Analysis
-
max time kernel
139s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20/11/2024, 14:21 UTC
General
-
Target
Complier.exe
-
Size
8.7MB
-
MD5
2b83acb31286e3675a46c514f7b38554
-
SHA1
fb37844c5d0d4e2427000a5aea4e6a3acc0814d3
-
SHA256
78da6bfa78c77c0f8a398be9a48d791036e3f15b9859a241aed7f7e1d20688e5
-
SHA512
f7725b8e2337c3502bce5e2d1fe1127ddca8212bc53326cc78ede3a6543eb442fd169493a090c54d1f9b216a56225e8d2abf5233a20223ce2f4b7232e5edcc64
-
SSDEEP
196608:HsttcYiaVW7hyq1WYn56omfTut4jD6+qBbw5T+0nT4UjiSkwC+V1:H4fWz1Wa51mfTutiQB+pMUjl
Malware Config
Extracted
xworm
fun-ce.gl.at.ply.gg:63401
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 10 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Complier.exe"C:\Users\Admin\AppData\Local\Temp\Complier.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\System interrupts.exe"C:\Users\Admin\AppData\Local\Temp\System interrupts.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System interrupts.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System interrupts.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\HD-PLAYER'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'HD-PLAYER'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "HD-PLAYER" /tr "C:\ProgramData\HD-PLAYER"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {422ABAC2-B181-4063-AB89-2A50A8E76A3B} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\HD-PLAYERC:\ProgramData\HD-PLAYER2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\HD-PLAYERC:\ProgramData\HD-PLAYER2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1 -
GEThttp://ip-api.com/line/?fields=hostingRemote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 14:21:23 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
GEThttp://ip-api.com/line/?fields=hostingRemote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 14:21:30 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 52
X-Rl: 42
-
DNSfun-ce.gl.at.ply.ggRemote address:8.8.8.8:53Requestfun-ce.gl.at.ply.ggIN AResponsefun-ce.gl.at.ply.ggIN A147.185.221.23
-
208.95.112.1:80http://ip-api.com/line/?fields=hostinghttp
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200 -
208.95.112.1:80http://ip-api.com/line/?fields=hostinghttp
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200 -
147.185.221.23:63401fun-ce.gl.at.ply.gg
-
147.185.221.23:63401fun-ce.gl.at.ply.gg
-
147.185.221.23:63401fun-ce.gl.at.ply.gg
-
147.185.221.23:63401fun-ce.gl.at.ply.gg
-
147.185.221.23:63401fun-ce.gl.at.ply.gg
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:53fun-ce.gl.at.ply.ggdns
DNS Request
fun-ce.gl.at.ply.gg
DNS Response
147.185.221.23
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5776b0200de5d99a2a92b747733c541dc
SHA177c74231bc284a1618e7989e7e0d16bca67ff8cf
SHA2561e4aa21d558fe059d1d30a000000927decdc3f2676c303a4984d278b92440724
SHA512de016164ff5542e0e598a724488fb5a0a6f1c4f206a17c9e15ad3230a0bb58355f2191a764a29943225ca9504f6b5a50abc3e3d070208884df2afe1401ac1fd0
-
Filesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
Filesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
Filesize
1.8MB
MD56ef5d2f77064df6f2f47af7ee4d44f0f
SHA10003946454b107874aa31839d41edcda1c77b0af
SHA256ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA5121662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
7KB
MD505e3ea9f8ddcf8182cc2666ca8ba4a1f
SHA1a1a331a610a51f5d2e5990947170e4fc28253004
SHA2564636e5ca32a34822abc66f91470749fa3b1e152fac3083636364f14a9d3f81b1
SHA5128a318528395383fff6135d41a9f44a6c7e7e9d7dca91468dc5774552f566484ef795755566553ee0f73c279e0dc776569e2feb7b85b026b709d3f7e0dc1ff29c
-
Filesize
8.8MB
MD506da2ccc85aca2085657c0b1c960e772
SHA17192cddca4cdb3509b13839bee32869a1020478d
SHA256b5a5f2a8281bacf969b9f3be9c650763a2af8587048b0645b6a7bfa452764c90
SHA512aba80f0f5ad95cb1e56f9e44b925cfda4a06ee64a3bfa5e60d4bed4f17901ce74a938b0d7f0231bce217c9c2cc945a9926d5e2f5dc53d4f58328533a2c65351a
-
Filesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
Filesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
Filesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
6.4MB
-
Filesize
96KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8.8MB
-
Filesize
9.9MB
-
Filesize
96KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB