Overview

overview

10

Static

static

10

WindowsHost.exe

windows7-x64

10

WindowsHost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    479s
  • max time network
    485s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WindowsHost.exe

  • Size

    38KB

  • MD5

    258eb7d90709b608979e3b0bbd5af620

  • SHA1

    d35e9ee78fe5cfa70685d73224a5756629aca0e5

  • SHA256

    f590869661358039931036fcd11efede733fd9ef8ded471017f950ce9e173eb1

  • SHA512

    7cc264cc757b5e06cc483bf9d56668d24361ad04054d512a85d98ab39c0479e7c86565ac39601eb7c9d1368bf06ac3885b42542c4ea545e73677d1ac2e3de8f7

  • SSDEEP

    768:/V7Kjkq9PMXOh5G7m9NFfZk7FWPB9WNOMh2aQkry:/xq/oa5PFyFO9WNOM4sy

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

america-surrey.gl.at.ply.gg:54338

Mutex

uqf0RwmqN0bmwjTI

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3656
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\svchost.exe
    Filesize

    38KB

    MD5

    258eb7d90709b608979e3b0bbd5af620

    SHA1

    d35e9ee78fe5cfa70685d73224a5756629aca0e5

    SHA256

    f590869661358039931036fcd11efede733fd9ef8ded471017f950ce9e173eb1

    SHA512

    7cc264cc757b5e06cc483bf9d56668d24361ad04054d512a85d98ab39c0479e7c86565ac39601eb7c9d1368bf06ac3885b42542c4ea545e73677d1ac2e3de8f7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
    Filesize

    962B

    MD5

    7c5cb74c27648ab7ca85c9a3ef2cbc73

    SHA1

    15dd7ac1763e67bdd5f680f24228dbfb0ce6a76b

    SHA256

    5919d1c6379cb7ef533b57f0ac41d65ef94e896a5f5338e531ba84cb5de9ed8b

    SHA512

    0f79d94552de2418eaf4bbe47a693d858ce2d0cc53495a93f8a722f47abc90c02e6a981b9da245cab0c1d30066c76e43526841853ea5eb4531e1c75275d7c5f1

    Download Submit

  • memory/1932-18-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-21-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-15-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-9-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-10-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-11-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-17-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-16-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-20-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-19-0x0000029EF52E0000-0x0000029EF52E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3656-0-0x00007FFB85243000-0x00007FFB85245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3656-7-0x00007FFB85243000-0x00007FFB85245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3656-8-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3656-6-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3656-1-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

    Filesize

    64KB

    Download