Overview

overview

10

Static

static

3

4560c26325...42.exe

windows7-x64

10

4560c26325...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe

  • Size

    116KB

  • MD5

    4f0c8a81138b78a1f40ef1d383632130

  • SHA1

    96b6c6ff5c5b1aa90014e975bb851d23acbed598

  • SHA256

    4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42

  • SHA512

    687dddf2a070acbb5eee3af912dc1461968a67b05992f76f5a77a5bb0d773ae1049c7e44386c4a44d5971ace7784a8601c2fc3f47f1f8dbbb06a7e04646bbf1c

  • SSDEEP

    3072:oziOToQz31V4b1pCoLd7H7dwsIc6rmGBLYdLrfncO:+ToQzFjox7bCs5WmGVYVrfn

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

left-noon.gl.at.ply.gg:60705

Attributes
  • Install_directory

    %AppData%

  • install_file

    US11B.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe
    "C:\Users\Admin\AppData\Local\Temp\4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe
      "C:\Users\Admin\AppData\Local\Temp\4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\sms737A.tmp
        "C:\Users\Admin\AppData\Local\Temp\sms737A.tmp"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sms737A.tmp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sms737A.tmp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3276
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sms737A.tmp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4784
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sms737A" /tr "C:\Users\Admin\AppData\Roaming\sms737A.tmp"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4364
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\sms737A.tmp"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    5cfe303e798d1cc6c1dab341e7265c15

    SHA1

    cd2834e05191a24e28a100f3f8114d5a7708dc7c

    SHA256

    c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

    SHA512

    ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytbc3rlh.hrl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sms737A.tmp
    Filesize

    77KB

    MD5

    8032a5e68376a879472c297749cdb4c4

    SHA1

    d6a96c5287f1d76b41f605ecaeb1688d208c720a

    SHA256

    fa3dd88248218cd597232333c70e0996801817b003c234994102452712a23d1d

    SHA512

    b75d6429844e643fc7920efe1d30b15b0e631ded561f5f0021e105a68a729ebf308a23501c9136efbf4637bb068dba5c0056ff85195cd54d56e05205193d6c21

    Download Submit

  • memory/2708-0-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2708-2-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2708-3-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3116-12-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3116-13-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3116-23-0x000001F2EE9A0000-0x000001F2EE9C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3116-24-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3116-27-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3248-11-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3248-10-0x0000000000280000-0x000000000029A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3248-9-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3248-58-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4692-4-0x00007FF631340000-0x00007FF63136A000-memory.dmp

    Filesize

    168KB

    Download