Overview

overview

10

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.4MB

  • MD5

    3d3459b0630ce9dc45b177b697ca23a0

  • SHA1

    0245c62e5155dd121bd3b31af02e5bf62bb01e71

  • SHA256

    40d07a9b787d52381da6ce75c088f62eb009baffd98858660670715976ad7cc5

  • SHA512

    2016ada15909d95c7518cf8f803f1ecd05c8f1d1325be1e8c2ac3c7e5b24e9da58dccef9ac7e978e660bbe4f93096d2e483f84ac8b088d72e119b76f2f4d56b9

  • SSDEEP

    24576:2/vN2wSUb01BxVVZCfQ7jnOqBpoZk7g8Ll4LMhrsyPBUj8Zpn9BxjZVpTyGZI2:2/l28QjxVCfszOqB6ZB2P1TVTRyGB

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895
Mutex

ZRGtN7NDh24Vx89x

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Gathers network information 2 TTPs 5 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Checks computer location settings
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig /release
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:2184
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig /renew
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /renew
            4⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:2588
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2400
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:1328
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /renew
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:4808
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\xnhufh.exe
          "C:\Users\Admin\AppData\Local\Temp\xnhufh.exe"
          3⤵
          • Executes dropped EXE
          PID:4036
        • C:\Users\Admin\AppData\Local\Temp\cdvayh.exe
          "C:\Users\Admin\AppData\Local\Temp\cdvayh.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5172
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:5228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD363.tmp.bat""
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cdvayh.exe
      Filesize

      1.0MB

      MD5

      d5a658bf1ba47c2197602adaf3ccf35e

      SHA1

      5a5d81ac2da7dd8e7963a9a6ae50ca211cccc6e2

      SHA256

      ce4ebe3b66b980a093838aa814fbf48aef7e1e4a2fe6b88a09608f3d628a88e6

      SHA512

      eb2772e21f2392aede06e17b9411c16f2bfb4e13d5c50b0bdeec72d5b644897831238679c1f11eb4add58d00c5112613d886eeaa3df7fb0d97949c080b8bd7e5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD363.tmp.bat
      Filesize

      175B

      MD5

      d7d92dbe9e1bb75dcbbed4ff47ad32fd

      SHA1

      da92431d25d48b3a894a26311a68a0c96631d3df

      SHA256

      6c1d9b68366f483da9cc7f7552c34f02be29dcc914f7105b88a5151647072208

      SHA512

      83fb4fee46ac8716d5ea50e2cce151a2a0261bef06c24fbe3a0fb0b5a85ed934cd037b737673e14f582d5bf3de0287be3347625b62ee3dc34bd87bc1b5f94b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xnhufh.exe
      Filesize

      5.3MB

      MD5

      73a56908097ee57dd4217877aeae4641

      SHA1

      a41cc3570f40f9688b2ac9f5e7326150a3a350a6

      SHA256

      fde56e00761a85ad495bd2d05654f3657922f665f58edfabcf43d2fa769f0d79

      SHA512

      930ba7d57f250b5c9e020c0265db9376d0675bfcafb7c5c5e292add319ec2942a9f2b5286f997e406e7f1effb8e1029649a5141cd7ad032f4b75a77e51259c67

      Download Submit

    • memory/1476-1109-0x0000000007090000-0x000000000709A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1476-1111-0x0000000008170000-0x0000000008264000-memory.dmp

      Filesize

      976KB

      Download

    • memory/1476-1110-0x0000000007620000-0x000000000770A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/1476-1097-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/1476-1108-0x0000000006C20000-0x0000000006D0E000-memory.dmp

      Filesize

      952KB

      Download

    • memory/1476-1107-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1476-1106-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1476-1102-0x0000000005990000-0x0000000005FA8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1476-1100-0x0000000005170000-0x000000000522C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1476-1098-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1476-1101-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1476-1099-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1832-50-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-1083-0x0000000005680000-0x00000000056E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1832-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1832-47-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-43-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-41-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-39-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-35-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-33-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-31-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-29-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-27-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-25-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-23-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-21-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-19-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-13-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-9-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-57-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-45-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-37-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-17-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-7-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-6-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-1080-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-1081-0x0000000005360000-0x0000000005414000-memory.dmp

      Filesize

      720KB

      Download

    • memory/1832-1082-0x0000000005450000-0x000000000549C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1832-51-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-1087-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-1088-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-1089-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-1090-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1832-1091-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-1092-0x0000000006470000-0x00000000064C4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1832-1094-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-53-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-59-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-61-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-63-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-65-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-67-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-1103-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1832-69-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-55-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-15-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-11-0x0000000005040000-0x000000000517B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-5-0x0000000005260000-0x00000000052F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1832-4-0x0000000005730000-0x0000000005CD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1832-1-0x00000000004F0000-0x000000000065C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1832-3-0x0000000005040000-0x0000000005180000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1832-2-0x0000000074AD0000-0x0000000075280000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2116-2197-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2116-2198-0x0000000004FD0000-0x000000000506C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4436-2192-0x0000000005A50000-0x0000000005AAA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4436-1117-0x0000000005720000-0x0000000005808000-memory.dmp

      Filesize

      928KB

      Download

    • memory/4436-1116-0x0000000000400000-0x0000000000512000-memory.dmp

      Filesize

      1.1MB

      Download