Overview

overview

10

Static

static

10

8327399d45...0N.exe

windows7-x64

10

8327399d45...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8327399d458913b2f8b9b8d5b53d38390ba01842747eb701cc75486e57df1d30N.exe

  • Size

    70KB

  • MD5

    01417d75f6d4f4e43ab50301bdfed600

  • SHA1

    f71eb0c0c8e43f82338f2ea45b41a434836f77c4

  • SHA256

    8327399d458913b2f8b9b8d5b53d38390ba01842747eb701cc75486e57df1d30

  • SHA512

    3ae6831b2aa620f262f2d7c23194b66cb52eccbd955ee8f2b5ce7cfd3e53f85070000f98a301ec67f4f0426284bd5fdf0c135533fe3c041493781dac91cbe6ac

  • SSDEEP

    1536:ujXe7voXuNLagsO7hdXvxY+CbTX9R6l4OAy8AjubP:E6wXuNLagsO1dpY+CbTtNOB8AQP

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

192.168.0.3:3389

184.190.169.22:3389

192.168.0.8:3389

192.168.0.7:3389
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Microsoft OneDrive.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8327399d458913b2f8b9b8d5b53d38390ba01842747eb701cc75486e57df1d30N.exe
    "C:\Users\Admin\AppData\Local\Temp\8327399d458913b2f8b9b8d5b53d38390ba01842747eb701cc75486e57df1d30N.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8327399d458913b2f8b9b8d5b53d38390ba01842747eb701cc75486e57df1d30N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8327399d458913b2f8b9b8d5b53d38390ba01842747eb701cc75486e57df1d30N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft OneDrive.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    7e6e4e43c9dfb065dd02705bdb72b862

    SHA1

    6626358671ffd02d56cc4bb9f078c51847bcc8be

    SHA256

    4e0c1b05535260e3f006e12b6964c52ea02d5e03839aa512adbcee7ee97ba4cd

    SHA512

    98bb292cb0284a5629adc0a074790d280329a6935d6a1ba86c163c9647c88bdcc223a62987ff475fafa3e5f8a614d3d67b80116f8603f8763c7f1eb61d36679d

    Download Submit

  • memory/2196-0-0x000007FEF6473000-0x000007FEF6474000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-1-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2196-28-0x000000001B2A0000-0x000000001B320000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2196-29-0x000000001B2A0000-0x000000001B320000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2656-6-0x0000000002970000-0x00000000029F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2656-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2656-8-0x0000000002720000-0x0000000002728000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2688-14-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2688-15-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

    Filesize

    32KB

    Download