Overview

overview

10

Static

static

3

XBinderOutput.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    13-11-2024 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutput.exe

  • Size

    5.3MB

  • MD5

    ad9d61716f9fc8760aa5d1d3c28c9e68

  • SHA1

    165d4d89597a53e2c08a698498d7660328c82651

  • SHA256

    3137e58a47fb9656c272ed9cec55ab96df6b8e28f11d3942021c44162979dd32

  • SHA512

    939eee8d19a6bf5ba05bb902dcd94005d3b0ae22454033cceb5f191eabb79f914c0002980066e4291bc9426184efff3a4293e937aa51ee299632f06683653530

  • SSDEEP

    98304:GHbcM5mt/pg+qovAKzpFmtalfL5FU+rEh2wFbs0sDmscq:GHZQTgsjzpFmtSLsHd+mscq

Score
10/10
xwormexecutionpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xworm

C2

man-laughing.gl.at.ply.gg:57783

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Windows Data Compiler.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4256
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Windows Data Complier" /SC ONLOGON /TR "C:\Windows\System32\Windows Data Complier.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4548
    • C:\Windows\System32\Windows Data Complier.exe
      "C:\Windows\System32\Windows Data Complier.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Complier.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4208
    • C:\Users\Admin\AppData\Local\Temp\s.exe
      "C:\Users\Admin\AppData\Local\Temp\s.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\s.exe
        "C:\Users\Admin\AppData\Local\Temp\s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d6d1b8bb34838ccf42d5f69e919b1612

    SHA1

    20e9df1f5dd5908ce1b537d158961e0b1674949e

    SHA256

    8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

    SHA512

    ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c5f67682ca7a065a4b73be7f11a53548

    SHA1

    f7439e2bdd1dccdfd581db2e24b7bd51b274837e

    SHA256

    4644634fe9c942d8f31365e20782bf623f10381766602cf34bd76ae1cc68785f

    SHA512

    4291d74ee55d41bdfe91d14e3a16a0e3cf592f077ffeb7424b7943ee4ab3a40e3b7cd1c3b9826110c46544d6e60aa9e933b473863f63b5b52a4013a50a9c0b82

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    dece17e8b3d1cc0b29cf5a977b68730e

    SHA1

    e24e56624c7701b349a5a07642e9b9d902196f55

    SHA256

    1f78459e977340a708884f6f42099ad6914a855ee98cba6c09bbb2b56dbaa908

    SHA512

    8a966a00209f43ebc4051c3433aa12ce4e9a2f85acfb428f87fc7fd222549085c115df2372cbc29836a926950a38400a68e29c6f89c8f237a14c7833a92eb8a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    4aa4b21add005cf520e9ea725480490d

    SHA1

    31a5df10177a05854ceb8e66b45b40dd391a6a43

    SHA256

    d36e141708e0da78d853a98ce9c04d6a91a65184a8490a0ce5f7c0d20ef2a1f0

    SHA512

    dbaaa7d1d3342417f11447c6e9eff797d310bf1ebadd45fd2379f1990cb214bbce0a4562cee998c455b2d0dfd0718eff67d63b75a412c2bfb4c2fdaaa6a49dc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    870fea4e961e2fbd00110d3783e529be

    SHA1

    a948e65c6f73d7da4ffde4e8533c098a00cc7311

    SHA256

    76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

    SHA512

    0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\_bz2.pyd
    Filesize

    81KB

    MD5

    bbe89cf70b64f38c67b7bf23c0ea8a48

    SHA1

    44577016e9c7b463a79b966b67c3ecc868957470

    SHA256

    775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

    SHA512

    3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\_ctypes.pyd
    Filesize

    119KB

    MD5

    ca4cef051737b0e4e56b7d597238df94

    SHA1

    583df3f7ecade0252fdff608eb969439956f5c4a

    SHA256

    e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

    SHA512

    17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\_lzma.pyd
    Filesize

    153KB

    MD5

    0a94c9f3d7728cf96326db3ab3646d40

    SHA1

    8081df1dca4a8520604e134672c4be79eb202d14

    SHA256

    0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

    SHA512

    6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\_socket.pyd
    Filesize

    75KB

    MD5

    0f5e64e33f4d328ef11357635707d154

    SHA1

    8b6dcb4b9952b362f739a3f16ae96c44bea94a0e

    SHA256

    8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe

    SHA512

    4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\base_library.zip
    Filesize

    812KB

    MD5

    524a85217dc9edc8c9efc73159ca955d

    SHA1

    a4238cbde50443262d00a843ffe814435fb0f4e2

    SHA256

    808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621

    SHA512

    f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\libffi-7.dll
    Filesize

    32KB

    MD5

    eef7981412be8ea459064d3090f4b3aa

    SHA1

    c60da4830ce27afc234b3c3014c583f7f0a5a925

    SHA256

    f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

    SHA512

    dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\psutil\_psutil_windows.pyd
    Filesize

    76KB

    MD5

    ebefbc98d468560b222f2d2d30ebb95c

    SHA1

    ee267e3a6e5bed1a15055451efcccac327d2bc43

    SHA256

    67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

    SHA512

    ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\python3.DLL
    Filesize

    63KB

    MD5

    c17b7a4b853827f538576f4c3521c653

    SHA1

    6115047d02fbbad4ff32afb4ebd439f5d529485a

    SHA256

    d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

    SHA512

    8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\python310.dll
    Filesize

    4.3MB

    MD5

    deaf0c0cc3369363b800d2e8e756a402

    SHA1

    3085778735dd8badad4e39df688139f4eed5f954

    SHA256

    156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

    SHA512

    5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI13802\select.pyd
    Filesize

    28KB

    MD5

    c119811a40667dca93dfe6faa418f47a

    SHA1

    113e792b7dcec4366fc273e80b1fc404c309074c

    SHA256

    8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7

    SHA512

    107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcbcp4l2.3qm.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s.exe
    Filesize

    5.4MB

    MD5

    aeeed6a840a218311abb29531751c1ed

    SHA1

    8628f6f2bcf5cd7239f95d659391a72f3efc9d56

    SHA256

    8109ab4bbb860e222b5efc030908de4f0ff6810c582eee12b797d4f6f9e5c2be

    SHA512

    49c24f04ccca81529308539fe319241a73aaed1b8ee788cad728ad31676635e1eadde32310ed967c1145aff0d495284618118c3ae6f35ed07e98516398737dcb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk
    Filesize

    1KB

    MD5

    5ca1d36ee11fc9540370616622b24afd

    SHA1

    b65614f0e63714fe3d7028764de165405adb7f81

    SHA256

    ac412bfb168f8968a85e0ab1bfb958f622d65e031a7f1de20d8349b2ab6ca6e7

    SHA512

    8c041af2cf648296d77305f47d942e994ae04de0736fb96209d175711609bcb2669b9b4f4a3b6db3d3afba7f770fe64fbe3e049beef35c76e55492c22061366c

    Download Submit

  • C:\Windows\System32\Windows Data Complier.exe
    Filesize

    82KB

    MD5

    ac82021a4611e4f15c4eb33f9fc179d6

    SHA1

    dee75a9ea1e458448851c856b09b8e929f85b4b5

    SHA256

    8c81b95f5a7846df8685855e76e310606e626d9c9455fa72e824c733b4db3bdc

    SHA512

    057ab98f565f6a06a527ac4a8eaa5bbeecbeccd4cba0b1d442096a453232e3c4bebe684c75e38ad25c7e9d8dd18a245d950d0262e9be1de3c72932ed094149ed

    Download Submit

  • memory/1112-57-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1112-0-0x00007FF8709A3000-0x00007FF8709A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1112-2-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1112-1-0x00000000004E0000-0x0000000000A40000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/1308-38-0x0000000000B50000-0x0000000000B6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2132-141-0x000001D936910000-0x000001D936B2D000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3644-118-0x000001BAEF660000-0x000001BAEF87D000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3756-104-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-95-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-93-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-99-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-100-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-105-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-94-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-103-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-102-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-101-0x00000179473E0000-0x00000179473E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4256-21-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-20-0x0000026E29E10000-0x0000026E2A02D000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4256-17-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-16-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-15-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-14-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-13-0x0000026E29CD0000-0x0000026E29CF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4256-3-0x00007FF8709A0000-0x00007FF871462000-memory.dmp

    Filesize

    10.8MB

    Download