Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-11-2024 08:15

General

  • Target

    b5e520b8f9aa8fba0e106406628802faf9fbc927bf2a09aba6270afe3b0a3c4c.exe

  • Size

    59KB

  • MD5

    13f8ea6f22766a2a3fab7161647b1d00

  • SHA1

    af696ffbb96d8dbb29077ab11c4d2f91f73b618a

  • SHA256

    b5e520b8f9aa8fba0e106406628802faf9fbc927bf2a09aba6270afe3b0a3c4c

  • SHA512

    c0903a9880f4560797fa3dcac362990969529811acdbebf78108ca53a636065d3f1915a73e2a6caa7fc059b2b5561d972b4aa62fdb83d1fe8c4116b2294cd9eb

  • SSDEEP

    1536:zDT94NmEa2JFvnkbAqjniRfi6N+yOUtvJ7:vTvEa2JhkbAq+xOcvJ7

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:9935

additional-ll.gl.at.ply.gg:9935

Attributes
  • Install_directory

    %AppData%

  • install_file

    solara.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5e520b8f9aa8fba0e106406628802faf9fbc927bf2a09aba6270afe3b0a3c4c.exe
    "C:\Users\Admin\AppData\Local\Temp\b5e520b8f9aa8fba0e106406628802faf9fbc927bf2a09aba6270afe3b0a3c4c.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5e520b8f9aa8fba0e106406628802faf9fbc927bf2a09aba6270afe3b0a3c4c.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'b5e520b8f9aa8fba0e106406628802faf9fbc927bf2a09aba6270afe3b0a3c4c.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    ec6cb741a96f9f98e7daf025b2e70027

    SHA1

    bbb0480f2889ba64c6137b331331635eff6f768b

    SHA256

    4c1c053cbbed1a02c4c57681daa85a25402a596d9d15be79559ab004c9044c86

    SHA512

    afef9529da45f8d6812e51ab87d4732dccc139a3097e2fe5c3bb21e63d23d2ef83e09dff6b9a8bcb1c5df761219f42f3d525ece7a51d7e0f58591c29bb562e3f

  • memory/1324-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

    Filesize

    4KB

  • memory/1324-1-0x0000000001240000-0x0000000001256000-memory.dmp

    Filesize

    88KB

  • memory/1324-32-0x000000001B300000-0x000000001B380000-memory.dmp

    Filesize

    512KB

  • memory/1324-33-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

    Filesize

    4KB

  • memory/1324-34-0x000000001B300000-0x000000001B380000-memory.dmp

    Filesize

    512KB

  • memory/1992-6-0x0000000002900000-0x0000000002980000-memory.dmp

    Filesize

    512KB

  • memory/1992-7-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

  • memory/1992-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

  • memory/2064-15-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/2064-14-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB