Overview

overview

10

Static

static

5

Quotation.scr.exe

windows7-x64

10

Quotation.scr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.scr.exe

  • Size

    699KB

  • MD5

    c684a63e08404601807c7bd5af233d28

  • SHA1

    d9607463fcf1ce55eb8e5649b65047ee526d8060

  • SHA256

    f0045c024fc4e796911fa5a1e597c22f011723c8301c4a903dc140699a707621

  • SHA512

    ffd030b446965e404fd7b76bf2839a9dd620b4c1ded7e82c6b02f277219514de0489059617bc2ca5b560c767b401630d0b2d34ec056df514771a563a8e0f46cd

  • SSDEEP

    12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLxwxhzZ:ffmMv6Ckr7Mny5QLxwxhV

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

69.174.99.6:7000

Mutex

ZMMi52bfIGvYY0Ok

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Users\Admin\AppData\Local\anaboly\starbowlines.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\apostrophise
    Filesize

    30KB

    MD5

    d15f30aadcae7f87307e63e039228866

    SHA1

    61d3595411a9a2ff483a5e1b5a359ca7868d1f5a

    SHA256

    25ae69f8d71da3dbcde420c9a0abf90bbce046c27969580b2a37e289ce9b6205

    SHA512

    25e6801408e24b6c5a2472ed7218ff9a7e272b2b1747a9c2a7eb7ed40223649589daac713c08fe8015df89b5d0da176188345edcfbd0ef56e3a4151b12467fa0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\furcation
    Filesize

    29KB

    MD5

    a2a9ce81977085a400789d49db0f0250

    SHA1

    3ebe1a79d42e3bda77030fa6b26740bd7a287691

    SHA256

    4a3071b8298eb6dbc10141a491909fa7c726d68bc5721581587b09797e16bc58

    SHA512

    0919addf21283224eb83353d7f7a3e8ff62047699ab97bb3ac57a0aafe51e397465ef1be30808ff20b6b5e8a12a5a2000dfa76db6557b3f258bfc7c1c59082dc

    Download Submit

  • C:\Users\Admin\AppData\Local\anaboly\starbowlines.exe
    Filesize

    699KB

    MD5

    c684a63e08404601807c7bd5af233d28

    SHA1

    d9607463fcf1ce55eb8e5649b65047ee526d8060

    SHA256

    f0045c024fc4e796911fa5a1e597c22f011723c8301c4a903dc140699a707621

    SHA512

    ffd030b446965e404fd7b76bf2839a9dd620b4c1ded7e82c6b02f277219514de0489059617bc2ca5b560c767b401630d0b2d34ec056df514771a563a8e0f46cd

    Download Submit

  • memory/4524-10-0x0000000003290000-0x0000000003294000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4904-30-0x0000000005150000-0x00000000051EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4904-29-0x000000007553E000-0x000000007553F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4904-28-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4904-31-0x0000000075530000-0x0000000075CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4904-32-0x000000007553E000-0x000000007553F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4904-33-0x0000000005820000-0x0000000005886000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4904-34-0x0000000075530000-0x0000000075CE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4904-35-0x0000000006160000-0x00000000061F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4904-36-0x00000000067B0000-0x0000000006D54000-memory.dmp

    Filesize

    5.6MB

    Download