Overview

overview

10

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.4MB

  • MD5

    7d7e24137d26338d8729761d740b0c04

  • SHA1

    a50cf1255b04fec0a34ab695993bff21a4a05ddf

  • SHA256

    f215e0525ac3365a7d33a949db3a7efa90811992e665e243f385fc00dc653c16

  • SHA512

    72c84b53d4a5f488fab1b43ab3e5f4cbd3414d44946d94b3bccff3d29f3083ddcf3ae900efebf2b01585e4836ed0d0085aa1a8dc8650fee18168f3c2bff4b591

  • SSDEEP

    24576:vjfZlBBYhEotw3Byz8uTZN8ekilz8CiglbMhupYq3MtXtU4YIuPc8HW6Lp:v7ZTauotw3Bg5TjR8sWuP8t9U2icAW

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895
Mutex

ZRGtN7NDh24Vx89x

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1704
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:3336
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /renew
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:3608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rdTOqrzU1nz2.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
            • System Location Discovery: System Language Discovery
            PID:428
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 5 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3692
          • C:\Users\Admin\AppData\Roaming\IDEKCRY.exe
            "C:\Users\Admin\AppData\Roaming\IDEKCRY.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3936
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Users\Admin\AppData\Local\Temp\xplaad.exe
          "C:\Users\Admin\AppData\Local\Temp\xplaad.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /release
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3296
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /release
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:1396
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3780
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /renew
              5⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:1152
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CA6.tmp.bat""
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3336
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1668
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
      Filesize

      1KB

      MD5

      b0566c9c0483fed7798d76cc05aeeaea

      SHA1

      ba03b7fe55f32ab2b0ddab60a4efb6753c313fe1

      SHA256

      b5c08f29e07865c49e1cfe89592764a882c0addea626c8424a8cda4b7264fce4

      SHA512

      ab18df143cdd9e9fc9dcc32dc7c7605464818a943c28bfd072b5573489c49817b7a3e4ed7dc0d8cf3240333f6cdfbeaff06134e87695f620e6da7bb85317b0c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rdTOqrzU1nz2.bat
      Filesize

      170B

      MD5

      023bb3cfe8425fbf51bdec975dd079f7

      SHA1

      2a789647dbbbe163f78e64a66926e5df6f8219fd

      SHA256

      1b059b86add3c1eaecb5ef0ba4b2f427f815ce610151c1d44f637577063a638e

      SHA512

      508d967e07e8bc838d1760b75fbdeaac7d71e9f66e5f266c30ce66692bc89ea658ba16ad6a6425c6be179233a58d644f0d773ee6ec78d36c694c85eb116246cb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp8CA6.tmp.bat
      Filesize

      175B

      MD5

      f3e651af0d2b81ee9ba2c27aa47af988

      SHA1

      364b6ca6b2e48408c5af847e0de1695c26393168

      SHA256

      59ea9efa3a90611e8f061c0ee6c7e97082c72fc51e975fbd077da33cd71f01a4

      SHA512

      fea0ed03b11d1d2adcad2507619b5380496ec2131995208fde674ac54868ace8e79924300d1834253b0c49f8fd503a3b3986d2c314ad94720b1e7e436060871f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xplaad.exe
      Filesize

      1.0MB

      MD5

      d5a658bf1ba47c2197602adaf3ccf35e

      SHA1

      5a5d81ac2da7dd8e7963a9a6ae50ca211cccc6e2

      SHA256

      ce4ebe3b66b980a093838aa814fbf48aef7e1e4a2fe6b88a09608f3d628a88e6

      SHA512

      eb2772e21f2392aede06e17b9411c16f2bfb4e13d5c50b0bdeec72d5b644897831238679c1f11eb4add58d00c5112613d886eeaa3df7fb0d97949c080b8bd7e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\IDEKCRY.exe
      Filesize

      5.2MB

      MD5

      e519d96058ad7edc4ad729c5031aade3

      SHA1

      a25dff3c86aa7fefddb8b9173b64f5f87f398ea3

      SHA256

      671cd2ed3cab7edffa86e4babf8a9fe39303b4298fe12788b43f371bb3d6600a

      SHA512

      c69ad5b84fbcd3c930e3569bb3c417c8d22947b09adf3ad9a2b48e2d53e91bd16422a5a21770b4e393031062bf958d8f9218708def12d00d1fef2703c2e6d593

      Download Submit

    • memory/2764-1105-0x00000000072C0000-0x00000000073AE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/2764-1100-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1097-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1093-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1092-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/2764-1094-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2764-2199-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1098-0x0000000005DF0000-0x0000000006408000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2764-1099-0x0000000005850000-0x00000000058B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2764-1101-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1104-0x0000000006F30000-0x000000000701A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/2764-1096-0x00000000055B0000-0x000000000566C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2764-1115-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1114-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1111-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1109-0x0000000008370000-0x0000000008464000-memory.dmp

      Filesize

      976KB

      Download

    • memory/2764-1108-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1107-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2764-1106-0x00000000076E0000-0x00000000076EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3936-3309-0x0000000000230000-0x0000000000768000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3936-3311-0x00000000079D0000-0x0000000007ED8000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/3936-3310-0x0000000005140000-0x0000000005648000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4308-1117-0x0000000000400000-0x0000000000512000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4308-1119-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4308-1120-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4308-1118-0x0000000005630000-0x0000000005718000-memory.dmp

      Filesize

      928KB

      Download

    • memory/4308-2195-0x0000000005A40000-0x0000000005A9A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4308-2200-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4308-2204-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4784-45-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-39-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-9-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-8-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-6-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-1080-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4784-1081-0x0000000005430000-0x00000000054E4000-memory.dmp

      Filesize

      720KB

      Download

    • memory/4784-1082-0x0000000005520000-0x000000000556C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4784-1086-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4784-1088-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4784-1087-0x00000000056E0000-0x0000000005734000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4784-1095-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4784-13-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-15-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-19-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-21-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-23-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-27-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-29-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-31-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-33-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-35-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-37-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-11-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-41-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-43-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-0-0x000000007465E000-0x000000007465F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4784-47-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-49-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-51-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-57-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-59-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-61-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-63-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-65-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-67-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-69-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-2202-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4784-2203-0x00000000056E0000-0x000000000577C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4784-55-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-53-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-26-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-17-0x00000000050C0000-0x00000000051FB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-5-0x0000000005330000-0x00000000053C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4784-4-0x00000000057E0000-0x0000000005D84000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4784-3-0x0000000074650000-0x0000000074E00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4784-2-0x00000000050C0000-0x0000000005200000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4784-1-0x00000000005C0000-0x000000000072C000-memory.dmp

      Filesize

      1.4MB

      Download