Overview

overview

10

Static

static

10

af6abc8184...07.exe

windows7-x64

10

af6abc8184...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-01-2025 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807.exe

  • Size

    238KB

  • MD5

    a3f033788623e354934c5bd0d2e532ab

  • SHA1

    0356845c39af18ffbc03b1262278badcd8875437

  • SHA256

    af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807

  • SHA512

    bfb042dcdc18e9af463140f134de3e349561f8f70c31864686a759683838cef0011337394ee19d0f0cdfd62cacb40bbc165afc8232213f64a11f3b15cf17d4d5

  • SSDEEP

    6144:VJW3bxeS3krUhcX7elbKTua9bfF/H9d9n:4eSUr3X3u+

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

45.141.27.242:7777

Attributes
  • Install_directory

    %Temp%

  • install_file

    conhost.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807.exe
    "C:\Users\Admin\AppData\Local\Temp\af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\conhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "conhost" /tr "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2020
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7F55CDD5-937E-4B9F-BDD4-93E7ECD62C25} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\conhost.exe
      C:\Users\Admin\AppData\Local\Temp\conhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\conhost.exe
      C:\Users\Admin\AppData\Local\Temp\conhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize

    238KB

    MD5

    a3f033788623e354934c5bd0d2e532ab

    SHA1

    0356845c39af18ffbc03b1262278badcd8875437

    SHA256

    af6abc818434e7e0fb9205d31918243b17d843c38e3148ec78172fb6a9d2d807

    SHA512

    bfb042dcdc18e9af463140f134de3e349561f8f70c31864686a759683838cef0011337394ee19d0f0cdfd62cacb40bbc165afc8232213f64a11f3b15cf17d4d5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f2b3a5d8ace4afc05f50a7622a01eedf

    SHA1

    d735ef2f4936423c996ad8f2690f35ba182b4fa1

    SHA256

    a390267e1d308b76f1020e22dbcddf45942b7118fd2a405d8ab680a490dfdf6c

    SHA512

    e9dae1f7b0b3503b2234d275dd5bf7aaa85cd611caa9e72047e974ed3c4576a9bcbd07f8667eda0c64cc9f8d58739d23ed97688dc167a35586326172ed50b2de

    Download Submit

  • memory/472-15-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/472-16-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/748-40-0x00000000013B0000-0x00000000013F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1952-37-0x00000000011C0000-0x0000000001200000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2592-7-0x0000000002DE0000-0x0000000002E60000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2592-9-0x0000000000310000-0x0000000000318000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2592-8-0x000000001B7B0000-0x000000001BA92000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2940-27-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-33-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2940-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2940-1-0x00000000001F0000-0x0000000000230000-memory.dmp

    Filesize

    256KB

    Download