Overview

overview

10

Static

static

3

bqkriy6l.exe

windows7-x64

10

bqkriy6l.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bqkriy6l.exe

  • Size

    1.4MB

  • MD5

    72a6fe522fd7466bf2e2ac9daf40a806

  • SHA1

    b0164b9dfee039798191de85a96db7ac54538d02

  • SHA256

    771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce

  • SHA512

    b938a438e14458120316581cb1883579a2ce7f835b52f4ab1cde33aa85febcad11f8a8b0a23fb9a8acafa774fe9cbd1c804a02fd8e6f5d8df60924c351f0126e

  • SSDEEP

    24576:9lh9OZjjhYvYjQJABLaR5nyAMqIvGPSFyPHCA2c8UkHBSDzJ4u:fhwZjjhYvYTLaPy+IvG6FHAk8DzJ4u

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

38.180.203.11:1010

Mutex

LE5ccvPhTtoUBuJ2

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bqkriy6l.exe
    "C:\Users\Admin\AppData\Local\Temp\bqkriy6l.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\bqkriy6l.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe'
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2884-12-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2884-14-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2884-9-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2884-8-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2884-20-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2884-19-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2884-18-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2884-7-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2884-10-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2884-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2884-17-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3048-5-0x0000000004820000-0x00000000048F6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3048-0-0x000000007472E000-0x000000007472F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-21-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-2-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-6-0x0000000000940000-0x0000000000962000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3048-1-0x0000000000B20000-0x0000000000C88000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3048-4-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-3-0x0000000074720000-0x0000000074E0E000-memory.dmp

    Filesize

    6.9MB

    Download