Resubmissions

30/12/2024, 18:08

241230-wq65vasldj 10

30/12/2024, 17:46

241230-wcs13atqgv 10

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 17:46

General

  • Target

    FatalityCrack.exe

  • Size

    74KB

  • MD5

    44217b6e8f45f82ebffe92321639290b

  • SHA1

    6bd7da4585d438bc28d5350b9415b6d73b32e807

  • SHA256

    657dcc3378b3dbbd131926612fb00e67683ccbc64dc2d743fce213734804f427

  • SHA512

    a68f7f194aadd63dcfad5af49dac4def19748e8fb657ab4cc06b514a1a7a2f5fb42424cb1a54a259987487558f2f2c950a1fd219a59f9b27ef826774ae27e7c8

  • SSDEEP

    1536:FNhc3BhmLTzjuReXV2y+bo0QnRr6wDeTJPovOoRnaRxsZP:1cxEWRsV2y+boveoOoRN5

Malware Config

Extracted

Family

xworm

C2

userxmorma-27072.portmap.host:27072

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot8050356849:AAGkujkVbiAoFzC-JTeiZPs5sCb3sdrY2sU/sendMessage?chat_id=8050356849

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FatalityCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FatalityCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          9baefc4aa26fd23023e087a78289110e

          SHA1

          bc28e8a45bb38479e5e83f97040792efcb7a5069

          SHA256

          d892311ede2c1d2831c61b905c25b1b9229384a11dc5c5ba0f2cd6cad2975b96

          SHA512

          93355a84948545f029d1157c4e62c74a602660e933be41c928cbafc279184fddf995f35d699d40279909e62c5b36bfa34e18069bfee9638739dce5523de3239a

        • memory/2736-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

          Filesize

          4KB

        • memory/2736-1-0x0000000000A30000-0x0000000000A48000-memory.dmp

          Filesize

          96KB

        • memory/2736-30-0x000000001B250000-0x000000001B2D0000-memory.dmp

          Filesize

          512KB

        • memory/2736-31-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

          Filesize

          4KB

        • memory/2736-32-0x000000001B250000-0x000000001B2D0000-memory.dmp

          Filesize

          512KB

        • memory/2740-14-0x000000001B6A0000-0x000000001B982000-memory.dmp

          Filesize

          2.9MB

        • memory/2740-15-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

          Filesize

          32KB

        • memory/2776-6-0x0000000002B10000-0x0000000002B90000-memory.dmp

          Filesize

          512KB

        • memory/2776-7-0x000000001B7A0000-0x000000001BA82000-memory.dmp

          Filesize

          2.9MB

        • memory/2776-8-0x0000000000560000-0x0000000000568000-memory.dmp

          Filesize

          32KB