Overview

overview

10

Static

static

10

fa5a74ef13...30.exe

windows7-x64

10

fa5a74ef13...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2024 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730.exe

  • Size

    158KB

  • MD5

    1ade097499dd5fb334ffe69d06d00b31

  • SHA1

    ab5e0d3a2e0a71b2afe9a04bd24835a8f5874079

  • SHA256

    fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730

  • SHA512

    b35aec83bbf5e0501a706df42db4db1b077acf88e37a4d6c65b52c83f24db0e0eb33fad9f22f0a847a14f6540419d85e24062f9c65a2a6d96db5ab20d315598e

  • SSDEEP

    3072:6vpWpop9+bNFwwO52HJe5BV0bUniyimyx:IVpkbEaJe5v0bURy

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

topics-junior.at.ply.gg:45283

Attributes
  • Install_directory

    %AppData%

  • install_file

    msedge.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730.exe
    "C:\Users\Admin\AppData\Local\Temp\fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2604
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {68BE668F-127A-4FF0-AB73-E8021FEF1EB5} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Roaming\msedge.exe
      C:\Users\Admin\AppData\Roaming\msedge.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Users\Admin\AppData\Roaming\msedge.exe
      C:\Users\Admin\AppData\Roaming\msedge.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    4ef6db9b4dd51e117344a4fbf2c161c3

    SHA1

    73e6c4b8e9d1d70a314d4ed8e73dc55c437c6d70

    SHA256

    fa99f13f4a8ce8a5267088f1f08a742db1a6a310b94ed55bb1276611e6589eba

    SHA512

    309c6f895b489578bf2d148176922a9fbbff05a9e242cfd8ac0f42afe6efb564fa9084b78d7dbb77660d813fd5fb45af2b18c0fe514ea9267e51d46c288dcd52

    Download Submit

  • C:\Users\Admin\AppData\Roaming\msedge.exe
    Filesize

    158KB

    MD5

    1ade097499dd5fb334ffe69d06d00b31

    SHA1

    ab5e0d3a2e0a71b2afe9a04bd24835a8f5874079

    SHA256

    fa5a74ef1355ddd1d5984b84d52d7aa0727e11e40a89ca3a2bbf4594eea57730

    SHA512

    b35aec83bbf5e0501a706df42db4db1b077acf88e37a4d6c65b52c83f24db0e0eb33fad9f22f0a847a14f6540419d85e24062f9c65a2a6d96db5ab20d315598e

    Download Submit

  • memory/1776-32-0x000000001B3D0000-0x000000001B450000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1776-1-0x0000000000C90000-0x0000000000CBC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1776-34-0x000000001B3D0000-0x000000001B450000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1776-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1776-33-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1948-38-0x0000000000C20000-0x0000000000C4C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2428-14-0x000000001B510000-0x000000001B7F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2428-15-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2928-41-0x00000000010E0000-0x000000000110C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3000-8-0x0000000002970000-0x0000000002978000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3000-7-0x000000001B4B0000-0x000000001B792000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3000-6-0x0000000002C50000-0x0000000002CD0000-memory.dmp

    Filesize

    512KB

    Download