Overview

overview

10

Static

static

3

file.exe

windows7-x64

8

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    16KB

  • MD5

    54ec587044fdff4bfd0029946041a109

  • SHA1

    242cc5fdd5c75a02776f1f5e526cc42cf138b313

  • SHA256

    e666b2644c35f564041ad18c5125f1677255f05421ad18785aed42bfb3ac5adf

  • SHA512

    6e2c9f3b3850c021b0db78af02f37e6fe1b32bd046ba5767b0499f2c4af11586e167c80235258b5536bcfece567a18f2e2eca6a107e60d5efb62a65175049046

  • SSDEEP

    384:vQ/pw4zDzEe2PGVMN0kc/aw9BsjGpATcQC:vj4EebD+a26

Score
10/10
stormkittyxwormdiscoveryratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895
Mutex

ZRGtN7NDh24Vx89x

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 6 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Users\Admin\AppData\Local\Temp\tmpA45E.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpA45E.tmp.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5044
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:4968
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1404
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /renew
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:5116
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3852
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:2004
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /renew
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:3340
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Users\Admin\AppData\Local\Temp\cohmwy.exe
          "C:\Users\Admin\AppData\Local\Temp\cohmwy.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Users\Admin\AppData\Local\Temp\tmp13AD.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp13AD.tmp.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3224
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /release
                6⤵
                • System Location Discovery: System Language Discovery
                • Gathers network information
                PID:704
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c ipconfig /renew
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5628
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /renew
                6⤵
                • System Location Discovery: System Language Discovery
                • Gathers network information
                PID:1500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 2776
          3⤵
          • Program crash
          PID:5444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:5276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400
      1⤵
        PID:2724

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\cohmwy.exe
        Filesize

        16KB

        MD5

        54ec587044fdff4bfd0029946041a109

        SHA1

        242cc5fdd5c75a02776f1f5e526cc42cf138b313

        SHA256

        e666b2644c35f564041ad18c5125f1677255f05421ad18785aed42bfb3ac5adf

        SHA512

        6e2c9f3b3850c021b0db78af02f37e6fe1b32bd046ba5767b0499f2c4af11586e167c80235258b5536bcfece567a18f2e2eca6a107e60d5efb62a65175049046

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpA45E.tmp.exe
        Filesize

        1.4MB

        MD5

        3d3459b0630ce9dc45b177b697ca23a0

        SHA1

        0245c62e5155dd121bd3b31af02e5bf62bb01e71

        SHA256

        40d07a9b787d52381da6ce75c088f62eb009baffd98858660670715976ad7cc5

        SHA512

        2016ada15909d95c7518cf8f803f1ecd05c8f1d1325be1e8c2ac3c7e5b24e9da58dccef9ac7e978e660bbe4f93096d2e483f84ac8b088d72e119b76f2f4d56b9

        Download Submit

      • memory/1400-3314-0x0000000007AE0000-0x0000000007B2C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1400-3313-0x0000000007730000-0x0000000007A84000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1400-3312-0x00000000075D0000-0x00000000076EE000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1400-3308-0x0000000006F00000-0x0000000007250000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1400-2209-0x0000000000720000-0x0000000000730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1400-2210-0x0000000004C60000-0x0000000004CFC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1776-2204-0x0000000005150000-0x00000000051AA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1776-1129-0x0000000004ED0000-0x0000000004FB8000-memory.dmp

        Filesize

        928KB

        Download

      • memory/1776-1128-0x0000000000400000-0x0000000000512000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2180-61-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-1097-0x0000000004F40000-0x0000000004FF4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2180-43-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-41-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-37-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-35-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-33-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-31-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-29-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-27-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-25-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-23-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-55-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-65-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-79-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-85-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-83-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-81-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-77-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-75-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-73-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-71-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-69-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-67-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-63-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-49-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-59-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-57-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-53-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-51-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-1096-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-47-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-1098-0x0000000004B50000-0x0000000004B9C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2180-1099-0x0000000005190000-0x00000000051F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2180-1103-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1104-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1105-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1106-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1107-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1108-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1109-0x0000000005C70000-0x0000000005CC4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2180-1110-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-15-0x0000000000010000-0x000000000017C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2180-18-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-19-0x0000000004BD0000-0x0000000004D10000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-16-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-1118-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2180-21-0x0000000004D10000-0x0000000004DA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2180-20-0x00000000052C0000-0x0000000005864000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2180-22-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-45-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2180-39-0x0000000004BD0000-0x0000000004D0B000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4244-1123-0x00000000074D0000-0x00000000075C4000-memory.dmp

        Filesize

        976KB

        Download

      • memory/4244-1122-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4244-1121-0x0000000006B20000-0x0000000006C0E000-memory.dmp

        Filesize

        952KB

        Download

      • memory/4244-1117-0x00000000059E0000-0x0000000005FF8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4244-1116-0x00000000051C0000-0x000000000527C000-memory.dmp

        Filesize

        752KB

        Download

      • memory/4244-1115-0x0000000002B30000-0x0000000002B38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4244-1114-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/4508-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4508-1-0x00000000007A0000-0x00000000007AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4508-2-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4508-17-0x0000000074C50000-0x0000000075400000-memory.dmp

        Filesize

        7.7MB

        Download