Overview

overview

10

Static

static

10

eheheh.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    54s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/11/2024, 07:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eheheh.exe

  • Size

    83KB

  • MD5

    6bb17f4042738219708a1fcd785b2f20

  • SHA1

    7b7f33f12a9a7602ad2b1128ca51b4336c63bf8b

  • SHA256

    52f750c805eb0d8d1175b9b648bc6e458bcbb33048c864d8e064099c44addfa1

  • SHA512

    f4c22bc88e3644621fcc2853562e8312a4b68c673148742b0cae3c54c0e7c80f19c31d9d32114a385fabb1248740467b19bea1ab0d6d05c42ca35878e4c8e8e6

  • SSDEEP

    1536:POGdaV0R6Gkp3UyLshEjoE9I8uEMWb15uaGM53/m8AWm6Z3JOY451:WGdBS3Un8oE9I8+Wb15uaxxL3JOY43

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

about-publishing.gl.at.ply.gg:49157

Attributes
  • Install_directory

    %AppData%

  • install_file

    update.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eheheh.exe
    "C:\Users\Admin\AppData\Local\Temp\eheheh.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5168
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UninstallBackup.cmd" "
    1⤵
      PID:1604
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ef6297f-0b6b-45bd-86d6-e2487386a0b6} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" gpu
          3⤵
            PID:1676
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3a5cf23-6aec-4173-aaae-9172bb5b3e91} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" socket
            3⤵
              PID:2748
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a563e04-4331-44e7-bb9d-1fae15a95f66} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
              3⤵
                PID:5520
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3528 -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3192 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d1fcf96-c382-45f4-ac1b-e0d0d5cf0c8a} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                3⤵
                  PID:1456
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84d3e5bf-737b-481e-bf4a-ad86055e9d79} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" utility
                  3⤵
                  • Checks processor information in registry
                  PID:5836
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1560 -childID 3 -isForBrowser -prefsHandle 912 -prefMapHandle 1120 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1e7b39-8d4c-43e2-bf4a-edd5bb267ffe} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                  3⤵
                    PID:4132
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1404 -childID 4 -isForBrowser -prefsHandle 2728 -prefMapHandle 5596 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00c84fa6-c549-4e48-9056-e7c671cda980} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                    3⤵
                      PID:3332
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5944 -prefMapHandle 5952 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8300b4b9-2530-41f2-a1af-9dfff8aa0db7} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                      3⤵
                        PID:2320
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6240 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1de6718b-666d-4c27-b70d-019180026782} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                        3⤵
                          PID:2176

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\activity-stream.discovery_stream.json
                            Filesize

                            25KB

                            MD5

                            29380bbd40f16c1526da5e9036be9a9a

                            SHA1

                            1bf757b5424cf74a0599386dd212240d7dba7ba3

                            SHA256

                            1d02e0b4c6ad2c222b58d828e1b8272fd96952954bb7da930623a8e8845811fb

                            SHA512

                            11cdbf6ae39d524906ce7b696e764960add77e319ef520672317259acaffddece2a8f45f977767f703f2aad190411f2d0bb931a8b74bdac9253d6e55cb3f6312

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                            Filesize

                            479KB

                            MD5

                            09372174e83dbbf696ee732fd2e875bb

                            SHA1

                            ba360186ba650a769f9303f48b7200fb5eaccee1

                            SHA256

                            c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                            SHA512

                            b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                            Filesize

                            13.8MB

                            MD5

                            0a8747a2ac9ac08ae9508f36c6d75692

                            SHA1

                            b287a96fd6cc12433adb42193dfe06111c38eaf0

                            SHA256

                            32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                            SHA512

                            59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin
                            Filesize

                            8KB

                            MD5

                            de045de7f840179e83750f169f460e82

                            SHA1

                            23995c91a4d8fcde439d19b6533496744e805daf

                            SHA256

                            c3a9a8285c8bc0ace2d2dbaed3cbe6449ab5f95c51ccf7f73c8d9b368597a536

                            SHA512

                            aeed22a0bb699e2f460ca6a5ea26bfc2492210cddee988c73a6b7e5f7d0b7296cde8a95e9fa6f6487d3a65b41874e4f852aaa382e7dfd60f37216e86722713dd

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin
                            Filesize

                            12KB

                            MD5

                            09fdf202b3cb233be9cf5f079d093a2b

                            SHA1

                            75dd7556d2cdef71df31064a56957842c1281def

                            SHA256

                            adac4fe90ccea9e1fd4da5c98126e64e32a0cf02dc67c32ce83283d866719e0d

                            SHA512

                            2642ae672822751d4981a08c6e3bb1877e086f66c6a5796e7abc68753876a56b9ddb257e2ec8ebd54ffb26fd6db7e1d1a0f9dc591eb0581d88f54902f703191c

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
                            Filesize

                            5KB

                            MD5

                            178ec991339cd699bb7b281d8086c7ee

                            SHA1

                            ee5599fbbe0963e899d8c5524e5393ee9001b78f

                            SHA256

                            6ba7ad9299e904b314e96395410bdfa4994d0318d94543c2c013c554fa42c1cb

                            SHA512

                            6a70946135e6470f5edcf16b9568bb7ef252c6647981c7f2c7942481fadd127af2ce88c1571fd92c6ecf378e82860103450cc57805c30f0ed27d5b4ec60c41e9

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
                            Filesize

                            5KB

                            MD5

                            6c7571d8dfce5bd0cb55697e21d845f9

                            SHA1

                            6294613faf7f646ce470837cf1605c2e562ce566

                            SHA256

                            3a2a8992dadccdf156315e71f45ce857168b81428384dd238d1cfa7fde746a83

                            SHA512

                            e49e6d11f21d01ba8c3c6380cf0e2c30c0489c3cffc2a2bdc2f0499211b5681955e021522085dedb2280b38f955cc780ba6b8ec64e4ab13d43d54798330ed58c

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
                            Filesize

                            17KB

                            MD5

                            10a6a1d5cc3cd0d0f402661ebbecf67a

                            SHA1

                            5279cce7ce676dc85630d3ecc4119fc9150702c5

                            SHA256

                            9753a0005f6ea2f49b39df3bf3fe61c14b28ea7a0c2beeb3b6efcc7e547899de

                            SHA512

                            62b064deb19eee70eac4417895d572d467c48e3c70a3cf84b5d2d83cda245b57c244a98aaf0934b1f69c41490bb7e327d1076d0e2da08eab19dacfedabbb5cc6

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\29618107-43b5-49b5-a585-c4ffbdb127a5
                            Filesize

                            26KB

                            MD5

                            aef08e98ec870a104edfa1d42da4f016

                            SHA1

                            6e0e65f269be65169784e91180fe6e2e6e6dba0e

                            SHA256

                            5d7f23dfcb9629e67f9cf0b5bda56462e4e7c5afcef7a188d568c4af251eb664

                            SHA512

                            4c0fba9b0c3b0ca44f18e02d30126a1f835fcb2ce60441b965db117f00b315a93026e73bd0e7561a7e163a13c72e81cc74945eb9ed1d7a52a26d9dc997223dde

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\40260918-c6b8-44ea-9909-0bfcaa7ca812
                            Filesize

                            982B

                            MD5

                            8a511b7d72d8ed23856d540690574de0

                            SHA1

                            07e138b8bc4253154c8199ac396887695f8579c0

                            SHA256

                            3fd4d26688ff3ea8fdebd10fbbeb6a5310ad251e0d0e271b92d0ea29477d6593

                            SHA512

                            8960c5ec4f57d667ce594d05bdd8bcc9aaca44f32baaccbd58e10ffb5998460ee721cf1b4be1d766b507e99e398bf8867776f653235f8f3da79f19903ed97900

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\9f712435-660f-4e80-b11e-ed6637cbc001
                            Filesize

                            671B

                            MD5

                            ceee7c6fa5a27bc78346381a674769ce

                            SHA1

                            ed1144b84009ee25163cf270e5244f6e1f298dd9

                            SHA256

                            ec12583e1c68aba4725626ade35aa23c41dcc18a887e0753a9a23a115726c05d

                            SHA512

                            0f99ce09db77a2f7d01ffe390b4c8c2e6a6a52093a7454c8120e0dd23d744f0ec045e15a1e033842e07875ada5c32dd9cfd814a6fdc5f27effc49fbe179b4308

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                            Filesize

                            1.1MB

                            MD5

                            842039753bf41fa5e11b3a1383061a87

                            SHA1

                            3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                            SHA256

                            d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                            SHA512

                            d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                            Filesize

                            116B

                            MD5

                            2a461e9eb87fd1955cea740a3444ee7a

                            SHA1

                            b10755914c713f5a4677494dbe8a686ed458c3c5

                            SHA256

                            4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                            SHA512

                            34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                            Filesize

                            372B

                            MD5

                            bf957ad58b55f64219ab3f793e374316

                            SHA1

                            a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                            SHA256

                            bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                            SHA512

                            79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                            Filesize

                            17.8MB

                            MD5

                            daf7ef3acccab478aaa7d6dc1c60f865

                            SHA1

                            f8246162b97ce4a945feced27b6ea114366ff2ad

                            SHA256

                            bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                            SHA512

                            5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js
                            Filesize

                            11KB

                            MD5

                            45aa51e46f8f8d52eef8c716e0dc7688

                            SHA1

                            a6047a712e9c3db11355182793e625996f3fcb21

                            SHA256

                            d90aa2efbe3f86aecace492b4547266bd56e4e3aac7b741a9957c81ad6c32ff8

                            SHA512

                            e7f692eb419df86c141c26c3ce84bd7fd5f9111f2b3504c258d4c8a5b6708e341a27074c47eb3dd49deafe2344c479369851eed0640d445958d5e8b7d7427bc7

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js
                            Filesize

                            10KB

                            MD5

                            f9f5fdfba54ecdb127482b999533b2c0

                            SHA1

                            eec588295e2bd4c01a641e964462fea5b2afc1dc

                            SHA256

                            e298be5b5f632d1e9ba886abe47b36a0fc83dd908a7ed27eb5bc9cbd224c0010

                            SHA512

                            ab49b91960a64777babb876e7c34065930197fb3c6d49e0a41ea627db37df188e18be236bf6a5b3c366edde1a39a9500416d01e3fe7ca0ae455866e954076b5d

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\sessionstore-backups\recovery.baklz4
                            Filesize

                            3KB

                            MD5

                            35ba9181f941eeec5e9b17da03803944

                            SHA1

                            947664848a8cfad37b72c3ee2013e8194aa90c14

                            SHA256

                            77aba65e218402ad4bd65ab2611cbd6c17c264fb4afd718c5821377941f0ceef

                            SHA512

                            64cd6384b4ca8d32ea54d1fc4b8e6f3c53fd7bde45c27aa9e14f54216b33d9b996dfa7db5df1a87390e913e8a1385dec893ed2575762237501e6ccacd7eee1d5

                            Download Submit

                          • memory/5168-0-0x00007FF91FE13000-0x00007FF91FE15000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/5168-3-0x00007FF91FE10000-0x00007FF9208D2000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/5168-2-0x00007FF91FE10000-0x00007FF9208D2000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/5168-1-0x0000000000D90000-0x0000000000DAC000-memory.dmp

                            Filesize

                            112KB

                            Download