Overview

overview

10

Static

static

10

LibraryDownload.exe

windows7-x64

10

LibraryDownload.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LibraryDownload.exe

  • Size

    171KB

  • MD5

    0f4733702f7441130c76f92271e33d52

  • SHA1

    962c64538ad4b11b0a57a269e726476eaf1e5cd4

  • SHA256

    b96640cb2a36f9bbaf48fe4798091068b9f518af783236e759763f2386f6a157

  • SHA512

    3718e10cdbb2dd1089a3cc4437c0884593ed0194953e0e0d6865b33475ffd2d8b9bcdffe5e8fade78eb4078b6777ca65618617a2563007b77998c273d85be0f5

  • SSDEEP

    3072:vOMQnN3iDf+bpT7E3ubGoOmaG8vwps/Bz65/M6If+3Js+3JFkKeTnu:vOnxwWboub+As/xBt25

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

designed-paragraph.gl.at.ply.gg:6553

Attributes
  • Install_directory

    %AppData%

  • install_file

    OneDrive.exe

  • telegram

    https://api.telegram.org/bot7632521130:AAFUdxmN095QSre97Sy3YKm36m78BuQCg7g/sendMessage?chat_id=6370415730

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\LibraryDownload.exe
    "C:\Users\Admin\AppData\Local\Temp\LibraryDownload.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LibraryDownload.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LibraryDownload.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3720
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:936
  • C:\Users\Admin\AppData\Roaming\OneDrive.exe
    C:\Users\Admin\AppData\Roaming\OneDrive.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3204
  • C:\Users\Admin\AppData\Roaming\OneDrive.exe
    C:\Users\Admin\AppData\Roaming\OneDrive.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1888
  • C:\Users\Admin\AppData\Roaming\OneDrive.exe
    C:\Users\Admin\AppData\Roaming\OneDrive.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    bd5940f08d0be56e65e5f2aaf47c538e

    SHA1

    d7e31b87866e5e383ab5499da64aba50f03e8443

    SHA256

    2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

    SHA512

    c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    be67063c62a242565760a02a642a9f02

    SHA1

    d1043a892b44d6676f71b568f578fff947266a19

    SHA256

    56f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48

    SHA512

    90d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    b0df02c89de5323c66e7a803fe7605b7

    SHA1

    405dc6f27a84c05ac15535a694d488219f7de074

    SHA256

    4641b96a0db742e3a95513298cb64030622d70ea6530bee1dae0577db981c84a

    SHA512

    d9f2269fcfd69448b4d563ff4455099d77e185784b80c9427267a1768a7afa95ed7c1c343929cfad82043f8bf1e6b48a7fdacdbbbccbdbdc63421027deb9a8ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbzwxgop.eau.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\OneDrive.exe
    Filesize

    171KB

    MD5

    0f4733702f7441130c76f92271e33d52

    SHA1

    962c64538ad4b11b0a57a269e726476eaf1e5cd4

    SHA256

    b96640cb2a36f9bbaf48fe4798091068b9f518af783236e759763f2386f6a157

    SHA512

    3718e10cdbb2dd1089a3cc4437c0884593ed0194953e0e0d6865b33475ffd2d8b9bcdffe5e8fade78eb4078b6777ca65618617a2563007b77998c273d85be0f5

    Download Submit

  • memory/3956-12-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3956-17-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3956-14-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3956-13-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3956-2-0x000001E3C4BF0000-0x000001E3C4C12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4828-0-0x00007FFEEE0C3000-0x00007FFEEE0C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4828-56-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4828-57-0x00007FFEEE0C3000-0x00007FFEEE0C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4828-61-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4828-1-0x0000000000D00000-0x0000000000D30000-memory.dmp

    Filesize

    192KB

    Download