Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/12/2024, 23:08 UTC

General

  • Target

    winlogoc.exe

  • Size

    72KB

  • MD5

    33fba80c2580eebf95e25dea03331f68

  • SHA1

    d0ed67fbbff537eb393206fc41c18d59b9a4bb3c

  • SHA256

    4cbe94aefe8a24ebac9fb5c11c1efc89c15b1a7b1a2bf3587baface318ee4b2b

  • SHA512

    8213c45c68a38984a2ad11ab0651ae9933dc538ff260e31753f2f9c3aacff038048bcf2680bb7993b5f4005f48ae7e5c74e7325bdf6ef20df1ae7aa58f7ae4bc

  • SSDEEP

    1536:UzF1OeqsJlPPf/TpX0bOc2yu/n+77QOI3taVwi4y:yFBibOL/nSsOI3tR5y

Malware Config

Extracted

Family

xworm

C2

SLL.casacam.net:4444

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Interrupi.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\winlogoc.exe (PID 2988)
    "C:\Users\Admin\AppData\Local\Temp\winlogoc.exe"
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\System32\schtasks.exe (PID 3840)
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Interrupi" /tr "C:\Users\Admin\AppData\Local\Interrupi.exe"
      • Scheduled Task/Job: Scheduled Task
  • C:\Users\Admin\AppData\Local\Interrupi.exe (PID 4724)
    C:\Users\Admin\AppData\Local\Interrupi.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Admin\AppData\Local\Interrupi.exe (PID 3468)
    C:\Users\Admin\AppData\Local\Interrupi.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Admin\AppData\Local\Interrupi.exe (PID 4328)
    C:\Users\Admin\AppData\Local\Interrupi.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken

    The three Interrupi.exe instances sit at the top level of the tree rather than under winlogoc.exe, which is what the task created by PID 3840 produces: it fires every minute (/sc minute /mo 1), asks for the highest privileges the creating account can get (/RL HIGHEST), and /f lets it silently replace any existing task named "Interrupi". Repeated launches over the 149 s the sample ran are the scheduler doing its job, not the sample spawning children.
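
The schtasks.exe command line recorded above is the single most useful host artifact in this report, so here is an added example (not code from the report and not part of XWorm) that parses such a command line and scores the traits that make it look like malware persistence. The weights, the threshold and the two comparison command lines are this example's own assumptions; the first command line is the one the report records for PID 3840.

```python
"""Score a schtasks.exe command line for malware-style persistence traits.

Added example, not code from the sandbox report or from the XWorm family.
Weights, threshold and the two comparison command lines are this example's
own choices; the "report" command line is transcribed from PID 3840 above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed inputs: "report" is transcribed from the process tree above;
# the other two are made-up command lines for comparison.
SAMPLE_COMMAND_LINES = {
    "report": (
        '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST '
        '/sc minute /mo 1 /tn "Interrupi" '
        '/tr "C:\\Users\\Admin\\AppData\\Local\\Interrupi.exe"'
    ),
    "benign_updater": (
        'schtasks.exe /create /sc daily /st 03:00 /tn "Vendor Update" '
        '/tr "C:\\Program Files\\Vendor\\update.exe"'
    ),
    "borderline": (
        'schtasks.exe /create /sc minute /mo 30 /tn "Sync" '
        '/tr "C:\\Users\\Admin\\AppData\\Local\\Sync\\sync.exe"'
    ),
}

# Locations an unprivileged user can write to. A task action living here can
# be swapped out without touching protected program directories.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

SUSPICIOUS_THRESHOLD = 5  # assumption: tune against your own telemetry


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace while keeping double-quoted spans as one token."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | None]:
    """Map each /option (lower-cased) to its value; bare switches such as /f map to None."""
    tokens = tokenize(cmdline)
    opts: dict[str, str | None] = {}
    i = 1  # tokens[0] is the schtasks.exe image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[key] = nxt
                i += 2
                continue
            opts[key] = None
        i += 1
    return opts


@dataclass
class Verdict:
    task_name: str | None
    action: str | None
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def assess(cmdline: str) -> Verdict:
    """Apply the heuristics to one /create invocation; anything else scores 0."""
    opts = parse_schtasks(cmdline)
    verdict = Verdict(task_name=opts.get("tn"), action=opts.get("tr"))
    if "create" not in opts:
        return verdict
    schedule = (opts.get("sc") or "").lower()
    modifier = opts.get("mo") or ""
    if schedule == "minute" and modifier.isdigit() and int(modifier) <= 5:
        verdict.score += 3
        verdict.reasons.append(f"re-runs every {modifier} minute(s): watchdog-style persistence")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        verdict.score += 2
        verdict.reasons.append("/RL HIGHEST: runs with the highest privileges the account can get")
    if any(marker in (verdict.action or "").lower() for marker in USER_WRITABLE_MARKERS):
        verdict.score += 3
        verdict.reasons.append("task action lives under a user-writable directory")
    if "f" in opts:
        verdict.score += 1
        verdict.reasons.append("/f silently overwrites an existing task of the same name")
    return verdict


if __name__ == "__main__":
    for label, cmdline in SAMPLE_COMMAND_LINES.items():
        v = assess(cmdline)
        print(f"{label}: score={v.score} suspicious={v.suspicious} task={v.task_name!r}")
        for reason in v.reasons:
            print("   -", reason)
```

Fed the report's command line, the scorer returns 9 with all four reasons; the made-up daily updater under Program Files scores 0, and a 30-minute task under AppData scores 3, below the threshold. The same parser works on Sysmon Event ID 1 or 4688 command-line fields, which is where you would run it outside a sandbox.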

Network

  • DNS 241.150.49.20.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS 134.32.126.40.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS SLL.casacam.net IN A
    Process: winlogoc.exe
    Resolver: 8.8.8.8:53
    Response: SLL.casacam.net IN A 45.245.249.248
  • DNS 248.249.245.45.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS 104.219.191.52.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS 53.210.109.20.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS 198.187.3.20.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS 182.129.81.91.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded
  • DNS 14.227.111.52.in-addr.arpa IN PTR
    Resolver: 8.8.8.8:53
    Response: none recorded

    Only the A lookup for SLL.casacam.net is attributed to a process (winlogoc.exe). The PTR lookups carry no process attribution in the report and got no recorded answer; one of them (248.249.245.45.in-addr.arpa) is the reverse of the resolved C2 address 45.245.249.248, the rest reverse unrelated addresses and should not be treated as indicators on the strength of this report alone.
  Connections

  Remote address         Domain                         Process        Sent      Received  Packets (out / in)
  45.245.249.248:4444    SLL.casacam.net                winlogoc.exe   287.6kB   5.6kB     257 / 118
  8.8.8.8:53 (dns)       241.150.49.20.in-addr.arpa     -              72 B      158 B     1 / 1
  8.8.8.8:53 (dns)       134.32.126.40.in-addr.arpa     -              72 B      158 B     1 / 1
  8.8.8.8:53 (dns)       SLL.casacam.net                winlogoc.exe   61 B      77 B      1 / 1
  8.8.8.8:53 (dns)       248.249.245.45.in-addr.arpa    -              73 B      127 B     1 / 1
  8.8.8.8:53 (dns)       104.219.191.52.in-addr.arpa    -              73 B      147 B     1 / 1
  8.8.8.8:53 (dns)       53.210.109.20.in-addr.arpa     -              72 B      158 B     1 / 1
  8.8.8.8:53 (dns)       198.187.3.20.in-addr.arpa      -              71 B      157 B     1 / 1
  8.8.8.8:53 (dns)       182.129.81.91.in-addr.arpa     -              72 B      147 B     1 / 1
  8.8.8.8:53 (dns)       14.227.111.52.in-addr.arpa     -              72 B      158 B     1 / 1

  "-" means the report lists no process for the row. Sent and Received are bytes from the sandbox host to the remote address and back: the 61 B / 77 B row is the A query for SLL.casacam.net and its answer (DNS response: 45.245.249.248), and the 72 B / 158 B rows are PTR queries with no answer recorded in the report. The 4444/tcp session to the resolved C2 address is the only non-DNS connection, with roughly fifty times more data leaving the host than arriving.
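
As an added example (not code from the report), the following turns the records above into indicators while keeping the process attribution the sandbox gives them. The DNS and connection values are transcribed from the report; the record types, the (process, ip) join that decides what counts as the sample's C2, and the PTR-name decoding are this example's own.

```python
"""Turn the report's Network section into indicators with process attribution.

Added example, not code from the sandbox report. The DNS and connection
records below are transcribed from the report; everything else (the record
types, the join logic, the PTR decoding) is this example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    name: str
    qtype: str
    process: str | None        # None where the report lists no process
    answers: tuple[str, ...]   # empty where the report records no response


@dataclass(frozen=True)
class Connection:
    remote: str                # "ip:port"
    domain: str | None
    process: str | None
    bytes_out: int
    bytes_in: int
    pkts_out: int
    pkts_in: int


# Transcribed from the report. Only the A query carries a process name.
DNS_RECORDS = [
    DnsRecord("241.150.49.20.in-addr.arpa", "PTR", None, ()),
    DnsRecord("134.32.126.40.in-addr.arpa", "PTR", None, ()),
    DnsRecord("SLL.casacam.net", "A", "winlogoc.exe", ("45.245.249.248",)),
    DnsRecord("248.249.245.45.in-addr.arpa", "PTR", None, ()),
    DnsRecord("104.219.191.52.in-addr.arpa", "PTR", None, ()),
    DnsRecord("53.210.109.20.in-addr.arpa", "PTR", None, ()),
    DnsRecord("198.187.3.20.in-addr.arpa", "PTR", None, ()),
    DnsRecord("182.129.81.91.in-addr.arpa", "PTR", None, ()),
    DnsRecord("14.227.111.52.in-addr.arpa", "PTR", None, ()),
]
CONNECTIONS = [
    Connection("45.245.249.248:4444", "SLL.casacam.net", "winlogoc.exe", 287_600, 5_600, 257, 118),
]


def ptr_to_ip(name: str) -> str | None:
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None for anything that is not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def reverse_lookups(records: list[DnsRecord]) -> dict[str, bool]:
    """IPs that were reverse-resolved, mapped to whether a PTR answer was recorded."""
    result: dict[str, bool] = {}
    for rec in records:
        if rec.qtype != "PTR":
            continue
        ip = ptr_to_ip(rec.name)
        if ip is not None:
            result[ip] = bool(rec.answers)
    return result


def c2_candidates(records: list[DnsRecord], conns: list[Connection]) -> list[dict]:
    """Connections on a non-DNS port whose peer IP the same process resolved itself.

    Joining on (process, ip) rather than ip alone keeps unattributed OS
    background lookups from being blamed on the sample.
    """
    resolved_by: dict[tuple[str, str], str] = {}
    for rec in records:
        if rec.qtype in ("A", "AAAA") and rec.process:
            for ip in rec.answers:
                resolved_by[(rec.process, ip)] = rec.name
    reversed_ips = reverse_lookups(records)
    found = []
    for conn in conns:
        ip, _, port = conn.remote.rpartition(":")
        if port == "53" or conn.process is None:
            continue
        hostname = resolved_by.get((conn.process, ip))
        if hostname is None:
            continue
        found.append({
            "process": conn.process,
            "domain": hostname,
            "ip": ip,
            "port": int(port),
            "bytes_out": conn.bytes_out,
            "bytes_in": conn.bytes_in,
            "ptr_attempted": ip in reversed_ips,  # the sandbox also reverse-resolved this IP
            "outbound_ratio": round(conn.bytes_out / max(conn.bytes_in, 1), 1),
        })
    return found


if __name__ == "__main__":
    for hit in c2_candidates(DNS_RECORDS, CONNECTIONS):
        print("C2 candidate:", hit)
    for ip, answered in reverse_lookups(DNS_RECORDS).items():
        print(f"PTR lookup for {ip}: {'answered' if answered else 'no answer recorded'}")
```

Run as is, it yields exactly one C2 candidate, SLL.casacam.net at 45.245.249.248:4444 with an outbound-to-inbound byte ratio of about 51, and eight reverse-resolved IPs with no recorded answer. Dropping the process from the connection record makes the candidate disappear, which is the intended behaviour: a peer IP by itself is not evidence that the sample talked to it.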

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Interrupi.exe (same size and the same MD5/SHA1/SHA256/SHA512 as the submitted winlogoc.exe: the sample copies itself unchanged into the Install_directory and install_file from its extracted configuration)

    Filesize

    72KB

    MD5

    33fba80c2580eebf95e25dea03331f68

    SHA1

    d0ed67fbbff537eb393206fc41c18d59b9a4bb3c

    SHA256

    4cbe94aefe8a24ebac9fb5c11c1efc89c15b1a7b1a2bf3587baface318ee4b2b

    SHA512

    8213c45c68a38984a2ad11ab0651ae9933dc538ff260e31753f2f9c3aacff038048bcf2680bb7993b5f4005f48ae7e5c74e7325bdf6ef20df1ae7aa58f7ae4bc

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Interrupi.exe.log (a .NET Framework CLR usage log written when Interrupi.exe ran, consistent with the C# family attribution)

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • memory/2988-0-0x00007FFCD91D3000-0x00007FFCD91D5000-memory.dmp

    Filesize

    8KB

  • memory/2988-1-0x0000000000630000-0x0000000000648000-memory.dmp

    Filesize

    96KB

  • memory/2988-6-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/2988-7-0x00007FFCD91D3000-0x00007FFCD91D5000-memory.dmp

    Filesize

    8KB

  • memory/2988-8-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4724-11-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4724-13-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB
