Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2025, 21:28 UTC

General

  • Target

    fixer for multitool.exe

  • Size

    87KB

  • MD5

    99e39146427de4c24dd3f1ff1ed4debe

  • SHA1

    c7b51946c52c902c5af7f228613cb00660f15134

  • SHA256

    f4c783c56c8cf963890638302a5e92c8e49181b4813f7fa10f2f537ed944ae45

  • SHA512

    727a8ae888af56cdf680f163783c554c076451708a3d80c5147af3a10922d6a8edf65c2ec4cfe5552e79317f9be336623e7be4f0fa5ff6a29ed12e08a7fbcc98

  • SSDEEP

    1536:imR/EoP7RfUQ3ut4LhZm3BuASk1x9bpcRjkHM3amui1/cZ6DGiOKWP1WlGOOn+P:iW17R87UM3BVx9bpLHMqmuIEYOKWP6GW

Malware Config

Extracted

Family

xworm

C2

blood-pattern.gl.at.ply.gg:24558

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fixer for multitool.exe
    "C:\Users\Admin\AppData\Local\Temp\fixer for multitool.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fixer for multitool.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fixer for multitool.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2168
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BCBB7629-FCBD-4847-9A1E-CC0B2138CCC0} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1208
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2096

Network

  • flag-us
    DNS
    api.telegram.org
    fixer for multitool.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-us
    DNS
    blood-pattern.gl.at.ply.gg
    fixer for multitool.exe
    Remote address:
    8.8.8.8:53
    Request
    blood-pattern.gl.at.ply.gg
    IN A
    Response
    blood-pattern.gl.at.ply.gg
    IN A
    147.185.221.25
  • 149.154.167.220:443
    api.telegram.org
    tls
    fixer for multitool.exe
    388 B
    219 B
    5
    5
  • 147.185.221.25:24558
    blood-pattern.gl.at.ply.gg
    fixer for multitool.exe
    2.5kB
    52 B
    11
    1
  • 147.185.221.25:24558
    blood-pattern.gl.at.ply.gg
    fixer for multitool.exe
    1.9kB
    52 B
    9
    1
  • 147.185.221.25:24558
    blood-pattern.gl.at.ply.gg
    fixer for multitool.exe
    1.9kB
    52 B
    9
    1
  • 147.185.221.25:24558
    blood-pattern.gl.at.ply.gg
    fixer for multitool.exe
    1.9kB
    52 B
    9
    1
  • 147.185.221.25:24558
    blood-pattern.gl.at.ply.gg
    fixer for multitool.exe
    1.9kB
    52 B
    9
    1
  • 8.8.8.8:53
    api.telegram.org
    dns
    fixer for multitool.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    blood-pattern.gl.at.ply.gg
    dns
    fixer for multitool.exe
    72 B
    88 B
    1
    1

    DNS Request

    blood-pattern.gl.at.ply.gg

    DNS Response

    147.185.221.25

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    7bf36c219c6a4681e1cd24edb0abf9dc

    SHA1

    69524563a5505bee505c26529eff7cd68a0f277a

    SHA256

    270a67e99bdb1cbf2cbd605b540da90e6556f853f04651228de62222a779c7d5

    SHA512

    a538a78889778d7ea1c3685ac64c53f30c5a4da57ea3caa9fb95d8437817b4e3095cc9e18e9f51f4597e7062f9ac8cca665ab6d14aadf487eac3046f25219447

  • C:\Users\Admin\AppData\Roaming\security

    Filesize

    87KB

    MD5

    99e39146427de4c24dd3f1ff1ed4debe

    SHA1

    c7b51946c52c902c5af7f228613cb00660f15134

    SHA256

    f4c783c56c8cf963890638302a5e92c8e49181b4813f7fa10f2f537ed944ae45

    SHA512

    727a8ae888af56cdf680f163783c554c076451708a3d80c5147af3a10922d6a8edf65c2ec4cfe5552e79317f9be336623e7be4f0fa5ff6a29ed12e08a7fbcc98

  • memory/1084-31-0x000000001B150000-0x000000001B1D0000-memory.dmp

    Filesize

    512KB

  • memory/1084-1-0x00000000001C0000-0x00000000001DC000-memory.dmp

    Filesize

    112KB

  • memory/1084-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

    Filesize

    4KB

  • memory/1084-32-0x000000001B150000-0x000000001B1D0000-memory.dmp

    Filesize

    512KB

  • memory/1084-21-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

    Filesize

    4KB

  • memory/1208-36-0x0000000000A80000-0x0000000000A9C000-memory.dmp

    Filesize

    112KB

  • memory/2096-39-0x0000000000FC0000-0x0000000000FDC000-memory.dmp

    Filesize

    112KB

  • memory/2724-7-0x000000001B140000-0x000000001B422000-memory.dmp

    Filesize

    2.9MB

  • memory/2724-8-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

  • memory/2724-6-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/3028-15-0x0000000002560000-0x0000000002568000-memory.dmp

    Filesize

    32KB

  • memory/3028-14-0x000000001B2B0000-0x000000001B592000-memory.dmp

    Filesize

    2.9MB