Analysis

  • max time kernel
    50s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    31-12-2024 16:39

Errors

Reason
Machine shutdown: the sample itself ran shutdown.exe /f /s /t 0 (PID 320 in the process tree below), so the guest powered off before the 50s budget was used. Anything that would have happened after the reboot, including the first execution of the scheduled XClient task and its C2 traffic, is not captured in this run.

General

  • Target

    questmodinstaller.exe

  • Size

    176KB

  • MD5

    ed369f4bf4345b9a0680f904495cd101

  • SHA1

    6dceb43de613608cc8468998605eb4b7836b2412

  • SHA256

    8d59ef4f887ea68153faebb1ac97e69319087ff059903d4b26d1961828a8cbca

  • SHA512

    48b4f2b3a87b76985d6c1b513fa261c822ffd4ae5aa9f8b9cbd9e8dafa684bc0a4cb23a16b8202bd33717a3834c1b54ef9266ca1e27db251dc83752c54eb4761

  • SSDEEP

    3072:gNOFXeivN1tvdibFsmIlOo2FzRbSHNBz65/M6If+3Js+3JFkKeTno:g05vNwbFGHNxBt25

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:53655

147.185.221.24::53655

147.185.221.24:53655

topics-properties.gl.at.ply.gg:53655

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe
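The C2 list above is printed exactly as the config extractor emitted it, including a malformed entry with a doubled colon and a loopback address that is not a usable indicator. The following is an added example (not part of the sandbox report) that normalises that list into blockable endpoints: it tolerates the `::` artifact, deduplicates, drops loopback/private placeholders and labels the `*.ply.gg` hostname as a playit.gg tunnel endpoint (that labelling is the example's own assumption about the service behind the domain).

```python
"""Normalise the extracted XWorm C2 list into blockable indicators.

Added example, not part of the sandbox report. RAW_C2 is copied verbatim from
the Malware Config section, malformed entry included.
"""
import ipaddress

RAW_C2 = [
    "127.0.0.1:53655",
    "147.185.221.24::53655",          # doubled ':' as printed by the extractor
    "147.185.221.24:53655",
    "topics-properties.gl.at.ply.gg:53655",
]


def parse_endpoint(entry):
    """Split 'host:port' into (host, int port); tolerate 'host::port'; None if unusable."""
    host, sep, port = entry.rpartition(":")
    host = host.rstrip(":")          # '147.185.221.24::53655' -> '147.185.221.24'
    if not sep or not host or not port.isdigit():
        return None
    port = int(port)
    if not 0 < port < 65536:
        return None
    return host, port


def classify(host):
    """Label a host as placeholder (loopback/private), public-ip, domain or domain-tunnel."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Assumption for this example: *.ply.gg is the playit.gg tunnelling service,
        # so the real operator address sits behind a relay and can change.
        if host.lower().endswith(".ply.gg"):
            return "domain-tunnel"
        return "domain"
    if ip.is_loopback or ip.is_private:
        return "placeholder"         # not reachable from a victim; no value as an IOC
    return "public-ip"


def build_indicators(raw):
    """Dedupe and classify every parseable entry; returns {'host:port': label}."""
    indicators = {}
    for entry in raw:
        parsed = parse_endpoint(entry)
        if parsed is None:
            continue
        host, port = parsed
        indicators[f"{host}:{port}"] = classify(host)
    return indicators


def blocklist(raw):
    """Sorted endpoints worth blocking: everything that is not a placeholder."""
    return sorted(ep for ep, label in build_indicators(raw).items() if label != "placeholder")


if __name__ == "__main__":
    for ep, label in build_indicators(RAW_C2).items():
        print(f"{label:14} {ep}")
    print("block:", blocklist(RAW_C2))
```

Port 53655 is shared by every entry, so a single egress rule on that port plus the two non-placeholder endpoints covers what this config exposes; the tunnel hostname should be treated as volatile and re-resolved rather than pinned to an IP.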

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, or processes. Here the sample excludes both its own path and process name and the dropped XClient.exe before scheduling it (see Processes).

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here a task named "XClient" is created with /RL HIGHEST that runs %AppData%\XClient.exe every minute.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\questmodinstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\questmodinstaller.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\questmodinstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'questmodinstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2996
    • C:\Windows\system32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:320
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3D4DB127-CBE8-433E-A2D5-EEEB7D3B835E} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2144
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1060
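The Signatures and Processes sections above give the full installer chain as command lines: four Add-MpPreference exclusions, one schtasks /create with /RL HIGHEST and a one-minute trigger pointing into %AppData%, and a forced shutdown, all children of a binary running from %Temp%. The following is an added example (not part of the sandbox report) of detection logic a practitioner could run over process-creation telemetry: it parses those command lines, scores each parent on what its children did, and ties the Defender exclusion to the scheduled task when both name the same binary. The events are constructed Sysmon Event ID 1 style records whose command lines are copied from the Processes section; the short `image` values, the root process's ppid and the benign backup task are assumptions for illustration.

```python
"""Detection logic for the installer chain in this report's process tree.

Added example, not part of the sandbox report. Command lines below are copied
from the Processes section; image names, the root ppid and the benign task
are constructed for illustration.
"""
import re
from collections import defaultdict

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '

EVENTS = [
    {"pid": 1744, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\questmodinstaller.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\questmodinstaller.exe"'},
    {"pid": 2796, "ppid": 1744, "image": "powershell.exe",
     "cmdline": PS + r"-ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\questmodinstaller.exe'"},
    {"pid": 2452, "ppid": 1744, "image": "powershell.exe",
     "cmdline": PS + r"-ExclusionProcess 'questmodinstaller.exe'"},
    {"pid": 2776, "ppid": 1744, "image": "powershell.exe",
     "cmdline": PS + r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"},
    {"pid": 2340, "ppid": 1744, "image": "powershell.exe",
     "cmdline": PS + r"-ExclusionProcess 'XClient.exe'"},
    {"pid": 2996, "ppid": 1744, "image": "schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"'},
    {"pid": 320, "ppid": 1744, "image": "shutdown.exe", "cmdline": "shutdown.exe /f /s /t 0"},
    # Constructed benign task so the rules have something to leave alone.
    {"pid": 4100, "ppid": 900, "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]

EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def user_writable(path):
    """True for locations a standard user can write to, where droppers usually live."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_defender_tamper(cmdline):
    """Return [(kind, value), ...] for every exclusion added with Add-MpPreference."""
    if not re.search(r"add-mppreference", cmdline, re.I):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)   # whichever quoting matched
        found.append((m.group(1).lower(), value))
    return found


def schtasks_flag(cmdline, flag):
    """Value of a schtasks /flag, quoted or bare; None when the flag is absent."""
    m = re.search(r"/%s\s+(?:\"([^\"]*)\"|(\S+))" % flag, cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_schtasks_persistence(cmdline):
    """Reasons a 'schtasks /create' looks like malware persistence ({} when none)."""
    if not re.search(r"schtasks(\.exe)?\b.*\s/create\b", cmdline, re.I):
        return {}
    sc, mo, rl, tr = (schtasks_flag(cmdline, f) for f in ("sc", "mo", "rl", "tr"))
    every = int(mo) if mo and mo.isdigit() else 1          # schtasks defaults /mo to 1
    reasons = {}
    if sc and sc.lower() == "minute" and every <= 5:
        reasons["high_frequency"] = f"every {every} minute(s)"
    if rl and rl.upper() == "HIGHEST":
        reasons["highest_runlevel"] = True
    if tr and user_writable(tr):
        reasons["user_writable_target"] = tr
    if reasons:
        reasons["task_name"] = schtasks_flag(cmdline, "tn")
    return reasons


def check_forced_shutdown(cmdline):
    """True for a shutdown command that powers off (/s); this run ended that way."""
    return bool(re.search(r"\bshutdown(\.exe)?\b", cmdline, re.I)) and "/s" in cmdline.lower().split()


def triage(events):
    """Correlate child findings under each parent pid; returns {ppid: summary with score}."""
    by_parent = defaultdict(lambda: {"exclusions": [], "tasks": [], "shutdown": False, "score": 0})
    images = {e["pid"]: e["image"] for e in events}
    for ev in events:
        excl = check_defender_tamper(ev["cmdline"])
        task = check_schtasks_persistence(ev["cmdline"])
        shut = check_forced_shutdown(ev["cmdline"])
        if not (excl or task or shut):
            continue
        rec = by_parent[ev["ppid"]]
        rec["exclusions"] += excl
        if task:
            rec["tasks"].append(task)
        rec["shutdown"] = rec["shutdown"] or shut
    for ppid, rec in by_parent.items():
        excluded = {v.lower() for _, v in rec["exclusions"]}
        # An exclusion naming the very binary a task will launch is the strongest link.
        linked = any(t.get("user_writable_target", "").lower() in excluded for t in rec["tasks"])
        rec["score"] = (2 * bool(rec["exclusions"]) + 2 * bool(rec["tasks"]) + rec["shutdown"]
                        + user_writable(images.get(ppid, "")) + linked)
    return dict(by_parent)


if __name__ == "__main__":
    for ppid, rec in triage(EVENTS).items():
        print(ppid, rec["score"], rec)
```

Only the Temp-resident parent (PID 1744) is reported; the nightly backup task scores nothing because it is daily, unprivileged and targets Program Files. The scoring weights are the example's own; what carries over to a real rule set is the correlation step, since each of these children on its own (one exclusion, one task, one shutdown) is common in legitimate administration.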

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        d65a68e03e0b447bdcefd19c191decb9

        SHA1

        714a28083549200606ba97a34183d230dd12c7a1

        SHA256

        e1d368d6462332f717dc58566329def8fd444bfba1e211087a28b3dc8b02fd3f

        SHA512

        d55e5738b21205c44a79ae6004f753fbc38a6c9581ceee389dbf9d2df6f7354c23a2ef771713e21f4d52fd308f5bb5b9bcca8d104b7669f0b1d0960f11094655

      • C:\Users\Admin\AppData\Roaming\XClient.exe (same size and hashes as the submitted questmodinstaller.exe: the installer copies itself to %AppData% rather than dropping a different second-stage binary)

        Filesize

        176KB

        MD5

        ed369f4bf4345b9a0680f904495cd101

        SHA1

        6dceb43de613608cc8468998605eb4b7836b2412

        SHA256

        8d59ef4f887ea68153faebb1ac97e69319087ff059903d4b26d1961828a8cbca

        SHA512

        48b4f2b3a87b76985d6c1b513fa261c822ffd4ae5aa9f8b9cbd9e8dafa684bc0a4cb23a16b8202bd33717a3834c1b54ef9266ca1e27db251dc83752c54eb4761

      • memory/1644-37-0x00000000011D0000-0x0000000001202000-memory.dmp

        Filesize

        200KB

      • memory/1744-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

        Filesize

        9.9MB

      • memory/1744-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

        Filesize

        4KB

      • memory/1744-28-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

        Filesize

        4KB

      • memory/1744-33-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

        Filesize

        9.9MB

      • memory/1744-1-0x0000000001350000-0x0000000001382000-memory.dmp

        Filesize

        200KB

      • memory/1744-38-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

        Filesize

        9.9MB

      • memory/2452-15-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

        Filesize

        2.9MB

      • memory/2452-16-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

        Filesize

        32KB

      • memory/2796-7-0x0000000002DC0000-0x0000000002E40000-memory.dmp

        Filesize

        512KB

      • memory/2796-8-0x000000001B710000-0x000000001B9F2000-memory.dmp

        Filesize

        2.9MB

      • memory/2796-9-0x0000000001E50000-0x0000000001E58000-memory.dmp

        Filesize

        32KB