Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 18:31

General

  • Target

    97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe

  • Size

    653KB

  • MD5

    2f70673f42fa875f6086be3f08d0228d

  • SHA1

    9d669bedf14a71f846ffa4fd2026f8d956daa57e

  • SHA256

    97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64

  • SHA512

    3dfe6da9f87e82f59addc56aaad56f25305aa2f1ea4a579b9829dd4fffa4f89a93d74f5311e4194bf4c42b035394cf2e3fd5480b0237d24076c33c60603b9dc6

  • SSDEEP

    12288:8qFKqcoUvEmbGqbxoVOxEKEXQ8MUzNkFa21YQ1G8aJqjZ0uqISt:8q0qconmNKYq5zZNkk2qQ8jJq10uqIg

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.216.20.132:2233

Mutex

NFxnDoJ61PAf6tB3

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain
1
lMqYHoTPSgD/qs6Hl0xuJw==

Signatures

  • Detect Xworm Payload (5 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe
    "C:\Users\Admin\AppData\Local\Temp\97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FFXkKmgOJiIrD.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FFXkKmgOJiIrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe
      "C:\Users\Admin\AppData\Local\Temp\97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2660

Network

  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 80 B, 3 / 2 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets
  • 154.216.20.132:2233 (97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe): 152 B / 120 B, 3 / 3 packets

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp

    Filesize

    1KB

    MD5

    f6c5634ca994e256074e32002dad8108

    SHA1

    c5c8ca019d169f7e98c5b9886780521652175002

    SHA256

    bf7f7e803a8fc2e706a8f697ade6f341a5a985ed35e895435bcd81338d98d2cd

    SHA512

    9983a585f2d9bce71abf7eee62607c4f9fcde9faf099fc7e5f1e5248b492f4aae3a612734c88152bfbdd80596a6d275df8739547befce2cb119e74ae37796a02

  • \Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    653KB

    MD5

    2f70673f42fa875f6086be3f08d0228d

    SHA1

    9d669bedf14a71f846ffa4fd2026f8d956daa57e

    SHA256

    97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64

    SHA512

    3dfe6da9f87e82f59addc56aaad56f25305aa2f1ea4a579b9829dd4fffa4f89a93d74f5311e4194bf4c42b035394cf2e3fd5480b0237d24076c33c60603b9dc6

  • memory/816-26-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/816-1-0x00000000010B0000-0x0000000001158000-memory.dmp

    Filesize

    672KB

  • memory/816-2-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/816-3-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

  • memory/816-4-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/816-5-0x00000000003E0000-0x00000000003FC000-memory.dmp

    Filesize

    112KB

  • memory/816-6-0x0000000000460000-0x00000000004B2000-memory.dmp

    Filesize

    328KB

  • memory/816-0-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

  • memory/2660-14-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2660-24-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2660-23-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2660-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2660-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2660-16-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2660-25-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2660-18-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB
