Overview

overview

10

Static

static

3

XBinderOutp2ut.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    39s
  • max time network
    44s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    13-11-2024 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutp2ut.exe

  • Size

    5.3MB

  • MD5

    6e01cde3a5ea24144142b1184ac4ad70

  • SHA1

    d31382e26b35e674867c25c9c9a865db7b2e3f6e

  • SHA256

    e51e384406c40df27f4e87e40a1bf94f4222bbfdf180acb1e4027c2ef7a500d9

  • SHA512

    1ff938ed0571b6d6b71d3a6b33719106951462e9c34ddcf16a18fe64da3ea0f114378b0f2119f1415c77438e7d6e0aa20a2ab68ccab89b05094bd799348ccdef

  • SSDEEP

    98304:jTpB0aai5jV3/DD93AWG0qO4qPGKYFVl3D8tvlviwYGb/wSabzJTgeh5:PpB0EpVN3gXqPGKSlKDYGb/wL5geh5

Score
10/10
xwormevasionexecutionpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xworm

C2

man-laughing.gl.at.ply.gg:57783

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Windows Data Compiler.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4492
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Windows Data Complier" /SC ONLOGON /TR "C:\Windows\System32\Windows Data Complier.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3516
    • C:\Windows\System32\Windows Data Complier.exe
      "C:\Windows\System32\Windows Data Complier.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Complier.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1480
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:556
    • C:\Users\Admin\AppData\Local\Temp\s.exe
      "C:\Users\Admin\AppData\Local\Temp\s.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\s.exe
        "C:\Users\Admin\AppData\Local\Temp\s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    84063c0d1d9aae057e1c424279a859b9

    SHA1

    267a2c5851b5da21dea746f0417dd4b33f051a31

    SHA256

    8efb3b1ffff11a06d7fc95530ea8eb260de51e72cfb457cf10a6fd34c8d20ed8

    SHA512

    ed878d9e9632e0f9ca2a644a86dd142eb91ea74403e5829dd159f225b7230b48314d52f783aff3e80180815f95cb7daebfdc0a89e4d93eb233aebb53ebc7f111

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    63e59d8385512f774bcb7fffaa2f35c5

    SHA1

    38679e31788faaa240eb7266d7b45194816ee67e

    SHA256

    f2e5a289b526cdfe426939d44998caccafecc50ce8a07cdfd3fd38db3480fde8

    SHA512

    7922269d37ae9790527aed64c35a4bd5eea754bdaaa7d13ff10953f3e47481d8456daf10371bae7bccee33a3abe20365c9c9cd8cba61d68e1d64e81beb2f68a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    14359ab04fb385861ffac85e495c5738

    SHA1

    c9abc53942ad000c711a7ff53fd19ae48fff7f98

    SHA256

    ac605ab47b791d2622c834454a9cab9b18c3a3d0c85f147fcc2b6d9517299efb

    SHA512

    3fb23705e50a6d3dfe45c3fcb5fec34e79071645a1a55ae38be0692aa7c007fa04cbfd9675f2f05799443ba3d49f292b1c3605827a039ea6b657119e951e5a96

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    4d01b82df84c6f130e2e7b301c9edeb4

    SHA1

    79d37d4779cd7e46fe8c6c94206c84f69cbee332

    SHA256

    0fa5fc3b88a4f074db88919fabe589aa8fce90bef3f4cb08f9532752bda2255a

    SHA512

    b2055142979d1f74275b05e3e5a785ea0fc2590705ca5c6ba74ba82d5f1affd36ae2fbd3960ab0f797c80c707b97c32356dd9a3c221dbf80e6b223b41137b165

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    870fea4e961e2fbd00110d3783e529be

    SHA1

    a948e65c6f73d7da4ffde4e8533c098a00cc7311

    SHA256

    76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

    SHA512

    0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\_bz2.pyd
    Filesize

    81KB

    MD5

    bbe89cf70b64f38c67b7bf23c0ea8a48

    SHA1

    44577016e9c7b463a79b966b67c3ecc868957470

    SHA256

    775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

    SHA512

    3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\_ctypes.pyd
    Filesize

    119KB

    MD5

    ca4cef051737b0e4e56b7d597238df94

    SHA1

    583df3f7ecade0252fdff608eb969439956f5c4a

    SHA256

    e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

    SHA512

    17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\_lzma.pyd
    Filesize

    153KB

    MD5

    0a94c9f3d7728cf96326db3ab3646d40

    SHA1

    8081df1dca4a8520604e134672c4be79eb202d14

    SHA256

    0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

    SHA512

    6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\_socket.pyd
    Filesize

    75KB

    MD5

    0f5e64e33f4d328ef11357635707d154

    SHA1

    8b6dcb4b9952b362f739a3f16ae96c44bea94a0e

    SHA256

    8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe

    SHA512

    4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\base_library.zip
    Filesize

    812KB

    MD5

    fbd6be906ac7cd45f1d98f5cb05f8275

    SHA1

    5d563877a549f493da805b4d049641604a6a0408

    SHA256

    ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

    SHA512

    1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\libffi-7.dll
    Filesize

    32KB

    MD5

    eef7981412be8ea459064d3090f4b3aa

    SHA1

    c60da4830ce27afc234b3c3014c583f7f0a5a925

    SHA256

    f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

    SHA512

    dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\psutil\_psutil_windows.pyd
    Filesize

    76KB

    MD5

    ebefbc98d468560b222f2d2d30ebb95c

    SHA1

    ee267e3a6e5bed1a15055451efcccac327d2bc43

    SHA256

    67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

    SHA512

    ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\python3.dll
    Filesize

    63KB

    MD5

    c17b7a4b853827f538576f4c3521c653

    SHA1

    6115047d02fbbad4ff32afb4ebd439f5d529485a

    SHA256

    d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

    SHA512

    8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\python310.dll
    Filesize

    4.3MB

    MD5

    deaf0c0cc3369363b800d2e8e756a402

    SHA1

    3085778735dd8badad4e39df688139f4eed5f954

    SHA256

    156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

    SHA512

    5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25322\select.pyd
    Filesize

    28KB

    MD5

    c119811a40667dca93dfe6faa418f47a

    SHA1

    113e792b7dcec4366fc273e80b1fc404c309074c

    SHA256

    8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7

    SHA512

    107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umhl1kvz.nvw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s.exe
    Filesize

    5.4MB

    MD5

    30feca7ddfac8b7a5dc39b4e9336a0d7

    SHA1

    1b524d54f524f4edfd96e9a5e2c540ee3463d18b

    SHA256

    d50ce8571ded39ccacf25c90fac12231ed6133f3e85b6ac29800115c61142328

    SHA512

    c36ab233191a1dec8b02396e874b4edbb357ae908a4c8ad850c23b334ef85682f8392fc825a597db8284bdca38c00116861fde41c0ba6b9f3832fd624f2ff230

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk
    Filesize

    1KB

    MD5

    79874a1121d991122ea33e3ffdcc8349

    SHA1

    bca2c94d5f4afd6ec9566c19f588ec672244dc21

    SHA256

    92499e817b7ee5153a9e30d7d3710ac7c02a607ba0be3846d684aba7ce7641e9

    SHA512

    a523e2d50108a8d7b1a5441a7fba7c877094e65bf54a231a5b9ec47060f7abe3a4b8d1331464cbb144d72a336af34b7d0140f0668112097010a7d75404204614

    Download Submit

  • C:\Windows\System32\Windows Data Complier.exe
    Filesize

    82KB

    MD5

    ac82021a4611e4f15c4eb33f9fc179d6

    SHA1

    dee75a9ea1e458448851c856b09b8e929f85b4b5

    SHA256

    8c81b95f5a7846df8685855e76e310606e626d9c9455fa72e824c733b4db3bdc

    SHA512

    057ab98f565f6a06a527ac4a8eaa5bbeecbeccd4cba0b1d442096a453232e3c4bebe684c75e38ad25c7e9d8dd18a245d950d0262e9be1de3c72932ed094149ed

    Download Submit

  • memory/732-21-0x00007FFDD7883000-0x00007FFDD7885000-memory.dmp

    Filesize

    8KB

    Download

  • memory/732-64-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/732-0-0x00007FFDD7883000-0x00007FFDD7885000-memory.dmp

    Filesize

    8KB

    Download

  • memory/732-1-0x0000000000B60000-0x00000000010C0000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/732-2-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1032-38-0x0000000000170000-0x000000000018A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1032-160-0x000000001D690000-0x000000001D6A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1032-159-0x000000001D460000-0x000000001D46A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1032-158-0x000000001D340000-0x000000001D429000-memory.dmp

    Filesize

    932KB

    Download

  • memory/1032-157-0x000000001D430000-0x000000001D43E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3900-102-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-95-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-101-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-103-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-100-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-104-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-99-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-105-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-94-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3900-93-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4492-3-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4492-13-0x000002B2D1430000-0x000002B2D1452000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4492-14-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4492-15-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4492-16-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4492-17-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4492-20-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

    Filesize

    10.8MB

    Download