Analysis

  • max time kernel
    30s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    19-11-2024 14:54

General

  • Target

    ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe

  • Size

    90KB

  • MD5

    b5e9d925a5cbc599a04462e05001f790

  • SHA1

    599ab617d497cb99149ac5168c0cab402d5874d2

  • SHA256

    07712414bdc55e8b60f9459cd358a09fed23c017a2ad96f641c59ebab40d8995

  • SHA512

    e85a47fd15ec65fd1a4b59c42a431cebbace69596f131729e4467852e14e375810a10950f4124899c2251565acc41541033062b3f08d4e1f3f09a1960b6cd367

  • SSDEEP

    1536:eCCCCCU1QhJtr2u5yzzRHdc9RkR3598k6Tv9aHwAZhVnudYsYxAOltnMo:Z9yzzVaRJXTv9gwUOE2mB

Malware Config

Extracted

Family

xworm

C2

45.141.27.248:7777

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe
    "C:\Users\Admin\AppData\Local\Temp\ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        3⤵
        PID:540
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:5188
      • C:\Windows\system32\mode.com
        mode 103,5
        3⤵
        PID:5124
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1680
      • C:\Windows\system32\mode.com
        mode 120,17
        3⤵
        PID:5500
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4720
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              3eb3833f769dd890afc295b977eab4b4

              SHA1

              e857649b037939602c72ad003e5d3698695f436f

              SHA256

              c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

              SHA512

              c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              6a807b1c91ac66f33f88a787d64904c1

              SHA1

              83c554c7de04a8115c9005709e5cd01fca82c5d3

              SHA256

              155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

              SHA512

              29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              1add983babb1a08c6bf69d4b6e333222

              SHA1

              479c1d808e29d18df72533636f6f6f91b9dac81b

              SHA256

              294c66949e7ed8e1e8070e894628de249cb90f1e45f6a6ea32c0b38a550802b1

              SHA512

              d2791df10ae777600349f970cc9612d6f9e96b61af66376df759d4a64197a87b023bc48162a0606fcdb4fd608713b9b6d18f19f773b3c26a15ab462a153a4194

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              9dbcd66106ed9bf757e7a5e5c1b5c338

              SHA1

              e68b417d1c65bc72b50788ddd787e41e9b91a821

              SHA256

              8679495b0973437a34da326438cbbe92f829487d4be55b626d728950c9a38a95

              SHA512

              a428650697a00a44e7e368dfe9a486cbf83a94e33c0f2fcd2c319d9c4edad766bb8e3580d9472c3ef0aa743455ba026c4a6073a4eb5efa49c5106608918d174d

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4aq2yldf.en2.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Roaming\3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.bat

              Filesize

              5KB

              MD5

              1a29286ae9d746284b195a34811f5e89

              SHA1

              2418da95e35c84e8b922cd6c525463bab7e43a06

              SHA256

              061d3b55f7cfd4bd35e48768fb993a1444d5ed4990cda5ef813220715325f630

              SHA512

              370288124edecdfb611d65b93f2ed9c0205299653a0819d351b226a595c4a4fda636c50444d3bac2c43c4678119cf53b7c9e5d1bc69f16452be16eb720b90c07

            • C:\Users\Admin\AppData\Roaming\svchost.exe

              Filesize

              73KB

              MD5

              34355faf2f7affeb96060d1732c533dc

              SHA1

              8118303c97aec8226a92eab831427266d511e036

              SHA256

              ba3fa9c54316aa820f99d8416d0c61f88b311d31304c44b85dd678d21d5bda28

              SHA512

              3686c618a100b988fe65dc024c912b27ab30f7f362fa0ea31260d1e815b52ff0d4457cc5c884ff251aae4acb855e86347f28efb39c5d08497b0d3533348ffa9b

            • memory/764-38-0x0000020AE0E30000-0x0000020AE104D000-memory.dmp

              Filesize

              2.1MB

            • memory/764-35-0x0000020AC88B0000-0x0000020AC88D2000-memory.dmp

              Filesize

              136KB

            • memory/1668-0-0x00007FFF2A3B3000-0x00007FFF2A3B5000-memory.dmp

              Filesize

              8KB

            • memory/1668-1-0x0000000000410000-0x000000000042C000-memory.dmp

              Filesize

              112KB

            • memory/4604-51-0x00000280D6150000-0x00000280D636D000-memory.dmp

              Filesize

              2.1MB

            • memory/4720-74-0x000001BB394E0000-0x000001BB396FD000-memory.dmp

              Filesize

              2.1MB

            • memory/5096-24-0x00007FFF2A3B0000-0x00007FFF2AE72000-memory.dmp

              Filesize

              10.8MB

            • memory/5096-23-0x0000000000740000-0x0000000000758000-memory.dmp

              Filesize

              96KB

            • memory/5096-76-0x00007FFF2A3B0000-0x00007FFF2AE72000-memory.dmp

              Filesize

              10.8MB