Analysis

  • max time kernel
    129s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 13:33

General

  • Target

    d0877554e828d2ffd5c8592256b697690f578818064c0b028117fed0ba64fdf3.exe

  • Size

    64KB

  • MD5

    2f994e4870a23f49fb779d1bda780941

  • SHA1

    99b8dfffb69ec2b7193320a7f8a08b7da64be7bf

  • SHA256

    d0877554e828d2ffd5c8592256b697690f578818064c0b028117fed0ba64fdf3

  • SHA512

    9138e89454f9f56a0540a33bccc8e62710a447033e6ea53732d625b2b7635a973c7308f86dda5ff60c1a80c00dc36428ca0b9d9fb590f837648a9dd9b5ea7e86

  • SSDEEP

    1536:+EVRBKXfmrbLO+BBUsbJU5fRqw6LCLOO4wH/:RVRwunLbHbJUNYoOOrH/

Malware Config

Extracted

Family

xworm

C2

disclaimer-hose.gl.at.ply.gg:11906

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Microsoft Edge.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0877554e828d2ffd5c8592256b697690f578818064c0b028117fed0ba64fdf3.exe
    "C:\Users\Admin\AppData\Local\Temp\d0877554e828d2ffd5c8592256b697690f578818064c0b028117fed0ba64fdf3.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d0877554e828d2ffd5c8592256b697690f578818064c0b028117fed0ba64fdf3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'd0877554e828d2ffd5c8592256b697690f578818064c0b028117fed0ba64fdf3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Microsoft Edge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\Admin\Microsoft Edge.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1716
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {115D7F49-34BF-43DE-81EE-78C55CEE4F85} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDSB5YWVXKCMMXN3TQ81.temp

      Filesize

      7KB

      MD5

      18a465ca09c5c63d662769454ec4aa1f

      SHA1

      f46391d23c0e0b13d3f783a96a72e54e764b6798

      SHA256

      f29a0181605e7d1cb66c554b2dbd3ca04466714a4fe0ef6df64288556ef9b7f5

      SHA512

      d227c494b5422547cc07076efce065ffb6e2e8c4046e5b9dbd604d4cd0a8c53e392bd844a4302623b2580bfbdc1daf3d9a2ee4dc1c6b62ef03283f84162a4acb

    • \??\PIPE\srvsvc

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • memory/1728-0-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

      Filesize

      4KB

    • memory/1728-1-0x00000000002A0000-0x00000000002B6000-memory.dmp

      Filesize

      88KB

    • memory/1728-2-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

      Filesize

      9.9MB

    • memory/1728-28-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

      Filesize

      4KB

    • memory/1728-33-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

      Filesize

      9.9MB

    • memory/2752-7-0x0000000002260000-0x00000000022E0000-memory.dmp

      Filesize

      512KB

    • memory/2752-8-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2752-9-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

    • memory/2756-15-0x000000001B560000-0x000000001B842000-memory.dmp

      Filesize

      2.9MB

    • memory/2756-16-0x0000000002310000-0x0000000002318000-memory.dmp

      Filesize

      32KB