Overview

overview

10

Static

static

10

2477.exe

windows7-x64

10

2477.exe

windows10-2004-x64

10

2477.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2477.exe

  • Size

    125KB

  • MD5

    02201ab0ffca3905fbf110296fd58298

  • SHA1

    4068eb4c09f6e09637588ee3cf62bf7229a25faa

  • SHA256

    4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe

  • SHA512

    4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705

  • SSDEEP

    1536:Rn7TvjnE1RowM/gZbgjx1LAYivy6sDOsyrXdtyVt3A7HPd4n+lbeRZIbSQPYU:RHovoX/0bgAoORHyHQbPRyZ2pPYU

Score
10/10
xwormdiscoveryexecutionpersistenceransomwarerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2477.exe
    "C:\Users\Admin\AppData\Local\Temp\2477.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2477.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2477.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Roaming\spoolsv.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3032
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:264
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DF5AA979-28BA-44B1-826C-498C76C145C2} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
      C:\Users\Admin\AppData\Roaming\spoolsv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
      C:\Users\Admin\AppData\Roaming\spoolsv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    090eefec2a0f8059bc222e6166cb2e8e

    SHA1

    09ad9f48b72dc7d5a9ade1c97593dc41b66d8ebe

    SHA256

    e9971ca723ae6f2bf1a569264aac6271c0403954449ca7256ca18a598da8ada9

    SHA512

    c06bdf304303258cc2375fe190fdac44660328fa027094b11d641d166175ff429bb5c0df838795550f6e224d409ba26a5b708667d7e7aae8e5df8f31bc030e30

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    66fe11cdaf1e6b1289c3763e852859f0

    SHA1

    9cf41008a6259035c757d362d2b63eae5a3b7a69

    SHA256

    5f16ecf327fe4b8760913162a87c43c18856ac2f4ad68d2bfe91f539a2d1f128

    SHA512

    54cbbc5d3bae50eb99326779fb85bc9224896a3df31990f875b8040eaedf1f880f71cf6b3b1774367186fd6f2ce804dfa4c40e4b7ab63a343a2b63f78de529d6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d3c802e947ad320044c7451429d4d34f

    SHA1

    20a2d4c9b226cbcb7b07d1c04ad4a6b8604a8033

    SHA256

    72fd30a64fb5285bc9fe206f133b6b11ff2c6b7be41fbf9d71c314c140a23983

    SHA512

    8dd4a27392fc2ec51a3e26c5ae1fc1152583799a9259312b779e23bbd16ed9ffccb753069226b08e28575bd87fdc16316381316f2100b3d53cb1b941aace29c7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    825119f0d7696973a2765d7e8f5e8951

    SHA1

    7a9c20fdda6286eae3d3b39ac9373f6ea0a42b75

    SHA256

    dc44af04a45539ce326519f0c97a50b9bb469aeedf33c00e8f4ed6413e1ef545

    SHA512

    82502fb6318aa3d03449c5533574320334a6bdcf87cec68b0b55bce1d09dc24a4a94499627320bcaf2be1acfaf7a14ffe6d313de7e3ecb6f1f8cf955a66f1305

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7c59d6873c0ea2ad10357cb0a33563c2

    SHA1

    d672d3b8e8d1973dd107a951111e3b04c3b4d700

    SHA256

    19bfc8a7a20555d8bd80d0949d09081bfaa03ed9653685c7e06fab2dbcbe5932

    SHA512

    90fd899b3178271722c4d09931449c096570190129335407bf908f756c78e4f9579ab1e59d4f22a5785112e85ce03384ec886f5b7be068b958f69780ec8a0da5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    35340483a91f148ecf4f7def7e11cb61

    SHA1

    4511ace7818a86eb55ea6515c991357e2e9b8b79

    SHA256

    9274fd0b3b26c57be2177ebba3be2600c1e622ef5466766303d115e9cd98e088

    SHA512

    fdae092a953151549dd392f709f74fd319c4513c8336663383c00fa825f7609edb94f1de6f5391a7f69e35723ac9c20b8b58c0f191aa61626536617ea4fedfe4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1bdceb374721e4396820fb382bb8159d

    SHA1

    b46d2712f2db768d8cc283ebc27ede7bf37d3ad1

    SHA256

    8e4bc63b8f35893930e352b23c8d10b74ef593d129ad5bbea7588998f860687e

    SHA512

    93707b10dc7b2f84fb0105c8e978a7e58eabe767cdfd68a65c2d9bbb459ae516da3f1620c4d3f6c00e61d77b14b3d44b205f0b175acb116dc463abd97b2e50ad

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bd06157ef7c8add5289b83bcc1b45f5f

    SHA1

    3613a414c7e8b35f95d6cfa83094255b0d70d4d0

    SHA256

    8dbdd79ea99c8f1f8f730eca4e7880e2a03c5b3835f26df8df17f8009cb1a104

    SHA512

    e76e24c016f12428c3493a8a33fa4f8e53fd0f4dc6d4ab0cd037cbc4fc9b37af25d56ead95df781c9bd4b23dc479b63d13f0ecdb884251af951244b3f993ec3a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5c945860785c0d607538ae91b36934e1

    SHA1

    0bc487ae858e5aad9365be1aa2d44ce4e7941261

    SHA256

    eae8cbadf454f7cef975ccc65ffa1f7d13f46935adb0186516cd1170f7795806

    SHA512

    f55631f7c612b0d6b6e5fe4736bcba6df3d069be9702a083ad1fcbd501a6d1ad035173607d0a86a29d8d56e6074a19a50d269d5fc036690f5bf7d28dfba923de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab957.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9C7.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    e0bb3f13d26d346acfccd776f7b212c5

    SHA1

    14562593e4a72512d0f29536b05357959d243566

    SHA256

    fefdbd60a736f8b47d542d34fd13c946889f06eb97ae917a2a2181f8801fb1e8

    SHA512

    abf7cde4b9639afeea08a0929caa6ab53bb8d71e9b2911f7b1ccf667de5c0d1036b151bd237a877b3ecccd191379ef08f18ae1412a6fa22344306a54064a39e0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\spoolsv.exe
    Filesize

    125KB

    MD5

    02201ab0ffca3905fbf110296fd58298

    SHA1

    4068eb4c09f6e09637588ee3cf62bf7229a25faa

    SHA256

    4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe

    SHA512

    4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705

    Download Submit

  • C:\Users\Admin\Desktop\How To Decrypt My Files.html
    Filesize

    639B

    MD5

    d2dbbc3383add4cbd9ba8e1e35872552

    SHA1

    020abbc821b2fe22c4b2a89d413d382e48770b6f

    SHA256

    5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

    SHA512

    bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

    Download Submit

  • C:\Users\Admin\Documents\SelectTrace.xlsx.ENC
    Filesize

    10KB

    MD5

    d2876d67e17336d57c6046ea6c90b39b

    SHA1

    fe1ed4157b45cab725cc22345446176e8701b4ec

    SHA256

    ad94a5f344a7dccce70d536908496d0e2d523350f51ef268965d3d89bdb5d317

    SHA512

    2060b937b4b8695030e11d93fecae67978a8ae0a81bf18a32ae9d1ffea962a18a99f1a00cfa785d5da491334da214ba65355cf2a8508d60054c0df3fcbe56d53

    Download Submit

  • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
    Filesize

    16B

    MD5

    f20a51d364241c5206e1a99d07c15948

    SHA1

    a0d0f2dcdd48b46a0ba0f8b7f3b03ac423114fa6

    SHA256

    a8b4ef0da05e026f9faea7c431657616ee1503594672304666bf22436a64d936

    SHA512

    ca817447b0533f0f7629be5fadc0f25fe32dccf4941a9c5923293c9f9dbbf5b3bd7d4936018ed2928c571f832ddfe2e15dfa0cc25a15adfea7713102f7ce746c

    Download Submit

  • memory/1512-9-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1512-10-0x0000000002800000-0x0000000002808000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1512-8-0x0000000002C70000-0x0000000002CF0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2248-33-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2248-40-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2248-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2248-3-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2248-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2248-1-0x0000000000DE0000-0x0000000000E06000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2464-38-0x0000000001340000-0x0000000001366000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2804-17-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2804-16-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

    Download