Analysis

  • max time kernel
    30s
  • max time network
    25s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    16-11-2024 11:29

General

  • Target

    All function1.0.exe

  • Size

    1.7MB

  • MD5

    aa1ba3c905421e79b13645c9c8c81135

  • SHA1

    da44103f2f45d8818c10fa2269976ea826c57014

  • SHA256

    a5e013b374ebc919d925619516a0191809e385819223d324900da126ccdc0a87

  • SHA512

    9bfa9d7bc0de40f3d0e18d0b35226a1e39abb0fea10ba099a4476ae18a8b4382d096c7bd6eb03f49c3a7b567674b7a4e5eb8d31f66c8010a30e076ba8a263a93

  • SSDEEP

    49152:DBr7VVvutuINQ3jKRq8qwnU5osLDlK8j+0:DN7q2TKRq1wWos3lKm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

xworm

Version

5.0

C2

client-toilet.gl.at.ply.gg:29921

Mutex

NvsfH1XO1syyGREn

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\All function1.0.exe
    "C:\Users\Admin\AppData\Local\Temp\All function1.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Users\Admin\AppData\Roaming\Microsoft Teame.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft Teame.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Teame.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teame.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Teame'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teame'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2528
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Teame" /tr "C:\Users\Admin\AppData\Roaming\Microsoft Teame"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2096
    • C:\Users\Admin\AppData\Roaming\All function.exe
      "C:\Users\Admin\AppData\Roaming\All function.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Users\Admin\AppData\Local\Temp\Ratty_win32_directx11.exe
        "C:\Users\Admin\AppData\Local\Temp\Ratty_win32_directx11.exe"
        3⤵
        • Executes dropped EXE
        PID:3460
      • C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe
        "C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1404
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4016
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    6dd1dc388f672b69069a31f569c93a8b

    SHA1

    84164f661e65653f419b11a0faad1a6a5ec24c3b

    SHA256

    1c65585127dc02bd86c15d3c7503dec15d1ecc1691f2803281b8016b3fadefea

    SHA512

    c2ba14f0477a6232197a80747072ee9206f7ae18486a1f76b1a97237329f4fa9950836c1d400860cec11aaf09bf33eaddac3b616ad5df152e4de446090f35adb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    273760112f1f2e60426631713dc50319

    SHA1

    3c1e9b5b5a7934720ae53ef6e844387860dd1e51

    SHA256

    057dc9b8f7c35b6fb55f8a2618fb75057ada88a95629c4414ed67e9fc2542247

    SHA512

    17d5f6244bf7e892b9b22c3ed72d44cc794e630e075038ea51c3e680298fb7110937416c741bd114431386eafa4fa41d8cec6b66515ca43b9ddf4d57cf0c5317

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    14cd92246fda5a83168f7c50c6f40efc

    SHA1

    da4d7bc90a6b820945e31bb0589f44cccdeda780

    SHA256

    d33f0c05c6c271bcd9fc92684ee0899821c709ea2c499af9a681f38154c9d66d

    SHA512

    ac47cfdfe1ee372b40ea4a93f34ccfc6a2f2a5c8132da1eaf2103f74f54197235ac63dde12024eb89ecaef416bac585491bbeca0e666e9e0ee9b3fc34affc453

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    dbc7e71d4d150ccfefe2f0aeea0f4b88

    SHA1

    0bd7c87aac1cdfadc651eeea85d888b96f7e3c4c

    SHA256

    41a20dea317c2164b772f7c33e97f316e3cec5a288a9b5d2ac03b30eb4c4d359

    SHA512

    a39adb3f7172b7ae0fc1e28c386c894e5571429a169a4d8bc0aa2e25f1c91807242fca5b5b206374f851bdca1ac58cdafd827e1ea6f3ad0137e1d1bde14548e0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    6a807b1c91ac66f33f88a787d64904c1

    SHA1

    83c554c7de04a8115c9005709e5cd01fca82c5d3

    SHA256

    155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

    SHA512

    29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

  • C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe

    Filesize

    67KB

    MD5

    2b1bcff698482a45a0d01356ad3e0384

    SHA1

    77d106b1495b869600cdfda6afeaec0f75a78634

    SHA256

    a9bd5014b5a6744b0a5c180a3e76ff546a514dcbad8bf2d8c500f903a285424b

    SHA512

    e8b6a729f3b4fc02886aeed232511dc9407a52aae40f01cd2817f8369944b14240bd3edfd573dbdef0d506557f02622148ce4042f6f497c20f1f11af85eeac77

  • C:\Users\Admin\AppData\Local\Temp\Ratty_win32_directx11.exe

    Filesize

    13.9MB

    MD5

    d3565f59bbadcceded3d00831af9b9e9

    SHA1

    dbec6b8026bb9c1c5500c185c7f6f69b8839450b

    SHA256

    efec9245e0fd8b7f0074eaa849ea0ff77da68d01597e3dcca3109f9c421e5d3e

    SHA512

    d5a047f9d2136886f51162ed4f2394f8a269ac99f903014b8cb6f42b86a0fd1214fc5b2f9d55ce4ef011661bb924f46b305141a1e841472f65248e0c9cd9f528

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snioqlig.hba.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\All function.exe

    Filesize

    1.4MB

    MD5

    7f9590397abd938cfd86a9a7a6e51ef6

    SHA1

    cbb2e5a197fd5a93b653c6937307ba711eb502b6

    SHA256

    1968dc63a803aee28a327e9bac7dcea8c2680753fa646693670f5f0fdbae600d

    SHA512

    515bab44e81bec9f67590fe79897134e283d7526810072271f2176fd7cee86cf3c32333bfe493e8589c20f750aedfdefe863ddcb22b043c195885c9e5f65e522

  • C:\Users\Admin\AppData\Roaming\Microsoft Teame.exe

    Filesize

    181KB

    MD5

    136134a755e2f106495c188feeee5fdb

    SHA1

    cd7bc6ef674424ae61d4cbe7373afbb9d79b13aa

    SHA256

    5ebeda98d33ec7a15b6c4e579f936ba92f58fdddc1803961bf296e16d49833c4

    SHA512

    99d110234e16f5462afaeabfd48f6f3b8f2f9a8fc7c408837a42bbbf0cbd1d5b62a003bcc1ff11bae7d38e1b08eacbee40753b75cd51d912e9da9d111af1517d

  • memory/232-32-0x0000000000340000-0x00000000004A4000-memory.dmp

    Filesize

    1.4MB

  • memory/232-34-0x00007FFD42E10000-0x00007FFD438D2000-memory.dmp

    Filesize

    10.8MB

  • memory/232-62-0x00007FFD42E10000-0x00007FFD438D2000-memory.dmp

    Filesize

    10.8MB

  • memory/764-70-0x00000255FF4B0000-0x00000255FF4D2000-memory.dmp

    Filesize

    136KB

  • memory/2576-33-0x00007FFD42E10000-0x00007FFD438D2000-memory.dmp

    Filesize

    10.8MB

  • memory/2576-63-0x00007FFD42E10000-0x00007FFD438D2000-memory.dmp

    Filesize

    10.8MB

  • memory/2576-31-0x0000000000EC0000-0x0000000000EF2000-memory.dmp

    Filesize

    200KB

  • memory/2576-161-0x00007FFD42E10000-0x00007FFD438D2000-memory.dmp

    Filesize

    10.8MB

  • memory/2576-162-0x00007FFD42E10000-0x00007FFD438D2000-memory.dmp

    Filesize

    10.8MB

  • memory/2776-61-0x00000000005B0000-0x00000000005C6000-memory.dmp

    Filesize

    88KB

  • memory/4716-0-0x00007FFD42E13000-0x00007FFD42E15000-memory.dmp

    Filesize

    8KB

  • memory/4716-1-0x0000000000A00000-0x0000000000BC4000-memory.dmp

    Filesize

    1.8MB