Analysis

  • max time kernel: 148s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-01-2025 10:41

General

  • Target: FN CHECKER/FN CHECKER/FN CHECKER.exe
  • Size: 997KB
  • MD5: d428119c48f140f0c31ebcef8d9d8f8a
  • SHA1: af9e82b05da11ea19d3381829ae56d2c3e74491b
  • SHA256: 4b857cbd956518dfb4150be4da9e0c33eb31d086a99cae49c13713e32b24c9db
  • SHA512: 5b0e34fa4cdfbd7f1b959ca5d7d739340165d6e95fa4bb3e198d20043f790c5d42afb784b27828fa19493c8137e7a25abbdcf34846e211d33954349bafa680b8
  • SSDEEP: 24576:5FyISeHTiJKkt9SrQOLS7dUL/3rhEdMP9Mg:5EI1+IxrrLS0ThEdMKg

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • C2: daddy.linkpc.net:7000
  • Mutex: 487KBZwHTRfdTb7E
  • Attributes
    • install_file: USB.exe

aes.plain

Signatures

  • Detect Neshta payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executables in order to spread and cause damage.

  • Neshta family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FN CHECKER\FN CHECKER\FN CHECKER.exe
    "C:\Users\Admin\AppData\Local\Temp\FN CHECKER\FN CHECKER\FN CHECKER.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\FN CHECKER.exe
      "C:\Users\Admin\AppData\Local\Temp\FN CHECKER.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Users\Admin\AppData\Local\Temp\3582-490\FN CHECKER.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\FN CHECKER.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3772
    • C:\Users\Admin\AppData\Local\Temp\FJQQND.exe
      "C:\Users\Admin\AppData\Local\Temp\FJQQND.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2648
    • C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /im "svchost‌.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /run /TN "Update"
        3⤵
        PID:1244
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Del.vbs"
        3⤵
        PID:3896
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2640
  • C:\Users\Admin\AppData\Roaming\svchost‌.exe
    C:\Users\Admin\AppData\Roaming\svchost‌.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\FN CHECKER.exe
    Filesize: 88KB
    MD5: 4ea5c70d869d3a252b80ded9d17b0476
    SHA1: c459b39cb29705564b2b3f81a2679d048bb66a2f
    SHA256: d5c059ac87836bcdb43e937544ed82fbb83f0b6e43b12559ec899c340f25640d
    SHA512: f9b9fb91af71f527caa76886e6b3bc8fbea824efd98178a5631daec91582c4ca5c8a1d01aae6be2b06b338be1d03e5a0b7893d83988241a9f2e2fe682c94acd0

  • C:\Users\Admin\AppData\Local\Temp\Del.vbs
    Filesize: 146B
    MD5: a16d3da73c27fe0357e68065ddebb766
    SHA1: 5dd815f9b8696ec9537f5d8c89a71f14cdac650d
    SHA256: 64b7650c3b9dad3f49cd2a8a5aac82a3a8df1b8bd153a1b535e720d8c87f7ce7
    SHA512: 057388b481bd71aaebcae06d729875fb187eb12af8d1041e726f20d099859f1682304b8b3b5c7eacd19246d0c93405c3637ac546de6fa2c8e0a7945645a1940d

  • C:\Users\Admin\AppData\Local\Temp\FJQQND.exe
    Filesize: 781KB
    MD5: 68bcd60eb0ae68db9a6e2052df7b8270
    SHA1: dc468b9b0b208511e6ddaeeb3acd4f43415d4fb6
    SHA256: a287ab3424e595e875f31e4d893c14e70cf8cbd995ad38c6d29ce578c63e4a27
    SHA512: 68503c432c0199e62a82c857b2eef8a83dfc41513a37e36ed512668632f72d31fd646c4659376abbd4dc487ce0b739820e0ae16ddf76c4534eefeba1ce0567c7

  • C:\Users\Admin\AppData\Local\Temp\FN CHECKER.exe
    Filesize: 129KB
    MD5: a446aa2b4904d28be4a7cc4c2490b1ed
    SHA1: 989a6f990fc6ef5e107b4d2883a8d47e2545ca76
    SHA256: 430241400ff1f21b9c90fd42ceebe570f67aa9e39a0e9002283eebd9b6b5f19c
    SHA512: b8584f0a0d1e15594d7f1060a2883ab882b36673ff714b91bf9cab737cd685295fa142498d67fe0895d3cd5220a8f87c694fe7e11004eed02343fed953829d38

  • C:\Users\Admin\AppData\Local\Temp\Payload.exe
    Filesize: 262KB
    MD5: 1ecb45c5fcc8fe15e26cfa6eada84ed7
    SHA1: 798c9710e59324aef944c21b273206cdb1ece070
    SHA256: d00e631cc47689cead47c38d535d8dc7bf8bbcc9f34ed46fa1d2b7fe232f0be5
    SHA512: d26f9987f327ce5b5bfcc9dbcdbd19918e4b3a771d5a75b035dd6aab1ba0b43c92be0257451c26921a57ff4ddfac90a173e956f94113891bb19dc62b34dc2953

  • C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.bat
    Filesize: 184B
    MD5: a85e0447f7217da811840806b49e2db0
    SHA1: a8116aba2c0acd905812791713be052f610c5953
    SHA256: 12dd32274eef33c4b3d39286816c67453d0a47f9f2a429a668ab047299908add
    SHA512: b677863adc19b8b933c3f78d08567f2c4227b24274a51416ce4f8dbea6fd88a6bed203f6a18545b2ab6ed4af80622faaa837990ff38b323d8d51489855d50ebe

  • C:\Users\Admin\AppData\Roaming\svchost‌.exe
    Filesize: 36KB
    MD5: baf73551953ceb6ecbb13dbf164bfd6d
    SHA1: 19273b3eddbf9b9290401ae1cfcb3e664e042cfb
    SHA256: b4de1d430d856f1fe1045eb90f8bf870795d0f6b09b930417d2648ebc64d69b4
    SHA512: 15a00412bb6c6095d2e05c62725c33bfff79a11f1f12435d964b3b9fe37bedb8b41e67e8e0f4b515b34fb22326424c3d3f3f4c04596c6973da56d50efa888943

  • memory/1920-36-0x00007FFB42950000-0x00007FFB43411000-memory.dmp
    Filesize: 10.8MB

  • memory/1920-0-0x00007FFB42953000-0x00007FFB42955000-memory.dmp
    Filesize: 8KB

  • memory/1920-7-0x00007FFB42950000-0x00007FFB43411000-memory.dmp
    Filesize: 10.8MB

  • memory/1920-1-0x0000000000830000-0x0000000000930000-memory.dmp
    Filesize: 1024KB

  • memory/2648-39-0x0000000000400000-0x00000000004B6000-memory.dmp
    Filesize: 728KB

  • memory/2648-27-0x0000000000400000-0x00000000004B6000-memory.dmp
    Filesize: 728KB

  • memory/3540-34-0x0000000000690000-0x00000000006DA000-memory.dmp
    Filesize: 296KB

  • memory/3544-58-0x00000000000C0000-0x00000000000D0000-memory.dmp
    Filesize: 64KB

  • memory/3752-48-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB