Overview

overview

10

Static

static

10

extfix.exe

windows7-x64

10

extfix.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    extfix.exe

  • Size

    75KB

  • MD5

    03ac7cea640de499ffd4d820cbf91aec

  • SHA1

    c5431178ad49172a65398770a03fecccc37f711f

  • SHA256

    c6ac39bb6bd04c72e7c1f23b6d98b7a3ae591efa9ef285458b27bef353a255cb

  • SHA512

    52186a0938de15b83873626f72f594219dc193b1d5b7fbec5d2577761488f3379d5cd42e6de205964f6dec5cdfc3023de36375da28a0146a5311ab0516f23d7c

  • SSDEEP

    1536:2L1YZRemnhY0X1+Q3jaHPjbIbnFJ8v6sqKoO4o0iD8:22ZPhhzOHobnv6oOz0iA

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:64112

FRERE-57054.portmap.host:64112

solutions-stunning.gl.at.ply.gg:64112:64112

solutions-stunning.gl.at.ply.gg:64112
Attributes
  • Install_directory

    %Public%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\extfix.exe
    "C:\Users\Admin\AppData\Local\Temp\extfix.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\extfix.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'extfix.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Public\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2468
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1CBB23E7-F9D2-4C14-B3B6-06FF15B75565} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Public\XClient.exe
      C:\Users\Public\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Users\Public\XClient.exe
      C:\Users\Public\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Users\Public\XClient.exe
      C:\Users\Public\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    2d28dc46f49586d61d8953e88d7cfdf8

    SHA1

    ca384091033206e848f8e7fa9b305165c1b58be4

    SHA256

    6e06933ef5961b5190819716e31be86a7ae6cbefde6d98b1d46d220ab5acede6

    SHA512

    8f8de47f5590da2ce0412976defd631518e32aa79bd421631b643566475875fc76940f17da731cb9274220be4bbb562de0a1b893e38d70e2b6772a4267ea0602

    Download Submit

  • C:\Users\Public\XClient.exe
    Filesize

    75KB

    MD5

    03ac7cea640de499ffd4d820cbf91aec

    SHA1

    c5431178ad49172a65398770a03fecccc37f711f

    SHA256

    c6ac39bb6bd04c72e7c1f23b6d98b7a3ae591efa9ef285458b27bef353a255cb

    SHA512

    52186a0938de15b83873626f72f594219dc193b1d5b7fbec5d2577761488f3379d5cd42e6de205964f6dec5cdfc3023de36375da28a0146a5311ab0516f23d7c

    Download Submit

  • memory/1872-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1872-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1872-28-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1872-30-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1872-1-0x0000000000880000-0x000000000089A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2204-36-0x00000000001C0000-0x00000000001DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2248-34-0x0000000000C70000-0x0000000000C8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2256-7-0x0000000002930000-0x00000000029B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2256-8-0x000000001B790000-0x000000001BA72000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2256-9-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2528-15-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2528-16-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download