Analysis

  • max time kernel
    126s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2024 01:07

General

  • Target

    fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe

  • Size

    1.1MB

  • MD5

    30a5ad6d62e4cd603673a9e3b3e77631

  • SHA1

    c8d42f3efe983add08b190325239290e4fb79631

  • SHA256

    fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090

  • SHA512

    a0a87ea2374a4d3f8dd014011a0373f6302aa04d8dc70e9bda0e78221486057ac26ef09c3702e6ee80a3f738bcee7c8fb62363b5cd238ed36b9fb068d35113bc

  • SSDEEP

    24576:0zAW5Wy3XuH/pR0+9vwe5oc78dBDaiMo9mRCYDwECvw:0NWHH/Dt55l4jaYKIEcw

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:25808

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Realtek HD Audio Universal Service.exe

Extracted

Family

xworm

Version

5.0

C2

senior-adopted.gl.at.ply.gg:56758

Mutex

Bz7AHGcWuERgvPvx

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe
    "C:\Users\Admin\AppData\Local\Temp\fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:484
    • C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe
      "C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
        "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:596
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
      • C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe
        "C:\Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe"
        3⤵
        • Executes dropped EXE
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2.exe

    Filesize

    38KB

    MD5

    8b2dcbe05d600ce494098fd501786fb5

    SHA1

    20dea1f20b8506d9703c12ebbac32eb89be0b5e3

    SHA256

    a3ddac32a27fe5da8c189519d6a9801cbf2f4bd38c6e85b2b8dcb54351e01649

    SHA512

    9338ae864d823ce397d853b3ca3e699270bbd8405654e9a84714aff43343a9e0c26c0594188ce2ca43a2e4a3548c5031dcd50e2c039ec9b27b66370eae4a6920

  • C:\Users\Admin\AppData\Local\Temp\FREE BYPASS.exe

    Filesize

    758KB

    MD5

    d73c9e865143acd7ee7b526266109048

    SHA1

    86cd070de3e808bfa057daf04ca7286644e33e35

    SHA256

    d1179ff1ecadf6756288590c6c08420ec7b9e06aa9e0effc9b2c6b9b8ca5fa4e

    SHA512

    a3ba88e3418d68cac8bb7d96a29fa218605933696cf1489367062f8d85d5a6c701403b24e701c668dcfeb27abdd1fd907a9815691f47d6802087b409bdc66e33

  • C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

    Filesize

    79KB

    MD5

    066d90fb1d671648842a3b46622eb7ce

    SHA1

    6d0949bd4f494c9f8d80b705a79cfa9038c80e51

    SHA256

    8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

    SHA512

    b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    69b321fcbf23bbe6ae16f84c6ef265cf

    SHA1

    dfcc3a537c38912bc311e45b9afbb1f0b4db092a

    SHA256

    364dbe63be638344138f74e8392b4c3fe35e8e3d7a1e8f73874ed4aaf0500379

    SHA512

    bc782be3520f5ff3b7cf0cf8e8ec776b7bc0b9fdf675e0784e3da2399d36e6b4c69cf8ee6a5f010bef69bf224f727021b2bc2fff61688d1af4e164df449d825b

  • \Users\Admin\AppData\Local\Temp\SAM CHEAT bypass.exe

    Filesize

    1.3MB

    MD5

    d46bcf5d90966c10fb75419041fae79f

    SHA1

    9db2c47dd39acd50983c963d370045fcb956d72a

    SHA256

    edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399

    SHA512

    26a241bb87b5abafbba8209135c49163e9ee97ef4f8eaa4dbaf5723b9ce7038b6bdfa9926da29ad3728a854d424168384605c3f494dc29f55249b96adcbe7fb2

  • memory/2348-47-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2348-48-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

  • memory/2368-34-0x0000000000E90000-0x0000000000EA0000-memory.dmp

    Filesize

    64KB

  • memory/2368-21-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

    Filesize

    4KB

  • memory/2368-85-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

    Filesize

    4KB

  • memory/2468-35-0x0000000000CE0000-0x0000000000CFA000-memory.dmp

    Filesize

    104KB

  • memory/2768-40-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2768-41-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB