Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-11-2024 16:36

General

  • Target

    xdblake.exe

  • Size

    66KB

  • MD5

    bca20b0a6a3877b3bbedd6595e804164

  • SHA1

    0bfd19a1dac3f937098aa005ff0b5aab2e767663

  • SHA256

    0f06d9dfb9badfd337bd1dfb21f8b0ebb934e81072cddcef3d8466e526f2275b

  • SHA512

    4932b511e0429f3a97b726483a87641d579a0d0d8f61c2771eb900baaffe36ea9ee2fba4e098fd922dc3c2aab8b0684483096ed9eb0de23cdc97f63ac449ac32

  • SSDEEP

    1536:aefDEXUBdPPSuPr+hBcbDVnjXVQ6eK4ORonSLIF:aextSuPr4BcbpjFIK4O6nSsF

Malware Config

Extracted

Family

xworm

C2

yet-assist.gl.at.ply.gg:63100

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    $77wsappx.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\xdblake.exe
    "C:\Users\Admin\AppData\Local\Temp\xdblake.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xdblake.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xdblake.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77wsappx.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77wsappx.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77wsappx" /tr "C:\ProgramData\$77wsappx.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1008
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C2540C96-4FFF-42A2-B4E3-A0FB8EE2BD67} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\ProgramData\$77wsappx.exe
      C:\ProgramData\$77wsappx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:592
    • C:\ProgramData\$77wsappx.exe
      C:\ProgramData\$77wsappx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
    • C:\ProgramData\$77wsappx.exe
      C:\ProgramData\$77wsappx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
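
The process tree above, replayed through a small detector. This is an added example written for this page, not code from the sandbox or from the XWorm sample: it takes the report's command lines as constructed Sysmon Event ID 1 / Security 4688-style records (the field names, rule names and the five-minute trigger threshold are assumptions) and flags the three patterns the Signatures section names: Add-MpPreference exclusions run under -ExecutionPolicy Bypass, a schtasks /create with a one-minute trigger at /RL HIGHEST whose action lives in a user-writable directory, and a binary started by the Task Scheduler out of C:\ProgramData. The `$77` rule is a heuristic: that prefix is the r77 rootkit's hide-by-name convention, and the report shows no r77 component, so treat it as a lead rather than a finding.

```python
"""Replay of the report's process tree as detection input (added example; the
events are constructed from the command lines above, field names assumed)."""
import re
from pathlib import PureWindowsPath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\xdblake.exe"
IMPLANT = r"C:\ProgramData\$77wsappx.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# parent_image is None where the report does not show the parent.
SAMPLE_EVENTS = [
    {"pid": 2636, "parent_image": None, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 2980, "parent_image": DROPPER, "image": PS,
     "cmd": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPER}'"},
    {"pid": 2860, "parent_image": DROPPER, "image": PS,
     "cmd": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xdblake.exe'"},
    {"pid": 1904, "parent_image": DROPPER, "image": PS,
     "cmd": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{IMPLANT}'"},
    {"pid": 2488, "parent_image": DROPPER, "image": PS,
     "cmd": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77wsappx.exe'"},
    {"pid": 1008, "parent_image": DROPPER, "image": SCHTASKS,
     "cmd": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 '
            f'/tn "$77wsappx" /tr "{IMPLANT}"'},
    {"pid": 592, "parent_image": TASKENG, "image": IMPLANT, "cmd": IMPLANT},
]

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass", re.I)
# Directories an unprivileged user can write to: a persistence action pointing
# here is far more suspicious than one under Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(programdata|users\\public)\\|\\appdata\\|\\temp\\", re.I)
HIDE_PREFIX = "$77"  # heuristic: r77 hides objects whose names start with $77


def basename(path):
    """Lower-cased file name of a Windows path ('' for a missing path)."""
    return PureWindowsPath(path).name.lower() if path else ""


def parse_schtasks(cmd):
    """Map each /switch of a schtasks command line to its value (None for bare
    flags such as /create and /f). Values are a double-quoted string or a single
    token; keys are lower-cased so /RL and /rl both land under 'rl'."""
    opts = {}
    for m in re.finditer(r'/(\w+)(?:\s+("([^"]*)"|[^/\s]\S*))?', cmd):
        opts[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(2)
    return opts


def schtasks_reasons(opts):
    """Why a schtasks /create looks like malware persistence; [] if it doesn't."""
    reasons = []
    mo = opts.get("mo") or ""
    if (opts.get("sc") or "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"re-runs every {mo} minute(s), a self-restart loop")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        reasons.append("runs with /RL HIGHEST")
    if USER_WRITABLE_RE.search(opts.get("tr") or ""):
        reasons.append(f"action in a user-writable path: {opts['tr']}")
    if "f" in opts:
        reasons.append("/f silently overwrites any existing task of that name")
    return reasons


def analyze(events):
    """Return (rule, pid, detail) for every suspicious event, in input order."""
    findings = []
    for ev in events:
        pid, image, cmd = ev["pid"], ev["image"], ev["cmd"]
        name = basename(image)
        if name == "powershell.exe":
            m = EXCLUSION_RE.search(cmd)
            if m:
                value = m.group(2) or m.group(3) or m.group(4)
                detail = f"Defender -Exclusion{m.group(1)} added for {value}"
                if BYPASS_RE.search(cmd):
                    detail += " (with -ExecutionPolicy Bypass)"
                findings.append(("defender_exclusion_tamper", pid, detail))
        elif name == "schtasks.exe":
            opts = parse_schtasks(cmd)
            if "create" in opts:
                reasons = schtasks_reasons(opts)
                if reasons:
                    findings.append(("schtasks_persistence", pid,
                                     f"task {opts.get('tn')!r}: " + "; ".join(reasons)))
        # Win7 launches task actions from taskeng.exe; on Windows 10+ the parent
        # is the svchost.exe hosting the Schedule service, so check its cmdline.
        if basename(ev["parent_image"]) == "taskeng.exe" and USER_WRITABLE_RE.search(image):
            findings.append(("task_runs_user_writable_binary", pid,
                             f"{image} started by the Task Scheduler"))
        if name.startswith(HIDE_PREFIX):
            findings.append(("r77_hide_prefix", pid, f"{name} carries the {HIDE_PREFIX} prefix"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Run stand-alone it prints seven findings: four exclusion tampers (pids 2980, 2860, 1904, 2488), the one-minute self-restart task (pid 1008), and two for the implant the scheduler launches from C:\ProgramData (pid 592). On real telemetry, replace SAMPLE_EVENTS with the parsed Image, ParentImage and CommandLine fields; note that the Defender rule only catches exclusions added through PowerShell, so pair it with the Defender operational log's exclusion-change events for coverage of MpCmdRun or direct registry writes.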

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\$77wsappx.exe

    Filesize

    66KB

    MD5

    bca20b0a6a3877b3bbedd6595e804164

    SHA1

    0bfd19a1dac3f937098aa005ff0b5aab2e767663

    SHA256

    0f06d9dfb9badfd337bd1dfb21f8b0ebb934e81072cddcef3d8466e526f2275b

    SHA512

    4932b511e0429f3a97b726483a87641d579a0d0d8f61c2771eb900baaffe36ea9ee2fba4e098fd922dc3c2aab8b0684483096ed9eb0de23cdc97f63ac449ac32

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    8ceb0c79600cbcb7a7d75e65e32b1396

    SHA1

    1fe1abe4cfb2eb21bba1883ce8f6f315bfc6bc24

    SHA256

    dfcba4d265908f01a96d32e6393ffc7f1eff111425fea448f9409da8a8f4ab97

    SHA512

    409fd71d521ad9cb977ed02d4fc85bec753c6bf0cec1dd61201df06960c0ed7bf3022b6c2fe75cba5dbb21ec6a2a129910da8f9123d1c0cd4d83876b5a7e087c

  • memory/592-38-0x0000000001340000-0x0000000001356000-memory.dmp

    Filesize

    88KB

  • memory/2636-34-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/2636-1-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

    Filesize

    88KB

  • memory/2636-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/2636-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

    Filesize

    4KB

  • memory/2636-7-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

    Filesize

    4KB

  • memory/2860-16-0x000000001B6A0000-0x000000001B982000-memory.dmp

    Filesize

    2.9MB

  • memory/2860-17-0x0000000001E20000-0x0000000001E28000-memory.dmp

    Filesize

    32KB

  • memory/2980-8-0x0000000002B80000-0x0000000002C00000-memory.dmp

    Filesize

    512KB

  • memory/2980-10-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

  • memory/2980-9-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB