Analysis

  • max time kernel
    123s
  • max time network
    140s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20241211-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    18-12-2024 19:34

General

  • Target

    Loli-Mod-main/y.exe

  • Size

    38KB

  • MD5

    9212396ec7e75aee632a2304c9050bb3

  • SHA1

    ecd187b60d5619ba78ab54bdd43ab9419ca4a72d

  • SHA256

    6b82fc5f7ed107648cdb24ebd5f2aa0cff16af9d736ac8455175498a7ad47266

  • SHA512

    b00528fa583cbd17b4a7b3f474c8177a288d95ab0f80aca1381434cb15df7fe0b2a9b7d6ea95d4ec55e8ad279f7473db07dde82d1ec408a46cbb60b4e4c5d2a4

  • SSDEEP

    768:AXI+D3yb6a5up+I3pHGFyw9/PO6rO/hbPNQU:AnDiHDsEFr9HO6rO/NOU

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

GQrSWs3TiKJsppyp

Attributes
  • Install_directory

    %AppData%

  • install_file

    COM Surogate.exe

  • pastebin_url

    https://pastebin.com/raw/EJ2UmS6u

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe
    "C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'y.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\COM Surogate.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'COM Surogate.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2584
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "COM Surogate" /tr "C:\Users\Admin\AppData\Roaming\COM Surogate.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2576
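The process tree above shows the two behaviours worth turning into detections: four `Add-MpPreference` calls that exclude both the dropper (`y.exe`) and the persistence copy (`COM Surogate.exe`) from Windows Defender, and a `schtasks /create` that re-launches the copy every minute at `/RL HIGHEST`. The following Python script is an added example, not part of this sandbox report or of the XWorm sample; it re-enters the command lines above as constructed sample input, extracts the exclusion targets and task parameters, and correlates them so a scheduled-task action that was also excluded from Defender stands out. Rule and field names (`defender_exclusion`, `schtasks_create`, and so on) are this example's own.

```python
"""Offline triage of sandbox command lines: Defender exclusion tampering
and minute-interval schtasks persistence. Added example, not report code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample input: the child-process command lines from this report.
_PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe"',
    _PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe'",
    _PS + r"Add-MpPreference -ExclusionProcess 'y.exe'",
    _PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\COM Surogate.exe'",
    _PS + r"Add-MpPreference -ExclusionProcess 'COM Surogate.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "COM Surogate" /tr "C:\Users\Admin\AppData\Roaming\COM Surogate.exe"',
]


@dataclass(frozen=True)
class Finding:
    rule: str    # which detection fired (names are this example's own)
    detail: str  # which field of that rule
    value: str   # the extracted value (path, task name, run level, ...)


# Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension <value>;
# the value may be single-quoted, double-quoted or bare.
_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
_EXEC_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass\b", re.IGNORECASE)
_SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\"?\s+.*?/create\b", re.IGNORECASE)
# schtasks options of interest; quoted values keep their embedded spaces.
_SCHTASKS_OPT_RE = re.compile(r"/(sc|mo|rl|tn|tr)\s+(?:\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def detect_defender_exclusions(cmdline: str) -> List[Finding]:
    """Flag every Defender exclusion added on this command line."""
    out: List[Finding] = []
    for m in _EXCLUSION_RE.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)
        out.append(Finding("defender_exclusion", "Exclusion" + m.group(1).capitalize(), value))
    return out


def detect_schtasks_persistence(cmdline: str) -> List[Finding]:
    """Flag schtasks /create and pull out task name, action, run level and cadence."""
    if not _SCHTASKS_CREATE_RE.search(cmdline):
        return []
    opts = {}
    for m in _SCHTASKS_OPT_RE.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    out = [Finding("schtasks_create", "task", opts.get("tn", "<unnamed>"))]
    if "tr" in opts:
        out.append(Finding("schtasks_create", "action", opts["tr"]))
    if opts.get("rl", "").upper() == "HIGHEST":
        out.append(Finding("schtasks_create", "runlevel", "HIGHEST"))
    if opts.get("sc", "").lower() == "minute":
        # schtasks defaults /mo to 1 when omitted; a one-minute cadence is a
        # re-launch watchdog, not a normal maintenance task.
        mo = opts.get("mo", "1")
        out.append(Finding("schtasks_create", "interval_minutes", mo if mo.isdigit() else "?"))
    return out


def triage(cmdlines: Iterable[str]) -> List[Finding]:
    """Run all detections over a list of command lines."""
    findings: List[Finding] = []
    for c in cmdlines:
        if _EXEC_BYPASS_RE.search(c):
            findings.append(Finding("powershell_execpolicy_bypass", "flag", "Bypass"))
        findings.extend(detect_defender_exclusions(c))
        findings.extend(detect_schtasks_persistence(c))
    return findings


def persisted_and_excluded(findings: Iterable[Finding]) -> Set[str]:
    """Paths that are both a scheduled-task action and a Defender path exclusion."""
    fs = list(findings)
    excluded = {f.value.lower() for f in fs if f.rule == "defender_exclusion" and f.detail == "ExclusionPath"}
    actions = {f.value.lower() for f in fs if f.rule == "schtasks_create" and f.detail == "action"}
    return excluded & actions


if __name__ == "__main__":
    results = triage(SAMPLE_CMDLINES)
    for f in results:
        print(f"[{f.rule}] {f.detail}: {f.value}")
    print("persisted AND excluded:", persisted_and_excluded(results))
```

On this sample the correlation returns the single path `C:\Users\Admin\AppData\Roaming\COM Surogate.exe`: the file the task re-launches every minute is the same file the malware excluded from scanning, which is the combination to alert on rather than either event alone.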

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    26c94c408a5a2e1e04f1191fc2902d3e

    SHA1

    ce50b153be03511bd62a477abf71a7e9f94e68a5

    SHA256

    86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

    SHA512

    70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    cd3ff24033bcac59bacd562de7e8f81e

    SHA1

    eb9bf2d35583075801c7faf9705f5bcfea9b9cda

    SHA256

    786ab4b8f344487365ba7e3bbe4ea8a2e310a25a42a5c579dd647b807d8e3875

    SHA512

    9b86fd5d942fb9031a87bfc4c552fc1286b72e53da43b2cb6e256c9332c3310f92453e04779a0d95a29201d8b90c7b043b754e1f43ea30f4176191e8050e946a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    29daeef2e92579b02c2a864fad203359

    SHA1

    2cd0b964ebcc0c7646370fe14416df2704f1d96f

    SHA256

    ffd227efd83ecda5b9716eea0086c1c71f76c6186cd0c1c3b60bd6a139e49d51

    SHA512

    7091fa3f254fbcc3dafc4f982960b673c672f04b87c1640a517edf0b47742f6d64ecda901a08ea5d949cef4914daadf1adea20260171d87d8e3d0a38f23d30c7

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynla0cws.jhx.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3396-13-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/3396-14-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/3396-15-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/3396-16-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/3396-17-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/3396-20-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/3396-12-0x000002265CDA0000-0x000002265CDC2000-memory.dmp

    Filesize

    136KB

  • memory/5108-0-0x00007FFC7DB03000-0x00007FFC7DB05000-memory.dmp

    Filesize

    8KB

  • memory/5108-2-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB

  • memory/5108-1-0x0000000000050000-0x0000000000060000-memory.dmp

    Filesize

    64KB

  • memory/5108-59-0x00007FFC7DB00000-0x00007FFC7E5C2000-memory.dmp

    Filesize

    10.8MB