Overview

overview

10

Static

static

10

0a6b6f9b9c...8N.exe

windows7-x64

10

0a6b6f9b9c...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408N.exe

  • Size

    85KB

  • MD5

    70447dbf18d9dc8426a9900ad6c28700

  • SHA1

    ce72e3dafd211af37ee84c07850ecf4b126fdee8

  • SHA256

    0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408

  • SHA512

    87c41914eb2297fc510c65a54957abdead439a1b42cb3a3d1593474d3d3e8a42e42e8341521e12e60fdd0385243dfcb48422e0d84e32d417e08249c963fd58ce

  • SSDEEP

    1536:wgLOZCLbRcbwXpTpli0/eC/CiAQRbAwO4c06Qe6ulOfBIWZ65hUV6faF:NLECL9cbIf6KRbAm6QelOffeLaF

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

asia-capabilities.gl.at.ply.gg:63098

Attributes
  • Install_directory

    %Temp%

  • install_file

    Explorer.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Explorer" /tr "C:\Users\Admin\AppData\Local\Temp\Explorer.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2604
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BA4AC7BA-6718-4BF9-909C-9DF318BE5BA5} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\Explorer.exe
      C:\Users\Admin\AppData\Local\Temp\Explorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\Explorer.exe
      C:\Users\Admin\AppData\Local\Temp\Explorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Explorer.exe
    Filesize

    85KB

    MD5

    70447dbf18d9dc8426a9900ad6c28700

    SHA1

    ce72e3dafd211af37ee84c07850ecf4b126fdee8

    SHA256

    0a6b6f9b9cbf8a15660c1d5472f620a16aedc318041c00d59bedf220e697e408

    SHA512

    87c41914eb2297fc510c65a54957abdead439a1b42cb3a3d1593474d3d3e8a42e42e8341521e12e60fdd0385243dfcb48422e0d84e32d417e08249c963fd58ce

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    275f8bd2a87391975c90aec942e95711

    SHA1

    4c63a5cb77e4c9e8afb919a990cda54ce20379b6

    SHA256

    b6f3131111467a354c2537a584b758023598e4667f9f46c6ddbb73cbf9c67ce6

    SHA512

    6e7aba1d9a469baca3921efd90216b2deafa095887c0db086755f2894eb9b0cf36e2c720b26e28fdf1a3d717de9ebfaaad8d7e6785f54bba56015849579155d5

    Download Submit

  • memory/2392-6-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2392-7-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2392-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2444-41-0x0000000000D50000-0x0000000000D6C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2504-32-0x0000000000310000-0x0000000000390000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2504-0-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-33-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-38-0x0000000000310000-0x0000000000390000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2504-1-0x00000000010D0000-0x00000000010EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-37-0x00000000001E0000-0x00000000001FC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2924-15-0x0000000002960000-0x0000000002968000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2924-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB

    Download