Overview

overview

10

Static

static

3

CodeStealerKing.exe

windows7-x64

10

CodeStealerKing.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CodeStealerKing.exe

  • Size

    362KB

  • MD5

    fca35ebbd101177aeeb22771f19ce660

  • SHA1

    e4458983b396d9f009216ccbd8214311204c2d42

  • SHA256

    ff984e86a415db21ebef7396d3b0d46884300a3b69d3ae4626a3b7dff7ebdbf7

  • SHA512

    36ab1b2e2153dda5e8bf40aeb96f6ae31721f78a29161222d38975f355f003f1ec493e2adfcd2d06be876408a65ff55ba82ed8fc6c3584fe9329d968630a5b92

  • SSDEEP

    6144:0yr8TSA5BssGOE33CFi5f/+3I3x4Hdtj+i3cqA5rGI5/4OTy6zccBamnLoqPdRiy:0RT15B1GOa3C4ZAQ6HdtHpAQI5/4XUBL

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.21:27938

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6575053517:AAHfQSqLTvzOajvn1QldlaGUVj-u9hK2upc/sendMessage?chat_id=7492036336

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CodeStealerKing.exe
    "C:\Users\Admin\AppData\Local\Temp\CodeStealerKing.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\imgui_draw.cpp
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\imgui_draw.cpp
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2672
    • C:\Users\Admin\svchost.exe
      "C:\Users\Admin\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\imgui_draw.cpp
    Filesize

    259KB

    MD5

    71797b687809a5be7defd3b47013e986

    SHA1

    0026e342a3f7d7d77f61d37b4dd3fb7de6dd49e5

    SHA256

    4263245e645bebedefc89461b359d61117fa7a7b4c7c5de6dfdc090195884bcb

    SHA512

    0d8ebbdd37d884bc308748411d920980ffa955670fd106e951166939d81eb2074b1a5ebc858af98526bee5d10a54e1abae4dbf7f93717c7bdd09679c9d882454

    Download Submit

  • C:\Users\Admin\svchost.exe
    Filesize

    77KB

    MD5

    7a663541653efa34e7e2aabf0acf6ada

    SHA1

    ae14101f62220e6435ed3d80e03dbb4e5f29b344

    SHA256

    829016d508f4064cc618eef8c9250ad000b15355ce563f172e6e54f776c74f9c

    SHA512

    7267f6b0c41dff35a761171a30ebdfde83e81a29f4511fe808cb28b0d7d0a2a2b101fac57aefe74b9c8475ae37c87471b8dcedf1e9458da5dd8d839270a20508

    Download Submit

  • memory/2288-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2288-1-0x0000000000AE0000-0x0000000000B40000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2356-8-0x0000000000B00000-0x0000000000B1A000-memory.dmp

    Filesize

    104KB

    Download