Overview

overview

10

Static

static

10

3d25fe2989...5N.exe

windows7-x64

10

3d25fe2989...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-11-2024 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d25fe2989b3b9505c5b45751d1da232fe3715bff54c6900d82b99e7ad76e6c5N.exe

  • Size

    114KB

  • MD5

    62ed3d4b4bcced663a7cba48715843a9

  • SHA1

    edb117c9a77f0b9f55491ec23f08a55a3340341f

  • SHA256

    23bd40410d0296e31261f08dcb871ccd8965bd7b610d7d1a5d3c9aaf88048b6c

  • SHA512

    eca0fe59599aa90af0963eeaa475bbebd09edc0e9befa6ff8546ee1b806a1f4e7d4a8386fbefdb016f4df33d3ff5b58de4d2338ada8737ec45c50db9725de883

  • SSDEEP

    1536:JjYYfOtuaA3+pfbrp+ZY9QQK676lJOqVChiH0hLP+VVVVVVVVVVVVVVVVVVVVVVp:B0uaA3+pfbrpfOZfOqVbH0hLN0B

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:10967

22.ip.gl.ply.gg:10967
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    dllhso.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d25fe2989b3b9505c5b45751d1da232fe3715bff54c6900d82b99e7ad76e6c5N.exe
    "C:\Users\Admin\AppData\Local\Temp\3d25fe2989b3b9505c5b45751d1da232fe3715bff54c6900d82b99e7ad76e6c5N.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3d25fe2989b3b9505c5b45751d1da232fe3715bff54c6900d82b99e7ad76e6c5N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3d25fe2989b3b9505c5b45751d1da232fe3715bff54c6900d82b99e7ad76e6c5N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhso.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhso.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhso" /tr "C:\Users\Admin\dllhso.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2624
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2827D23E-8C0E-4081-82A3-4499D2E08B4D} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\dllhso.exe
      C:\Users\Admin\dllhso.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:604
    • C:\Users\Admin\dllhso.exe
      C:\Users\Admin\dllhso.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a6a97dfa610b821a3695bda1da5d75fb

    SHA1

    a698017b576482193870abf76bfb31878ed67ae4

    SHA256

    47e698685a55cf08ed1f0714081ba8aa5fd6a9fa49fa0dcb394b9e1992fd070d

    SHA512

    a739726baf934628229e18ce4bd73b03c27649e2579ca8bd815751581b53ada18e9da363d9ce7188ee2cdd061c4805f13ea641517c6281297e950161cba682cc

    Download Submit

  • C:\Users\Admin\dllhso.exe
    Filesize

    114KB

    MD5

    62ed3d4b4bcced663a7cba48715843a9

    SHA1

    edb117c9a77f0b9f55491ec23f08a55a3340341f

    SHA256

    23bd40410d0296e31261f08dcb871ccd8965bd7b610d7d1a5d3c9aaf88048b6c

    SHA512

    eca0fe59599aa90af0963eeaa475bbebd09edc0e9befa6ff8546ee1b806a1f4e7d4a8386fbefdb016f4df33d3ff5b58de4d2338ada8737ec45c50db9725de883

    Download Submit

  • memory/604-34-0x0000000001090000-0x00000000010B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2028-36-0x0000000000160000-0x0000000000182000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2128-29-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-1-0x00000000012C0000-0x00000000012E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2128-0-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-30-0x000000001B1A0000-0x000000001B220000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2128-28-0x000000001B1A0000-0x000000001B220000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2544-7-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2544-8-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2544-6-0x0000000002780000-0x0000000002800000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2988-15-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2988-14-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download