Overview

overview

10

Static

static

10

test1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/11/2024, 09:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    test1.exe

  • Size

    64KB

  • MD5

    9102a37f6aea129203c69401b3fe9720

  • SHA1

    b622081cc2baec9764b2156e99fe1afeaf0cb73f

  • SHA256

    ab77001bb0302e94eb707a07858b174ef90f40e67826d97e725e35f835d5787b

  • SHA512

    fc451d29220cb0d9a66cd24c1f9ce6ff2a54b133275a6b43d93e37708c5a70d84ae2d6e9928f8810ef63d43196de99ff1949b4984ba290e4eae3cc41f5c40c40

  • SSDEEP

    1536:T30ovakP/3QLHp6PcXbZe/XiBwZSNpV8OwURvCl:jh3+rbYqfV8OwUBM

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

C2

0.tcp.ap.ngrok.io:4411

Attributes
  • Install_directory

    %Public%

  • install_file

    hh.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 38 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test1.exe
    "C:\Users\Admin\AppData\Local\Temp\test1.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3168
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:1568
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:2940
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
      1⤵
        PID:2944
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2036
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
        • System Location Discovery: System Language Discovery
        PID:4032
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
        1⤵
          PID:2076
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\system32\Taskmgr.exe
            taskmgr
            2⤵
              PID:2024
          • C:\Windows\System32\Taskmgr.exe
            "C:\Windows\System32\Taskmgr.exe"
            1⤵
            • Checks SCSI registry key(s)
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2368

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e95c7ea1-e7dd-4e12-9b0b-f73cf3300b39.down_data
                  Filesize

                  555KB

                  MD5

                  5683c0028832cae4ef93ca39c8ac5029

                  SHA1

                  248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                  SHA256

                  855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                  SHA512

                  aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.181xczz6_30tl1ljqw0802jqd.tmp
                  Filesize

                  2KB

                  MD5

                  530f1945913c81b38450c5a468428ee6

                  SHA1

                  0c6d47f5376342002ffdbc9a26ebec22c48dca37

                  SHA256

                  4112d529734d33abda74478c199f6ddc5098767e69214a00d80f23d2ea7291ff

                  SHA512

                  3906427ffb8f2dfea76ba9bb8cac6bd7dece3ebee7e94ea92da5bbdb55d8859c41260a2bda4e84fab7e1fb857ad12a2e286694ea64d00d0aa6cab200fbbf64f0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.h9p4mqoo0k0n2g0qjmn9_bd4g.tmp
                  Filesize

                  9KB

                  MD5

                  24ebdb1228a1818eee374bc8794869b7

                  SHA1

                  79fc3adb42a5d7ee12ff6729ef5f7a81e563cd2d

                  SHA256

                  92a7d7d3b0bfac458ddcef07afcdad3646653ba7f4ad048fdd7a5ec673235923

                  SHA512

                  63764d99a0118fac409327d5bf70f2aa9b31caf5277c4bc1e595016a50c524cd6c3d67924321b0fcad12cd968de1a62bd292151e35fd907034efd0f40b743d6a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.s1_4nbh1254xg4q4rq__rjvm.tmp
                  Filesize

                  1KB

                  MD5

                  4085b7b25606706f1a1ad9a88211a9b7

                  SHA1

                  31019f39a5e0bf2b1aa9fe5dda31856b30e963cc

                  SHA256

                  b64efcb638291c1e1c132ed5636afbb198031cee44384f3ecf67d82b73accecc

                  SHA512

                  9537559523839e3e708feabe8c04f40236add7d200ec36bad00c10a69337a15001103c17093dcc0d8cadb4713d911f39a6411624c1db4cbf1ea1af272a716168

                  Download Submit

                • memory/2368-383-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-393-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-390-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-391-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-392-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-385-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-384-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-389-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-395-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2368-394-0x0000020B81C50000-0x0000020B81C51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3168-3-0x00007FFCF6F20000-0x00007FFCF79E2000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3168-0-0x00007FFCF6F23000-0x00007FFCF6F25000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3168-1-0x0000000000800000-0x0000000000816000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3168-2-0x00007FFCF6F20000-0x00007FFCF79E2000-memory.dmp

                  Filesize

                  10.8MB

                  Download