Analysis

  • max time kernel
    132s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 17:43

General

  • Target

    FatalityCrack.exe

  • Size

    74KB

  • MD5

    44217b6e8f45f82ebffe92321639290b

  • SHA1

    6bd7da4585d438bc28d5350b9415b6d73b32e807

  • SHA256

    657dcc3378b3dbbd131926612fb00e67683ccbc64dc2d743fce213734804f427

  • SHA512

    a68f7f194aadd63dcfad5af49dac4def19748e8fb657ab4cc06b514a1a7a2f5fb42424cb1a54a259987487558f2f2c950a1fd219a59f9b27ef826774ae27e7c8

  • SSDEEP

    1536:FNhc3BhmLTzjuReXV2y+bo0QnRr6wDeTJPovOoRnaRxsZP:1cxEWRsV2y+boveoOoRN5

Malware Config

Extracted

Family

xworm

C2

userxmorma-27072.portmap.host:27072

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot8050356849:AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to change Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is no longer scanned.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
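The two host-side artefacts worth hunting for in this run are the Defender exclusions added through PowerShell in the process tree above and the svchost.exe install target from the Malware Config section (install_directory %ProgramData%, install_file svchost.exe). The Python below is an added example, not part of the sandbox report or of the Xworm family analysis: it parses constructed Sysmon-style process-creation events modelled on the tree above, extracts every Add-MpPreference exclusion, and flags any svchost.exe that is not the genuine one in System32 or SysWOW64. The event field names (ProcessId, Image, CommandLine) and the final event, in which the %ProgramData% copy is actually running, are assumptions; this run did not show that copy executing.

```python
r"""Added triage example for the behaviours in this report (not the report's own code).

Input is a list of constructed Sysmon/4688-style process-creation events built
from the process tree above. The field names are an assumption; so is the last
event, which models the C:\ProgramData\svchost.exe copy being started.
"""
import ntpath
import re
from typing import Iterable

_ADD_MP_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# One -ExclusionPath / -ExclusionProcess / -ExclusionExtension argument,
# single-quoted, double-quoted or bare.
_EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
# The only directories a genuine svchost.exe lives in on 64-bit Windows.
_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """Return (kind, value) for each exclusion an Add-MpPreference command adds."""
    if not _ADD_MP_RE.search(cmdline):
        return []
    found = []
    for m in _EXCLUSION_RE.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)
        found.append((m.group(1).capitalize(), value))
    return found


def is_nonsystem_svchost(path: str) -> bool:
    """True for a full path to svchost.exe outside System32/SysWOW64.

    A bare file name carries no directory, so it cannot be judged and returns False.
    """
    if ntpath.basename(path).lower() != "svchost.exe":
        return False
    directory = ntpath.dirname(path).lower()
    return bool(directory) and directory not in _SVCHOST_DIRS


def triage(events: Iterable[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, finding, detail) tuples for the behaviours this report flags."""
    findings = []
    for ev in events:
        pid, image = ev["ProcessId"], ev.get("Image", "")
        for kind, value in parse_defender_exclusions(ev.get("CommandLine", "")):
            findings.append((pid, "defender_exclusion", f"{kind}: {value}"))
            if is_nonsystem_svchost(value):
                findings.append((pid, "nonsystem_svchost_excluded", value))
            elif kind == "Process" and not ntpath.dirname(value):
                # A bare-name process exclusion matches every process with that
                # name wherever it runs from, so 'svchost.exe' also covers the
                # copy dropped in %ProgramData%.
                findings.append((pid, "bare_name_process_exclusion", value))
        if is_nonsystem_svchost(image):
            findings.append((pid, "nonsystem_svchost_running", image))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _ps(pid: int, args: str) -> dict:
    """Build a constructed PowerShell child event of the sample, as seen in the tree."""
    return {"ProcessId": pid, "ParentProcessId": 2304, "Image": PS,
            "CommandLine": f'"{PS}" -ExecutionPolicy Bypass {args}'}


# Constructed events modelled on the process tree in this report.
SAMPLE_EVENTS = [
    {"ProcessId": 2304, "ParentProcessId": 1,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"'},
    _ps(2172, r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'"),
    _ps(2512, r"Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'"),
    _ps(2868, r"Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'"),
    _ps(2696, r"Add-MpPreference -ExclusionProcess 'svchost.exe'"),
    # Assumed follow-on event (not observed in this run): the installed copy starts.
    {"ProcessId": 3000, "ParentProcessId": 2304,
     "Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": r'"C:\ProgramData\svchost.exe"'},
]

if __name__ == "__main__":
    for pid, finding, detail in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding} ({detail})")
```

The same `parse_defender_exclusions` check can be pointed at real 4688 or Sysmon Event ID 1 command lines; the exclusions it extracts are also what to remove (Remove-MpPreference) and what to compare against Get-MpPreference output when cleaning a host, since the exclusions persist after the sample is gone.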

Network

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          8e840721ec9d0989f41306bb1f7bb46f

          SHA1

          a9603b6606978355ac9a7d672e68f02c07a8b86d

          SHA256

          27a6c8f3ce6e558dba7b32ca59b8ee5e759e96ae6eb0172fa8e2a3396a4b6955

          SHA512

          72c63931172431619edcca7b056f3ebb12717deabe2ee50595053ce3122794ecc1f857d5262b9fc7bcdffcd423b71beed4ec61c7615fce6d70fb652900c0e139

        • memory/2172-6-0x00000000025F0000-0x0000000002670000-memory.dmp

          Filesize

          512KB

        • memory/2172-7-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

          Filesize

          2.9MB

        • memory/2172-8-0x0000000002410000-0x0000000002418000-memory.dmp

          Filesize

          32KB

        • memory/2304-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

          Filesize

          4KB

        • memory/2304-1-0x00000000000B0000-0x00000000000C8000-memory.dmp

          Filesize

          96KB

        • memory/2304-23-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

          Filesize

          4KB

        • memory/2304-33-0x000000001B310000-0x000000001B390000-memory.dmp

          Filesize

          512KB

        • memory/2304-34-0x000000001B310000-0x000000001B390000-memory.dmp

          Filesize

          512KB

        • memory/2512-14-0x000000001B180000-0x000000001B462000-memory.dmp

          Filesize

          2.9MB

        • memory/2512-15-0x0000000002490000-0x0000000002498000-memory.dmp

          Filesize

          32KB