Analysis

  • max time kernel
    30s
  • max time network
    26s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    17-11-2024 14:16

General

  • Target

    P00LCUE.exe

  • Size

    337KB

  • MD5

    a8bf7d1f42ce4fe13c76e01befe367fa

  • SHA1

    add32173cf45061d651b75f8b7ab33f86fdfbee7

  • SHA256

    310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8

  • SHA512

    eba707226d114c4405b25b627ee38ba5b2c24cf353fdafd1d78dd90c0fed5de67a2c8c0846609ad7d554306191836667f00dd896d12215fd769c6f36f0f58e2d

  • SSDEEP

    3072:rXjgxzi3Z80WaXjTa4X+oFM3bUiS75l/NTugUJV21KFpwqEBOrNoq98wSpvbUP:rzgxAZ82a4XrFXSlQqrR98XU

Malware Config

Extracted

Family

xworm

C2

185.84.161.66:5000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
    "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
      "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
        "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
          "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4768
          • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
            "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:6036
            • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
              "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3088
              • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                7⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:3740
                • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                  "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                  8⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:2944
                  • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                    "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                    9⤵
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:4528
                    • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                      "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                      10⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:2420
                      • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                        "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                        11⤵
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:3144
                        • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                          "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                          12⤵
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:6016
                          • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                            "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                            13⤵
                            • Checks computer location settings
                            • Suspicious use of WriteProcessMemory
                            PID:1628
                            • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
                              "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
                              14⤵
                                PID:3132
                              • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                                "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                                14⤵
                                • Executes dropped EXE
                                PID:5708
                            • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                              "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                              13⤵
                              • Executes dropped EXE
                              PID:4912
                          • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                            "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                            12⤵
                            • Executes dropped EXE
                            PID:2912
                        • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                          "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                          11⤵
                          • Executes dropped EXE
                          PID:3064
                      • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                        "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                        10⤵
                        • Executes dropped EXE
                        PID:2656
                    • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                      "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                      9⤵
                      • Executes dropped EXE
                      PID:5868
                  • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                    "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:1072
                • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                  "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:3032
              • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                6⤵
                • Executes dropped EXE
                PID:5896
            • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
              "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
              5⤵
              • Executes dropped EXE
              PID:5664
          • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
            "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:5040
        • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
          "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5508
      • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
        "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5856
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKSUPER X.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5472
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3580
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:5844
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4476

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\P00LCUE.exe.log

      Filesize

      654B

      MD5

      11c6e74f0561678d2cf7fc075a6cc00c

      SHA1

      535ee79ba978554abcb98c566235805e7ea18490

      SHA256

      d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

      SHA512

      32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      b9cd68b5f314b5190f27a211d3506df0

      SHA1

      60c891d9a3c857fda4b75576420a54d38054c544

      SHA256

      8908f5cb47ad8627c2af37f08e4f42734cb8dd761734d27fb7745ca522e0018e

      SHA512

      1565a76680cf17ec9426dacab318124ff6374243e19550616069cd1a6149f356bb6f90ea524fbddce2082631be85831d5cb3a118d53c2c15c82096100b5b6182

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      f6f3a4f92ce1d27fa748a8c72187736a

      SHA1

      5aa5cce673ce2d2db480f3fc6e598ebcff91da4e

      SHA256

      d053272bbf420738a60dc105eeb0c466bd5cdbb8d8519fa31b7ff54b0f3316f2

      SHA512

      410716c275a7266a1eaecee425b090cb6f38ae2bcbfad362ca90955e3b7d7312de1088e86ce266c6714438642515aeeda8514bda7edcb1fd22527031f5d12665

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      5a70f5b2dec5fa7749e57726bf21768d

      SHA1

      1524671f3751b9b86ec7de5a0940f6f701cec6ef

      SHA256

      78d72377085f0523a75cf5e5e0383472c6a92c617db9e828235713c3115c9582

      SHA512

      3024397d36eee791c26336640baac1af4144312782ec70e49543ee41363bb90f5dfba7938a7547a9e1007045e3d05a9b22e63537df54ace3ccd6e9f391f24fae

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      db287b240063eb2b8a3c08dd13dd6152

      SHA1

      f72154c4f8cb6cdc1705e2767b8a3b8c93d12cab

      SHA256

      d9b47ee420b807ee8dc8e3c3aebc9dfd6ad591b879daa117bab46b290c7db90d

      SHA512

      fb03c5bda9622fa601b9ef74c1d9c1dd7f5cf9bb15bd4795ea8fa91869eda14bd725b6fbf80a30852dd1111d77bd87f9913c8b46db6882a32543153d454cef9a

    • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe

      Filesize

      69KB

      MD5

      2d58b179ec133f1016a2496a96c5da20

      SHA1

      f5b59d6c3c382295d5d5fed1aed04342a7ab7f2e

      SHA256

      ea9c924bd79e33535b8d6537da0a320ce89d6700697173397bb0a31341831a1b

      SHA512

      486e8248f14d721519bd3701d8dfaf6b8e5af2bce02825fac078402c5ac4a1ceff72af2c36eb3a5c3006aaef0eb00ae8b2289d5a2b8b149e50e7bc7e2bad5abc

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dupzmwrc.yyf.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1784-1-0x00000000008B0000-0x000000000090A000-memory.dmp

      Filesize

      360KB

    • memory/1784-7-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/1784-0-0x00007FF8378D3000-0x00007FF8378D5000-memory.dmp

      Filesize

      8KB

    • memory/1784-20-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/3492-18-0x0000000000DD0000-0x0000000000DE8000-memory.dmp

      Filesize

      96KB

    • memory/3492-26-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/3492-21-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/3492-79-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/3492-84-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/5092-25-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/5092-22-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/5092-19-0x00007FF8378D0000-0x00007FF838392000-memory.dmp

      Filesize

      10.8MB

    • memory/5856-36-0x000001EA32180000-0x000001EA321A2000-memory.dmp

      Filesize

      136KB