Overview

overview

10

Static

static

10

10f23d2bb9...4N.exe

windows7-x64

10

10f23d2bb9...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4N.exe

  • Size

    86KB

  • MD5

    12095dbb7ef06f84fbb21054f0c33600

  • SHA1

    6f54c3f2f38e5fb7252c2a9d641c40fc1300bc22

  • SHA256

    10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4

  • SHA512

    3c30f99df8a5da7a9a1c8ec0197a9b5fcdff6417c009e4cabdab60c65c6c19ae0076c291271c58a66090037f0b7d99ab2eec9ea254140578b93186b1dcf2751a

  • SSDEEP

    1536:1ubUIWL10oXnnnop+PBQwtGyybCnpeeL0t2Xz7M66T8NVO3755Ld3T:1u4vnopAAjbCpeeYtKfETmVOLZT

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

great-amanda.gl.at.ply.gg:43926

oil-graphics.gl.at.ply.gg:43926

23.ip.gl.ply.gg:43926

oevn.zapto.org:43926

96.230.131.253:43926
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4N.exe
    "C:\Users\Admin\AppData\Local\Temp\10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system32'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system32" /tr "C:\Users\Admin\system32"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2356
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {528C5B8C-F763-4411-9302-2F48DC378869} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\system32
      C:\Users\Admin\system32
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
    • C:\Users\Admin\system32
      C:\Users\Admin\system32
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    2a69650b3a795b15c3ca95145872d124

    SHA1

    47ac1f942e5fe13b6fa3b0a6eda51ef406f0d7b6

    SHA256

    f5f1aa1bb4480a53ded7a506536880a6a98e83f8ebb7947a4aae2c4b35a34c05

    SHA512

    642f4926ba0e2cbc7f6bf66eb8d6920f3a1ee703c9ac7a921d0057b61effb2e1867078360c0967b9699833cde18982d70f7d8d02b71387b5e031bb8ae5a85591

    Download Submit

  • C:\Users\Admin\system32
    Filesize

    86KB

    MD5

    12095dbb7ef06f84fbb21054f0c33600

    SHA1

    6f54c3f2f38e5fb7252c2a9d641c40fc1300bc22

    SHA256

    10f23d2bb9865c9a32b94dcd6057f8d866a60e5e39a3fb6fa77ede90005e87c4

    SHA512

    3c30f99df8a5da7a9a1c8ec0197a9b5fcdff6417c009e4cabdab60c65c6c19ae0076c291271c58a66090037f0b7d99ab2eec9ea254140578b93186b1dcf2751a

    Download Submit

  • memory/1700-9-0x0000000002D80000-0x0000000002E00000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1700-10-0x000000001B810000-0x000000001BAF2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1700-11-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1764-37-0x00000000001A0000-0x00000000001BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2576-40-0x0000000001370000-0x000000000138C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2620-17-0x000000001B520000-0x000000001B802000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2620-18-0x00000000023A0000-0x00000000023A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3040-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3040-4-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3040-3-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3040-2-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3040-1-0x0000000000920000-0x000000000093C000-memory.dmp

    Filesize

    112KB

    Download