Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2024, 17:38

General

  • Target

    FatalityCrack.exe

  • Size

    74KB

  • MD5

    44217b6e8f45f82ebffe92321639290b

  • SHA1

    6bd7da4585d438bc28d5350b9415b6d73b32e807

  • SHA256

    657dcc3378b3dbbd131926612fb00e67683ccbc64dc2d743fce213734804f427

  • SHA512

    a68f7f194aadd63dcfad5af49dac4def19748e8fb657ab4cc06b514a1a7a2f5fb42424cb1a54a259987487558f2f2c950a1fd219a59f9b27ef826774ae27e7c8

  • SSDEEP

    1536:FNhc3BhmLTzjuReXV2y+bo0QnRr6wDeTJPovOoRnaRxsZP:1cxEWRsV2y+boveoOoRN5

Malware Config

Extracted

Family

xworm

C2

userxmorma-27072.portmap.host:27072

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot8050356849:AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849
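
The extracted config above is what a responder turns into hunting indicators: the tunnelled C2 hostname and port, the Telegram bot the implant reports to, and the path the installer drops to. The Python below is an added example, not code from the report or from the sandbox vendor. The config values are copied from the report; the helper names, the default environment-variable table and the list of commonly borrowed system binary names are my own assumptions. The bot secret is redacted in the output because the indicator a hunter shares is the bot id, not a credential.

```python
# Added example (not part of the report): turn the extracted XWorm config
# above into hunting indicators. Config values are copied from the report;
# the helper names and the default-path table are mine.
from urllib.parse import urlsplit, parse_qs
import ntpath

# The four attributes exactly as the report lists them.
XWORM_CONFIG = {
    "C2": "userxmorma-27072.portmap.host:27072",
    "Install_directory": "%ProgramData%",
    "install_file": "svchost.exe",
    "telegram": ("https://api.telegram.org/bot8050356849:"
                 "AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849"),
}

# Default expansions on a stock Windows 10 install (assumption; the report's
# exclusion for C:\ProgramData\svchost.exe is consistent with it).
DEFAULT_ENV = {
    "%ProgramData%": r"C:\ProgramData",
    "%AppData%": r"C:\Users\Admin\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\Admin\AppData\Local",
}

# Names commonly borrowed by droppers; the genuine binaries live only here.
SYSTEM_BINARY_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe", "conhost.exe"}


def parse_c2(value):
    """Split 'host:port'; rpartition keeps any earlier colons in the host."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_telegram(url):
    """Pull bot id, secret, API method and chat_id out of a Bot API URL.

    Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>.
    """
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if not segments or not segments[0].startswith("bot"):
        raise ValueError("not a Telegram Bot API URL")
    token = segments[0][len("bot"):]
    bot_id, _, secret = token.partition(":")
    return {
        "host": parts.hostname,
        "method": segments[1] if len(segments) > 1 else None,
        "bot_id": bot_id,
        "secret": secret,
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def expand_install_path(directory, filename, env=DEFAULT_ENV):
    """Resolve the configured drop location to a concrete path."""
    return ntpath.join(env.get(directory, directory), filename)


def is_masquerading(path):
    """True if a system-binary name sits outside the system directories."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    return name in SYSTEM_BINARY_NAMES and parent not in SYSTEM_BINARY_DIRS


def defang(text):
    """Make a URL or hostname non-clickable for sharing."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def build_indicators(cfg):
    """Hunting indicators; the bot secret is redacted, the bot id kept."""
    host, port = parse_c2(cfg["C2"])
    tg = parse_telegram(cfg["telegram"])
    drop = expand_install_path(cfg["Install_directory"], cfg["install_file"])
    return {
        "c2_host": defang(host),
        "c2_port": port,
        "telegram_bot_id": tg["bot_id"],
        "telegram_chat_id": tg["chat_id"],
        "telegram_url": defang(cfg["telegram"].replace(tg["secret"], "<redacted>")),
        "drop_path": drop,
        "drop_path_masquerades_system_binary": is_masquerading(drop),
    }


if __name__ == "__main__":
    for key, value in build_indicators(XWORM_CONFIG).items():
        print(f"{key}: {value}")
```

The drop-path check is the one worth carrying into detection content: svchost.exe is only legitimate under System32 or SysWOW64, so a file of that name in %ProgramData% (or a Run key pointing at one) is a high-confidence indicator regardless of hash.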

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
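
The tree above is the detection opportunity: a binary in a user's Temp directory spawns four PowerShell children in a burst, each running Add-MpPreference with -ExecutionPolicy Bypass, and two of the exclusions point at user-writable locations (the sample itself and the svchost.exe drop in %ProgramData%). The Python below is an added example of that detection logic, not code from the report or from the sandbox vendor. The events are constructed to mirror the report's process tree in Sysmon Event ID 1 style fields with my own field names; the explorer.exe parent, the parent PIDs and the benign admin event are assumptions added for contrast.

```python
# Added example (not part of the report): detection logic for the pattern in
# the process tree above, a non-system parent spawning several PowerShell
# children that each add a Defender exclusion. Events are constructed to
# mirror the report's tree (Sysmon Event ID 1 style fields, my field names);
# the explorer.exe parent, PPIDs and the benign admin event are assumptions.
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def ps(args):
    """Build a powershell.exe command line the way the report prints them."""
    return f'"{PS}" {args}'


EVENTS = [
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4932, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"'},
    # The four children from the report, command lines as printed there.
    {"pid": 2648, "ppid": 4932, "image": PS, "cmdline": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'")},
    {"pid": 3728, "ppid": 4932, "image": PS, "cmdline": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'")},
    {"pid": 428, "ppid": 4932, "image": PS, "cmdline": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'")},
    {"pid": 2308, "ppid": 4932, "image": PS, "cmdline": ps(
        r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'")},
    # Constructed benign event: an admin excluding a build directory once.
    {"pid": 5100, "ppid": 1000, "image": PS, "cmdline": ps(
        r"Add-MpPreference -ExclusionPath 'D:\Builds'")},
]

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(Exclusion(?:Path|Process|Extension|IpAddress))\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.IGNORECASE)
# Directories an unprivileged user can write to; a path exclusion pointing
# here protects a user-dropped binary rather than a product install.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def find_exclusion_commands(events):
    """One finding per process whose command line adds a Defender exclusion."""
    findings = []
    for ev in events:
        m = EXCLUSION_RE.search(ev["cmdline"])
        if not m:
            continue
        target = m.group(2) or m.group(3) or m.group(4)
        findings.append({
            "pid": ev["pid"],
            "ppid": ev["ppid"],
            "param": m.group(1),
            "target": target,
            "execution_policy_bypass": bool(BYPASS_RE.search(ev["cmdline"])),
            "target_in_user_writable_dir": any(
                marker in target.lower() for marker in USER_WRITABLE),
        })
    return findings


def alert_on_parent(findings, events, threshold=2):
    """One alert per parent that spawned at least `threshold` exclusion adds.

    A single exclusion may be an admin at a console; a burst from one
    non-system binary is the tamper pattern the report's tree shows.
    """
    images = {ev["pid"]: ev["image"] for ev in events}
    by_parent = defaultdict(list)
    for f in findings:
        by_parent[f["ppid"]].append(f)
    alerts = []
    for ppid, fs in by_parent.items():
        if len(fs) < threshold:
            continue
        alerts.append({
            "parent_pid": ppid,
            "parent_image": images.get(ppid),
            "count": len(fs),
            "targets": sorted(f["target"] for f in fs),
            "all_bypass": all(f["execution_policy_bypass"] for f in fs),
        })
    return alerts


if __name__ == "__main__":
    for alert in alert_on_parent(find_exclusion_commands(EVENTS), EVENTS):
        print(alert)
```

This keys on a plain-text command line, which is what this sample exposes. A variant that passes the same cmdlet through -EncodedCommand, or that disables protection with Set-MpPreference instead of adding exclusions, is only visible in PowerShell script block logging (Event ID 4104), so process-creation telemetry alone is not sufficient coverage.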

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          09c38bf09493920e93b25f37f1ae4efe

          SHA1

          42e5d800056f08481870c4ca2d0d48181ca8edc8

          SHA256

          37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

          SHA512

          91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          28ca58288d3b7a6216f69a56b0f34fbe

          SHA1

          802089360b715e7c22cccd7b95ab4325ee389d87

          SHA256

          28033c0eddc6226e5f1d6f4362eff8407ce196e97821bc63ab260f2af929482a

          SHA512

          af4099c677d0122bc40599314ead2c4c69d254b4670baa42cf74906f28a16ac1e93bfa11e76ae9b23840f24decb4cdde82bfc039bda5297a07e5f2949b48b001

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          01fff31a70e26012f37789b179059e32

          SHA1

          555b6f05cce7daf46920df1c01eb5c55dc62c9e6

          SHA256

          adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

          SHA512

          ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          fd98baf5a9c30d41317663898985593b

          SHA1

          ea300b99f723d2429d75a6c40e0838bf60f17aad

          SHA256

          9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

          SHA512

          bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1k5t2mbk.srd.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/2648-11-0x000001FF34B10000-0x000001FF34B32000-memory.dmp

          Filesize

          136KB

        • memory/2648-14-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

          Filesize

          10.8MB

        • memory/2648-17-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

          Filesize

          10.8MB

        • memory/2648-13-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

          Filesize

          10.8MB

        • memory/2648-12-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

          Filesize

          10.8MB

        • memory/4932-0-0x00007FFEEDD43000-0x00007FFEEDD45000-memory.dmp

          Filesize

          8KB

        • memory/4932-1-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

          Filesize

          96KB

        • memory/4932-56-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

          Filesize

          10.8MB

        • memory/4932-57-0x00007FFEEDD43000-0x00007FFEEDD45000-memory.dmp

          Filesize

          8KB

        • memory/4932-58-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

          Filesize

          10.8MB