Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 14:21

General

  • Target

    Complier.exe

  • Size

    8.7MB

  • MD5

    2b83acb31286e3675a46c514f7b38554

  • SHA1

    fb37844c5d0d4e2427000a5aea4e6a3acc0814d3

  • SHA256

    78da6bfa78c77c0f8a398be9a48d791036e3f15b9859a241aed7f7e1d20688e5

  • SHA512

    f7725b8e2337c3502bce5e2d1fe1127ddca8212bc53326cc78ede3a6543eb442fd169493a090c54d1f9b216a56225e8d2abf5233a20223ce2f4b7232e5edcc64

  • SSDEEP

    196608:HsttcYiaVW7hyq1WYn56omfTut4jD6+qBbw5T+0nT4UjiSkwC+V1:H4fWz1Wa51mfTutiQB+pMUjl

Malware Config

Extracted

Family

xworm

C2

fun-ce.gl.at.ply.gg:63401

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload (3 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (10 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Complier.exe
    "C:\Users\Admin\AppData\Local\Temp\Complier.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\Built.exe
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1744
    • C:\Users\Admin\AppData\Local\Temp\System interrupts.exe
      "C:\Users\Admin\AppData\Local\Temp\System interrupts.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System interrupts.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System interrupts.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\HD-PLAYER'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'HD-PLAYER'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "HD-PLAYER" /tr "C:\ProgramData\HD-PLAYER"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:996
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {422ABAC2-B181-4063-AB89-2A50A8E76A3B} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\ProgramData\HD-PLAYER
      C:\ProgramData\HD-PLAYER
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\ProgramData\HD-PLAYER
      C:\ProgramData\HD-PLAYER
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\System interrupts.exe

    Filesize

    72KB

    MD5

    776b0200de5d99a2a92b747733c541dc

    SHA1

    77c74231bc284a1618e7989e7e0d16bca67ff8cf

    SHA256

    1e4aa21d558fe059d1d30a000000927decdc3f2676c303a4984d278b92440724

    SHA512

    de016164ff5542e0e598a724488fb5a0a6f1c4f206a17c9e15ad3230a0bb58355f2191a764a29943225ca9504f6b5a50abc3e3d070208884df2afe1401ac1fd0

  • C:\Users\Admin\AppData\Local\Temp\_MEI27122\api-ms-win-core-processthreads-l1-1-1.dll

    Filesize

    21KB

    MD5

    517eb9e2cb671ae49f99173d7f7ce43f

    SHA1

    4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

    SHA256

    57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

    SHA512

    492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

  • C:\Users\Admin\AppData\Local\Temp\_MEI27122\api-ms-win-core-timezone-l1-1-0.dll

    Filesize

    21KB

    MD5

    d12403ee11359259ba2b0706e5e5111c

    SHA1

    03cc7827a30fd1dee38665c0cc993b4b533ac138

    SHA256

    f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

    SHA512

    9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

  • C:\Users\Admin\AppData\Local\Temp\_MEI27122\python313.dll

    Filesize

    1.8MB

    MD5

    6ef5d2f77064df6f2f47af7ee4d44f0f

    SHA1

    0003946454b107874aa31839d41edcda1c77b0af

    SHA256

    ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

    SHA512

    1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

  • C:\Users\Admin\AppData\Local\Temp\_MEI27122\ucrtbase.dll

    Filesize

    992KB

    MD5

    0e0bac3d1dcc1833eae4e3e4cf83c4ef

    SHA1

    4189f4459c54e69c6d3155a82524bda7549a75a6

    SHA256

    8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

    SHA512

    a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    05e3ea9f8ddcf8182cc2666ca8ba4a1f

    SHA1

    a1a331a610a51f5d2e5990947170e4fc28253004

    SHA256

    4636e5ca32a34822abc66f91470749fa3b1e152fac3083636364f14a9d3f81b1

    SHA512

    8a318528395383fff6135d41a9f44a6c7e7e9d7dca91468dc5774552f566484ef795755566553ee0f73c279e0dc776569e2feb7b85b026b709d3f7e0dc1ff29c

  • \Users\Admin\AppData\Local\Temp\Built.exe

    Filesize

    8.8MB

    MD5

    06da2ccc85aca2085657c0b1c960e772

    SHA1

    7192cddca4cdb3509b13839bee32869a1020478d

    SHA256

    b5a5f2a8281bacf969b9f3be9c650763a2af8587048b0645b6a7bfa452764c90

    SHA512

    aba80f0f5ad95cb1e56f9e44b925cfda4a06ee64a3bfa5e60d4bed4f17901ce74a938b0d7f0231bce217c9c2cc945a9926d5e2f5dc53d4f58328533a2c65351a

  • \Users\Admin\AppData\Local\Temp\_MEI27122\api-ms-win-core-file-l1-2-0.dll

    Filesize

    21KB

    MD5

    1c58526d681efe507deb8f1935c75487

    SHA1

    0e6d328faf3563f2aae029bc5f2272fb7a742672

    SHA256

    ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

    SHA512

    8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

  • \Users\Admin\AppData\Local\Temp\_MEI27122\api-ms-win-core-file-l2-1-0.dll

    Filesize

    18KB

    MD5

    bfffa7117fd9b1622c66d949bac3f1d7

    SHA1

    402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

    SHA256

    1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

    SHA512

    b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

  • \Users\Admin\AppData\Local\Temp\_MEI27122\api-ms-win-core-localization-l1-2-0.dll

    Filesize

    21KB

    MD5

    724223109e49cb01d61d63a8be926b8f

    SHA1

    072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

    SHA256

    4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

    SHA512

    19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

  • memory/1632-109-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

    Filesize

    32KB

  • memory/1632-108-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

  • memory/1744-93-0x000007FEEE900000-0x000007FEEEF63000-memory.dmp

    Filesize

    6.4MB

  • memory/1756-182-0x0000000001300000-0x0000000001318000-memory.dmp

    Filesize

    96KB

  • memory/1912-101-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

  • memory/1912-102-0x0000000001F50000-0x0000000001F58000-memory.dmp

    Filesize

    32KB

  • memory/2364-74-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/2364-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/2364-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

    Filesize

    4KB

  • memory/2364-1-0x0000000000B50000-0x0000000001416000-memory.dmp

    Filesize

    8.8MB

  • memory/2760-94-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/2760-18-0x00000000010E0000-0x00000000010F8000-memory.dmp

    Filesize

    96KB

  • memory/2760-121-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/2760-178-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/2760-68-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

    Filesize

    9.9MB