Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    03-12-2024 16:31

General

  • Target

    change your map in 5s.exe

  • Size

    103KB

  • MD5

    8544b7a07ac964e9398db5ced02de51f

  • SHA1

    9dd166931a20c364bf91726b19a8c66fc18495e0

  • SHA256

    d75d921b14ef15d53625282a961bfe8815c076c250fc6d06a4d535f4256beecd

  • SHA512

    3f2b24bf952b73954bbc2495423bebef7d44848a76a26a52bfd3521ef330389a81fddf963d3b2e5170a0381900fbc27a0aa900b1d8eea6009a94ec45f1e6c55d

  • SSDEEP

    1536:G0H/ps0R8ZAfDjxRux8iPtCofEJSnknpHQINH+IIdRh8z9z1cQTnr45LpF/9:VRs0YyLasMEgnD8Ib6zRnALpH

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:14333

previous-contests.gl.at.ply.gg:14333

Mutex

GH9VJU0DztsBgWNu

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\change your map in 5s.exe
    "C:\Users\Admin\AppData\Local\Temp\change your map in 5s.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\change your map in 5s.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'change your map in 5s.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    af1cc13f412ef37a00e668df293b1584

    SHA1

    8973b3e622f187fcf484a0eb9fa692bf3e2103cb

    SHA256

    449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

    SHA512

    75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    9a194f191956e9bf257c5b594e7a994a

    SHA1

    46dd61af2c025a8b3c74017d56d309154e6a1efc

    SHA256

    fe8468f17b76f055c7f4fddf99d2ef65306cc96758f74aee40b7d483472fdf59

    SHA512

    2134edf7e90fe0a3cb57ac79276ee1055f4050027f87481864cedeadeccee10b743f15bb4afed867bc9d23144b1c2e80ac8ca22effcc4bfc9d3aa8dfe4891d3b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    e2e441208a8298347bd824130a479e5d

    SHA1

    8277105d8ac8c46ab73b148c1c3d28ed373edc5a

    SHA256

    d5361c3fcb6650f42e891732b821e2a6cea4c51d1c45b8a5392a07456d98418e

    SHA512

    d28fc3c85b97aaf172c506a548e0d23f528c1374a81d834160e2a90d5d045b131ebed5ec5571eaebdff7fa3a12b4e4287bfe1030003b5bf26493d1a141eb9022

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j34s1zvy.5bo.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3452-1-0x000001E8F2170000-0x000001E8F217C000-memory.dmp

    Filesize

    48KB

  • memory/3452-2-0x000001E8F2500000-0x000001E8F2510000-memory.dmp

    Filesize

    64KB

  • memory/3452-3-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3452-0-0x00007FFDF33E3000-0x00007FFDF33E5000-memory.dmp

    Filesize

    8KB

  • memory/3452-33-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3824-4-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3824-21-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3824-18-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3824-17-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3824-16-0x000002A870880000-0x000002A8708A2000-memory.dmp

    Filesize

    136KB

  • memory/3824-6-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB

  • memory/3824-5-0x00007FFDF33E0000-0x00007FFDF3EA2000-memory.dmp

    Filesize

    10.8MB