KB

    MD5

    e9b0e93ae7c7ffeb49a9704a4c1d6bc9

    SHA1

    55a855e9350ba9d9a5cb4716791b75ff3d6d92b5

    SHA256

    ade1d00da9e13c81e5246b27e5d26e408e28711029198723390dafd223531267

    SHA512

    a2a57fac6762ec36482c1c8aa19c38308b61ccdbab209e17d0bb4b1dc22406f9cce0bc180f7b22f38b4b8841d56bd86c933efbdbfab20ded18dfb2439a14df0b

  • memory/2116-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

    Filesize

    4KB

  • memory/2116-1-0x0000000000120000-0x0000000000132000-memory.dmp

    Filesize

    72KB

  • memory/2776-15-0x0000000000C40000-0x0000000000C4E000-memory.dmp

    Filesize

    56KB

  • memory/2776-17-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2776-19-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2776-20-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2776-21-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

    Filesize

    9.9MB