Overview

overview

10

Static

static

3

18ea5087eb...50.exe

windows11-21h2-x64

10

$PLUGINSDI...em.dll

windows11-21h2-x64

3

Resubmissions

24-11-2024 15:40

241124-s4cllssndp 10

24-11-2024 15:36

241124-s1w6vasmdk 10

Analysis

  • max time kernel
    59s
  • max time network
    69s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-11-2024 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18ea5087eb82e075ca35d2b2dcff9450.exe

  • Size

    555KB

  • MD5

    18ea5087eb82e075ca35d2b2dcff9450

  • SHA1

    dc436fbaa777672d44a8b90b98c4a1c266885845

  • SHA256

    a7247c64cc0168290ca3b210e59ef629b46f513205bc6562ec79cdd2cda71725

  • SHA512

    8fbeb3caf13a3fe1359002c2848ff5767e6b2f226049546c683f2b6144756196cfe39f66e4959c8426cdfaeff6a169a4cf5939de241e4a898887d8810ec620c6

  • SSDEEP

    12288:32EIiN/Z1++w1p+wJuQbIgJwCQBk5wBcamd3ZhZs:3wiN/K+wHBfhQBk5s3mdPZs

Score
10/10
guloaderxwormdiscoverydownloaderexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

87.121.86.8:4020

Mutex

ssjpS2lhbkGsnEgT

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe
    "C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe
      "C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe"
      2⤵
      • Drops startup file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2248
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3224

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      db92d7041e62fca2713935081f1c4a78

      SHA1

      8c0fd39ff312916983080f1cfc7ec620686c1d07

      SHA256

      29b298203b31984a0a51e20d9d816b5fda7013a8390d93d327ec2a72486d65b9

      SHA512

      ecd20994c634bda0d20a344fe1cdea7f00154b83f19213a4d1205aec21deb1f03d1eb85c9c93bd7a6cc000dbdb6d1acfdf81d072c715b6a2d53067298b1f7359

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      6fc9e38f184d3b1e45cdc8758b9346b6

      SHA1

      7bce57efd6a77a3bfe8c53ad443e3faa18740568

      SHA256

      21e6f547ca65e845c9e4fb8e278689b07b124a93d435143a8e0eec4151d62391

      SHA512

      894805a8282c72f355a50216329e682fc36981789f1cdcfe48d3a6383d875f8f270bb29a98e3039dd6007eb49e86c29f68f8e20548a81c4eaf4bae0aa70fed07

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbnwudxm.3r4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsq88F7.tmp\System.dll
      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      Download Submit

    • memory/2988-88-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3188-102-0x0000000037200000-0x00000000377A6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3188-14-0x00000000007E0000-0x0000000001AF7000-memory.dmp

      Filesize

      19.1MB

      Download

    • memory/3188-15-0x00000000007E0000-0x00000000007F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3188-16-0x0000000036900000-0x000000003699C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3188-18-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3188-104-0x00000000379D0000-0x00000000379DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3188-103-0x0000000037910000-0x00000000379A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3188-12-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3628-13-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

      Download

    • memory/3628-11-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

      Download

    • memory/3628-10-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3628-9-0x00007FF9377C1000-0x00007FF9378EA000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3628-8-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

      Download

    • memory/4584-35-0x0000000006DC0000-0x0000000006DF4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4584-53-0x0000000007D90000-0x0000000007DA5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4584-36-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4584-45-0x00000000079D0000-0x00000000079EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4584-46-0x0000000007A00000-0x0000000007AA4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4584-47-0x0000000008180000-0x00000000087FA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4584-48-0x0000000007B40000-0x0000000007B5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4584-49-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4584-50-0x0000000007DE0000-0x0000000007E76000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4584-51-0x0000000007D50000-0x0000000007D61000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4584-52-0x0000000007D80000-0x0000000007D8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4584-34-0x0000000006830000-0x000000000687C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4584-54-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4584-55-0x0000000007E80000-0x0000000007E88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4584-33-0x0000000006800000-0x000000000681E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4584-19-0x0000000002FE0000-0x0000000003016000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4584-32-0x0000000006350000-0x00000000066A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4584-20-0x0000000005BD0000-0x00000000061FA000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4584-23-0x00000000062E0000-0x0000000006346000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4584-22-0x0000000006270000-0x00000000062D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4584-21-0x0000000005960000-0x0000000005982000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4720-69-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4720-59-0x0000000005B30000-0x0000000005E87000-memory.dmp

      Filesize

      3.3MB

      Download