Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-11-2024 05:44
General
-
Target
injector.exe
-
Size
36KB
-
MD5
1d9727f02bd353afc1fedee98e4acfbb
-
SHA1
2263f809ead639430a130976ea4722aacb3e1362
-
SHA256
26eb0d93904680fef2d4df49b9d55a6e54f8b341a888bb6bec2fec1e711e9536
-
SHA512
62390fc747f737a15879a521f68827ab73dd26e1ee08837f3eaad542dc435703f98552b187aa19c760dc3a12c1a4d183c4d5450e4458c1a1111f131fd3de97cc
-
SSDEEP
768:F2C78uvbhLyScu6JBbTZ6VFyc9PZO/h7AX:Ft78utLySuJBbTZwF39PZO/KX
Malware Config
Extracted
xworm
5.0
six-usb.gl.at.ply.gg:49722
TcBEJUp0a8DkShx2
-
Install_directory
%AppData%
-
install_file
System User.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\injector.exe"C:\Users\Admin\AppData\Local\Temp\injector.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "System User"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF7C.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\System User.exe"C:\Users\Admin\AppData\Roaming\System User.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
159B
MD5d49d0acf5f3ace8adf04a787b64853c2
SHA12cdd36cf913cb24f2adb5d214ea12f36d092984e
SHA2561fcc7b0befa34515c4fed75a9d7b44c145bfe0a940db15749b684b5bf5fc0439
SHA5123cbbf8ac7476e67066647b434807f0a8b588b153b03bf2d0714849f1b2c828db83df845f4d35d27e001acc86b419eb8b424de3781d53a1ca3143e962237b58de
-
Filesize
36KB
MD51d9727f02bd353afc1fedee98e4acfbb
SHA12263f809ead639430a130976ea4722aacb3e1362
SHA25626eb0d93904680fef2d4df49b9d55a6e54f8b341a888bb6bec2fec1e711e9536
SHA51262390fc747f737a15879a521f68827ab73dd26e1ee08837f3eaad542dc435703f98552b187aa19c760dc3a12c1a4d183c4d5450e4458c1a1111f131fd3de97cc
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB