Overview

overview

10

Static

static

3

1f27ead138...c1.exe

windows7-x64

10

1f27ead138...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe

  • Size

    302KB

  • MD5

    98c38e2a2e6fed11878664c62ceee304

  • SHA1

    d9798077b4582ca595c2b1facad1c95d0c356897

  • SHA256

    1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1

  • SHA512

    d61811977670fb25578b15af111c0385ad20b265f21066f6efe6aa82f30e3ab33edf9bebd22168ee69ce7a75605ad8ef2f9e3efc14d341c559a66e094e430156

  • SSDEEP

    6144:olLwDPhjGNtxZJBs6enQLVYpFZsTv0kzMPP/GtKGLGfye4INK1FkEI:6UDPhjGdjSlAV2FarH4ut9GfyWQ1+EI

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

soon-console.gl.at.ply.gg:60222

Mutex

6TmnQVeEYZF4Sp6V

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe
    "C:\Users\Admin\AppData\Local\Temp\1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\Crack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Crack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Crack.exe" MD5
          4⤵
            PID:644
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:4972
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:972
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c mode 80,15
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3372
              • C:\Windows\system32\mode.com
                mode 80,15
                4⤵
                  PID:1372
            • C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe
              "C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe"
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3536
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1348
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BOOT_FPS.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1212
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4960
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2940

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            62623d22bd9e037191765d5083ce16a3

            SHA1

            4a07da6872672f715a4780513d95ed8ddeefd259

            SHA256

            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

            SHA512

            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            b51dc9e5ec3c97f72b4ca9488bbb4462

            SHA1

            5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

            SHA256

            976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

            SHA512

            0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            9c740b7699e2363ac4ecdf496520ca35

            SHA1

            aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

            SHA256

            be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

            SHA512

            8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe
            Filesize

            40KB

            MD5

            bca0eedabdf246ddc3b2c156eaf46af1

            SHA1

            38a51efbcdbe67b64b0e4a0893660933f93d39fd

            SHA256

            5ed950a27ce029f74813dba796d34496e770339aabbbe813d179283fd67cbf1d

            SHA512

            9c5e90910daeeda438b26495d37b59c3f90e580014a2e7bb6ce1bb5895b00133be69c114840ffe9e2fb66dcfc9dc9ca9a6ca8fbd2265a86b32f59dedb770cdea

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Crack.exe
            Filesize

            540KB

            MD5

            49546520ae6822c5e45906c4bfd4577a

            SHA1

            7bd8c2dbcdba84bd005137703a3631ff3e18fb13

            SHA256

            8246e42c9161da82d25c43c923a09ac93f7a025ad4a8cacf2049e04eac525875

            SHA512

            846eab1be0fb8a0f20311c29a0304e8ae6f8037e009398fd0e7e9432a73b62844dffd5203054367370e95d9c2b97d38c5115e81d64de6dcc61a746f7d01cfa17

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cc1i1cwm.sr1.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/1348-27-0x000001D7D2640000-0x000001D7D2662000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1684-24-0x00007FF993180000-0x00007FF993C41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1684-0-0x00007FF993183000-0x00007FF993185000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1684-7-0x00007FF993180000-0x00007FF993C41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1684-1-0x00000000002F0000-0x0000000000342000-memory.dmp

            Filesize

            328KB

            Download

          • memory/3536-22-0x00007FF993180000-0x00007FF993C41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3536-23-0x0000000000F10000-0x0000000000F20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3536-26-0x00007FF993180000-0x00007FF993C41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3536-74-0x00007FF993180000-0x00007FF993C41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3536-75-0x00007FF993180000-0x00007FF993C41000-memory.dmp

            Filesize

            10.8MB

            Download