Overview

overview

10

Static

static

10

3cc41a56da...8e.exe

windows7-x64

10

3cc41a56da...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e.exe

  • Size

    67KB

  • MD5

    ecc0117da91937168d95f94fe2b28840

  • SHA1

    f7c1c88b17173f9403536d0ca1fdfdbb108436e9

  • SHA256

    3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e

  • SHA512

    b5ed48db56c494396f8002dd61dbc10ca38f3487a9117549b43d3c59a4e580b5e3dc084b62eb5e0b7fc82900bfab79168bf394bab0de76b6971f45f6c84dbb4c

  • SSDEEP

    1536:RbCAX3g4GePVcAye7hC+bu/uwdVedefBRfa6GMO9RDc:JLg+cAX7hC+bu/9mauMOfQ

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

0.tcp.ap.ngrok.io:12725

Attributes
  • Install_directory

    %Temp%

  • install_file

    hh.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hh.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'hh.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "hh" /tr "C:\Users\Admin\AppData\Local\Temp\hh.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1844
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D48F544A-C963-48B0-B9AC-7C68117CCBAB} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\hh.exe
      C:\Users\Admin\AppData\Local\Temp\hh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:328
    • C:\Users\Admin\AppData\Local\Temp\hh.exe
      C:\Users\Admin\AppData\Local\Temp\hh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hh.exe
    Filesize

    67KB

    MD5

    ecc0117da91937168d95f94fe2b28840

    SHA1

    f7c1c88b17173f9403536d0ca1fdfdbb108436e9

    SHA256

    3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e

    SHA512

    b5ed48db56c494396f8002dd61dbc10ca38f3487a9117549b43d3c59a4e580b5e3dc084b62eb5e0b7fc82900bfab79168bf394bab0de76b6971f45f6c84dbb4c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    490056b07e770b7eda933510eb2227ff

    SHA1

    66a105e7e1109dfcfb3766c3f983a760a2caa26b

    SHA256

    dc10499bfa07750c444fab02804bf5c6c822892759be15f67e85c54487144173

    SHA512

    7e9eefc64da223fbf8255193d6bd08a769616cc1700eb300084a0e8ea6c4383781a5094434a05f1dec986a6a96fb0e83378b1069fb5dd635fe95fd7f137f7947

    Download Submit

  • memory/328-32-0x0000000000B40000-0x0000000000B58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1880-6-0x0000000002900000-0x0000000002980000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1880-7-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1880-8-0x0000000002000000-0x0000000002008000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2092-34-0x00000000010A0000-0x00000000010B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2188-28-0x000000001AAF0000-0x000000001AB70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2188-27-0x000000001AAF0000-0x000000001AB70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2188-0-0x000007FEF6853000-0x000007FEF6854000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-1-0x0000000000A90000-0x0000000000AA8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2872-15-0x00000000022E0000-0x00000000022E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2872-14-0x000000001B5B0000-0x000000001B892000-memory.dmp

    Filesize

    2.9MB

    Download