Analysis

  • max time kernel: 29s
  • max time network: 37s
  • platform: windows10-ltsc 2021_x64
  • resource: win10ltsc2021-20241023-en
  • resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted: 13-11-2024 22:06

General

  • Target: XBinderOutput.exe
  • Size: 5.2MB
  • MD5: dfc4fe438bf0f48fc9a6e1abe5391962
  • SHA1: f25de3b3c2455cf674cd90ab2c87587177db6ed4
  • SHA256: f43feac8d598b74de66b04aaac9fc1c1fe40784295ef75a3e050fe81cb24cc8c
  • SHA512: 6ad48e7f3ba3130390f584b3e8e7538f20f40334583557cbfcec57b0fc257ac63b68e2f33e3efb83d6638545175a43e9ebcdaacef3ba6fd9fbb11e8bda24a1ca
  • SSDEEP: 98304:IpmJAGbcS0n4NnZg+O4KDKctCLX5LdyTUzhYybcHsXIJZGUS2V:/AjagIqKct45OdMEdJZG3s

Malware Config

Extracted

  • Family: xworm
  • C2: man-laughing.gl.at.ply.gg:57783
  • Attributes
    • Install_directory: %LocalAppData%
    • install_file: Windows Data Compiler.exe

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (2 IoCs)
  • Detects Pyinstaller (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (41 IoCs)
  • Suspicious use of SendNotifyMessage (41 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Windows Data Complier" /SC ONLOGON /TR "C:\Windows\System32\Windows Data Complier.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2860
    • C:\Windows\System32\Windows Data Complier.exe
      "C:\Windows\System32\Windows Data Complier.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3204
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Complier.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2120
    • C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "ver"
          4⤵
          PID:1784
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3180

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 3eb3833f769dd890afc295b977eab4b4
    SHA1: e857649b037939602c72ad003e5d3698695f436f
    SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
    SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 60b3262c3163ee3d466199160b9ed07d
    SHA1: 994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
    SHA256: e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
    SHA512: 081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: e0c997f26ad63f3e1994e3bd2fd5e642
    SHA1: 0b4ae4a5f341ca96910429e4c5d019c4ebe256da
    SHA256: 8cf9593604da0941da1eeb1d84fc32741bbe47639dc37ff60bcaffedc5b96b9f
    SHA512: 9730e48e704da7d3f86ba48eee9ba2ff5b13cbfbda4635bd3b1447481a60c5c7ae9aff8abfca6e2e355d76a73352cbee43f109b81435b5d6cdb354f77460e3c7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 20414ac4a026bad160fbc805f9c69948
    SHA1: 2ddc9ffea79489ef5231ed69551298b115d22ea9
    SHA256: d5253092aa84bcf260b60e658e43ef5af74c348559fba471172e66f6dc93442f
    SHA512: ae58a471d71d2a2011534ebc7a503ab12e938d8aa2080e131369b8fdd72fa2568b09d86a05cdddf0890ea9dd48f8c10e1905c4b385317a08a7552b2663feade1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 2caedf4a5a478099693e0888a7646597
    SHA1: 9f0389cf7ee1b4e3e6b33b89fb5225cd741db097
    SHA256: fbeaf47488fd7a4ccb599c6d48e06df9ff2c9d4f8c61d03abf8b02e4147c008b
    SHA512: e5ee648e0e9c64e212f4faa5347cc1d880d63bec29d34f06ef9ff526960d5e6a6047a6efd9dab654108182cdeb8c3f37b9611c15ebd7614e7236a104c3e82fcd

  • C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
    Filesize: 5.3MB
    MD5: 46e86ecd12420ebfd5929db537cd4084
    SHA1: 00606ba3797551ee482c8bec07f14999ce834a19
    SHA256: a59f107af27b430afa6d76e2b003d5eac11656e5b00183369fb8306932f2e141
    SHA512: 101e711822d40d5b354ba2ea192ef4c0c7225c38669809e8d229f2dcfd1eeb6af54a2c974e708f2ce2cf125fb31a4a199a033be269c0c016f51ee28a0db0fb6f

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\VCRUNTIME140.dll
    Filesize: 106KB
    MD5: 870fea4e961e2fbd00110d3783e529be
    SHA1: a948e65c6f73d7da4ffde4e8533c098a00cc7311
    SHA256: 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
    SHA512: 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\_ctypes.pyd
    Filesize: 119KB
    MD5: ca4cef051737b0e4e56b7d597238df94
    SHA1: 583df3f7ecade0252fdff608eb969439956f5c4a
    SHA256: e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b
    SHA512: 17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\_socket.pyd
    Filesize: 75KB
    MD5: 0f5e64e33f4d328ef11357635707d154
    SHA1: 8b6dcb4b9952b362f739a3f16ae96c44bea94a0e
    SHA256: 8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe
    SHA512: 4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\base_library.zip
    Filesize: 812KB
    MD5: fbd6be906ac7cd45f1d98f5cb05f8275
    SHA1: 5d563877a549f493da805b4d049641604a6a0408
    SHA256: ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
    SHA512: 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\libffi-7.dll
    Filesize: 32KB
    MD5: eef7981412be8ea459064d3090f4b3aa
    SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
    SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
    SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\python310.dll
    Filesize: 4.3MB
    MD5: deaf0c0cc3369363b800d2e8e756a402
    SHA1: 3085778735dd8badad4e39df688139f4eed5f954
    SHA256: 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
    SHA512: 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

  • C:\Users\Admin\AppData\Local\Temp\_MEI36402\select.pyd
    Filesize: 28KB
    MD5: c119811a40667dca93dfe6faa418f47a
    SHA1: 113e792b7dcec4366fc273e80b1fc404c309074c
    SHA256: 8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7
    SHA512: 107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_teezzcgy.vwu.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk
    Filesize: 1KB
    MD5: ede5e6f1eae0aa096cd609221565a970
    SHA1: 841002eddccb9ad9968317f783ccfb385e8af836
    SHA256: aa3c05854c19950a150f72a641e7b689d383e1956d0779c2ad78ddb6df8c6bf1
    SHA512: 7df5738d152e37b702ea7b915bafdd4fb9be818e8c91a30ea449661377b8ae9870ae21570862a0163e638624a76246bbe5be4cf0f27d7bf38984b32458f2363e

  • C:\Windows\System32\Windows Data Complier.exe
    Filesize: 82KB
    MD5: ac82021a4611e4f15c4eb33f9fc179d6
    SHA1: dee75a9ea1e458448851c856b09b8e929f85b4b5
    SHA256: 8c81b95f5a7846df8685855e76e310606e626d9c9455fa72e824c733b4db3bdc
    SHA512: 057ab98f565f6a06a527ac4a8eaa5bbeecbeccd4cba0b1d442096a453232e3c4bebe684c75e38ad25c7e9d8dd18a245d950d0262e9be1de3c72932ed094149ed

  • memory/660-0-0x00007FF8E7563000-0x00007FF8E7565000-memory.dmp (Filesize: 8KB)
  • memory/660-65-0x00007FF8E7560000-0x00007FF8E8022000-memory.dmp (Filesize: 10.8MB)
  • memory/660-2-0x00007FF8E7560000-0x00007FF8E8022000-memory.dmp (Filesize: 10.8MB)
  • memory/660-1-0x0000000000060000-0x00000000005A4000-memory.dmp (Filesize: 5.3MB)
  • memory/2272-3-0x000001A82E700000-0x000001A82E722000-memory.dmp (Filesize: 136KB)
  • memory/3180-24-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-21-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-22-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-23-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-25-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-19-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-20-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-13-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-14-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/3180-15-0x0000024BB08C0000-0x0000024BB08C1000-memory.dmp (Filesize: 4KB)
  • memory/4076-43-0x00000000000B0000-0x00000000000CA000-memory.dmp (Filesize: 104KB)