Overview

overview

10

Static

static

3

Decryption.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17-11-2024 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Decryption.exe

  • Size

    89KB

  • MD5

    135041cb6c4e66156a9cc5af89db818e

  • SHA1

    b80b813743bb5441ed38166f0975953631115a26

  • SHA256

    66e240c85756cdd733ba77fd2a3f1807a2c960e47c220fcd646b9758c0b1905d

  • SHA512

    6c7655a213d4990d7f63f880e5fb17f366e9d53f7c78310a7d11acde66116683305d630d98585583bd04c50e2a582173fc4722742ffa0249902de95d3ba67b7f

  • SSDEEP

    1536:WaBsJpMRlSEwuW6Lp7h0YLgpTqNGOmoD/AVtgl2mYrJ/EEebWjD2mPsD:WagSWuW4Jh3QgGwMV6/Y1ab4VPsD

Score
10/10
xwormevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

while-stuffed.gl.at.ply.gg:61275

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Decryption.exe
    "C:\Users\Admin\AppData\Local\Temp\Decryption.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Decryption.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Decryption.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Decryption.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3176
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Decryption" /tr "C:\ProgramData\Decryption.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Decryption.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Decryption.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Decryption.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3920
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Decryption" /tr "C:\ProgramData\Decryption.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3780
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hnsiwsv\5hnsiwsv.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F5C1618C4DF4A48B529F06D7AAA7E84.TMP"
        3⤵
          PID:4772
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Decryption"
        2⤵
          PID:2484
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7853.tmp.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\system32\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:2544
      • C:\ProgramData\Decryption.exe
        "C:\ProgramData\Decryption.exe"
        1⤵
        • Executes dropped EXE
        PID:1020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Decryption.exe
        Filesize

        89KB

        MD5

        135041cb6c4e66156a9cc5af89db818e

        SHA1

        b80b813743bb5441ed38166f0975953631115a26

        SHA256

        66e240c85756cdd733ba77fd2a3f1807a2c960e47c220fcd646b9758c0b1905d

        SHA512

        6c7655a213d4990d7f63f880e5fb17f366e9d53f7c78310a7d11acde66116683305d630d98585583bd04c50e2a582173fc4722742ffa0249902de95d3ba67b7f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Decryption.exe.log
        Filesize

        1KB

        MD5

        2b4889ecb49120375fdf2bccb3c0966e

        SHA1

        fc1ee2f1161887e3f8b0cdd2453ae441739b993a

        SHA256

        7bf24ff0f6791ef902937b3caba0de16814a2c898dfb103d922c48582b602379

        SHA512

        8d737276620add4738d3cb484bca8e1efe23247955d37ebad199d2428f2f494e10dbee98721a77c7fa9d55f662c230acb206894538da9b8a9d0314166b5549a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        60b3262c3163ee3d466199160b9ed07d

        SHA1

        994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

        SHA256

        e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

        SHA512

        081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        bcb3ac1a2e2afb59163ae6c42faa4204

        SHA1

        acf77abb448971791daf104c48bb45731bbac1e3

        SHA256

        2306a5a537a262a984f1a26e3f77c9345efec6de2faeebe9edcb8d382c5414f4

        SHA512

        1b49b7f626770243051321dcc5908e69d9750dc3d494fc6d85708fa4b2c2ddbfc5a4ac539629e325e412e21186b3b658a4426afabe04fdf025d8cf4f230fbf12

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        0c54ff51bdeb3cafc23d008b6918c098

        SHA1

        da3f74cb1b6731223cc20d9153cd4898eaf0fcd7

        SHA256

        e78a43631c93af841563efc60ce0defbb2a262aaaf1fc68b6b9cccfc84b8e04d

        SHA512

        d71de1922ae5b1f6366544431548be4028aa0477209f0731a0da928ce0ad2650cdd501deac49a240362a58774c2af18e4e5ff9586d85ef91ee5e3e03fe1a2352

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        076fd3817ef7fc1ac51db11a7e080aa0

        SHA1

        0242f43530c34e6b35d52b8cba6e2439ed323d68

        SHA256

        97e9bb9f4d4190f256cf7e92c6c926b0f408f80f33925e03c360c29a17abc339

        SHA512

        51b90761c31cf5d8fba5daca67e401b41cc25e23007f4843d08b560a47405a81719e8bc60de4528d3fa3e8971146fed1484a0f32e100935db86578fa6857bdbc

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        ddf8b6e433710ffdaea57f2788aa3e3c

        SHA1

        389604befd7a4abb9f940f842a0944dd80cf9c94

        SHA256

        738c4c6c360bf6d6a34832a9d8334b8a30a4da028b56a63568d5e8682d26d91d

        SHA512

        294bf7bf25a3bb856ea247b298189602d5c6b021bfaa1e859bb458579efa87f6f2f2c8a9f4a8ee64dcad6b5aa8dc0661c4bee2e349d4392626994c06757b7e5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5hnsiwsv\5hnsiwsv.0.vb
        Filesize

        847B

        MD5

        1e9bcb20a9fdec5da1d39b0dd3a31e99

        SHA1

        40689933669560f8484c34cc35f1cf51a6717d05

        SHA256

        945fd689e232fa04521cf8707c030795bb2f153bde3e6342f440a569a8bd10f9

        SHA512

        8fd74e5d1cdb937251296fc6c431b3ebe9873077b515960551b8eff5e843908b76e9a4828a81c890c855ff44b3a22668a932708113af7f24efd14383cdc06d5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5hnsiwsv\5hnsiwsv.cmdline
        Filesize

        313B

        MD5

        4c2259866981d724000d2c5881f021fb

        SHA1

        3b0e935dd7a7f9dc40d80a54ea1bf48de297a046

        SHA256

        76929dfb1454b5553a3853dfaba5601d45a8606deba06098671c8eb21c5651ff

        SHA512

        0d2ae38fa87a10c38219505ac673bacd933e0b0e1725fe3c8c1afc8b1029c0fe8704ca57329274eceed2221702d839f3cf096e50a38f51daaf61bfa4de22b727

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5hnsiwsv\5hnsiwsv.exe
        Filesize

        7KB

        MD5

        ad78d0024f478c3bade820c877d40b7f

        SHA1

        2550649435fa290f021711ae466fa54287e5a599

        SHA256

        9a019931330a3ee2eb7cf248113fdf7551973c81bea3e3cfd504b8cbd4c6dc4a

        SHA512

        8e41fca6c068aa98d76fc97aee10e4b434368c14bf98ca086c56e8a7b2e4ff7a78b51131eebec997d545b0e85fdd3be53beed015d5523e846e614408f077a9ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES5CEB.tmp
        Filesize

        1KB

        MD5

        db87df3db381effdbfd4422b993db52e

        SHA1

        2bca7e749f2f9cbb7c041919d07e47de11e92169

        SHA256

        c01643d97e0609737ae8e4101f193c55b1412098640fff324c729773759971e4

        SHA512

        8bccbf2c7d3e10a4094450dca11586b69dbc275efed88f585a118ea5437222bd26819879844f114798518fec02da51cbe9a8cf0170b3c247bb1efda2e408d658

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjcb2wkn.c4b.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp7853.tmp.bat
        Filesize

        162B

        MD5

        534f19b1ba18258aa1a10c6f11d93e00

        SHA1

        f685fd594b23b46c3b6d9e404bf2770a01159bc6

        SHA256

        89b2c881679fb9cb6fda5d0ddcfaab47f42d2918c0d9228fc7bf47dfcefa2f1d

        SHA512

        7e526872e24be6abf0427edf13418f89179cc0b8e8a0f36a9a99a7b6c9832d8adf339911c072ccfce8c37dd131db096436192c035887fba73e4146767a803142

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vbc8F5C1618C4DF4A48B529F06D7AAA7E84.TMP
        Filesize

        1KB

        MD5

        f439f0ffba40e6de8b5f6cd2e0253aec

        SHA1

        2b1c1d94bdb063a928f7a5fe6ab5999ab8e69a22

        SHA256

        36110fa539306ece2d20f2344bb8c01e43eb725adef760235838dcf1e2e9f6e0

        SHA512

        1b1cebe76c0924c50d99d8d189f68b1f58c1f50af080ac9a953e5e04987c302b094f1f2d7f606ddd626e05e5b21d423ca9ecc98c2a18ed966e5a887da17b3cfc

        Download Submit

      • memory/1628-47-0x000000001C600000-0x000000001C618000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1628-111-0x00000000009E0000-0x00000000009E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1628-119-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1628-1-0x0000000000340000-0x000000000035C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1628-18-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1628-17-0x00007FFC5E463000-0x00007FFC5E465000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1628-90-0x0000000000B60000-0x0000000000B6C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1628-95-0x00000000009C0000-0x00000000009CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1628-96-0x00000000009D0000-0x00000000009DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1628-0-0x00007FFC5E463000-0x00007FFC5E465000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1628-2-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1732-16-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1732-9-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1732-5-0x000001FB50460000-0x000001FB50482000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1732-14-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1732-15-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1732-19-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1732-22-0x00007FFC5E460000-0x00007FFC5EF22000-memory.dmp

        Filesize

        10.8MB

        Download