Overview

overview

10

Static

static

10

Xeno.exe

windows7-x64

10

Xeno.exe

windows10-2004-x64

10

Xeno.exe

windows10-ltsc 2021-x64

10

Xeno.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    18-11-2024 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xeno.exe

  • Size

    70KB

  • MD5

    1edee495fc92dcfdbfb89c0202f87b29

  • SHA1

    38d6c9154e066daa75d9a4f2346a1b7b7c84da2b

  • SHA256

    d87423760f97f5010d3589c0e7d5e704a698b4562b5d9de627b6d756a29cefe3

  • SHA512

    11709a00d0b5bb50b172344295c216f51a450d5e936fb15c5834a6a167d1ef75e1d510f94ff2105b87f41b1ff607843d4e365c056693e8b5a1d873bae013d1ac

  • SSDEEP

    1536:mvdK/frfAdNtG6zJllzZ+bPsag6Ha3OqY7l:LEXQM+bPsWa3Oqul

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

20.ip.gl.ply.gg:53128

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
    "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    83d94e8aa23c7ad2db6f972739506306

    SHA1

    bd6d73d0417971c0077f772352d2f538a6201024

    SHA256

    dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

    SHA512

    4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b6519c54bdb7fc4ddd1f1c415d01f799

    SHA1

    b306128c9e292956dc4de5475544bbb43bc1fa3b

    SHA256

    bf2ab5877badb03960551f127f41b3577bafff142d444df959c76f6970bc59a3

    SHA512

    1a39fbcb9dca7a667732dbb67ad75eb910680e731c4459408cd189a2b38f165b99bf1725ec403684a9b59b8c0d91063855687dcf95b9598e56373106760a55b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    fc033e24ab289adcc7ebcb4a1c777086

    SHA1

    11d8d38b7cea7ef3b064c01fa2f77de506dfbda4

    SHA256

    184d42d4edb2ea9fb27fbfed34fcab9c902e1ab9b745dae395ddb4fff20909d0

    SHA512

    e1c353070aa92ae7bd0b368aae8e6008a8279c02a8b9c511454cb438229be747dbee1f4442f4468da0243388b1d7d6e70ca832daa4767a6358369fc560d0a2f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrdgazvn.rky.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2396-16-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-14-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-15-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-19-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-13-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-12-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-2-0x000002281A090000-0x000002281A0B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2504-0-0x00007FF95FFF3000-0x00007FF95FFF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2504-31-0x00007FF95FFF3000-0x00007FF95FFF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2504-1-0x0000000000080000-0x0000000000098000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2504-59-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2504-60-0x00007FF95FFF0000-0x00007FF960AB2000-memory.dmp

    Filesize

    10.8MB

    Download