Resubmissions

22-01-2025 17:15

250122-vs2sgaxmhk 10

22-01-2025 14:51

250122-r75k5a1nft 10

Analysis

  • max time kernel
    99s
  • max time network
    153s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    22-01-2025 14:51

General

  • Target: SamsungCommisionExternal.exe
  • Size: 63KB
  • MD5: 6f30a565049364df3068b5bc88fd36d6
  • SHA1: 2ca485eb96156bfc561acd69649cf3339da6c610
  • SHA256: e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d
  • SHA512: c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe
  • SSDEEP: 1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes
  • Install_directory: %AppData%
  • install_file: USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe
    "C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SamsungCommisionExternal.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:992

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 3eb3833f769dd890afc295b977eab4b4
    SHA1: e857649b037939602c72ad003e5d3698695f436f
    SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
    SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 60b3262c3163ee3d466199160b9ed07d
    SHA1: 994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
    SHA256: e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
    SHA512: 081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 690c2bd2f10cc1857a717259b1bac1cb
    SHA1: 431d633e63f5ea8f7551a0a1e5a0fe421527fe5d
    SHA256: c4bd3b662c1de00edd77cd43c3a47a68f272955f6bb4a35a1548ff0f29ed04d7
    SHA512: 045e3aa227b81f3f42430aee77e63efa68d7de087ddd3ae10c855a2b6c56a9144e452109ac267715615d8a12145c6072226e75f6e8f855e9aa08a8405a8a5cd5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: f4cba69beab6fa0de059d0a0ddc4dd87
    SHA1: fb243a93ba81d097e248093800d0fc5f4fb8d8c5
    SHA256: f0368bbcd56197e3274863b8f35e6c87cf7d476ba54ecd3c1fa954f82be0d7dc
    SHA512: edcc61f1a8baa5a713f667fb8c139be71b258785177f2fcd067d423eb60368f5fa1c8d7fba1097a1b78fd859fa0089ce3c6963f526f025b714e66159a4673c15

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3az4jin.3hz.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2644-1-0x0000000000030000-0x0000000000046000-memory.dmp
    Filesize: 88KB
  • memory/2644-2-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/2644-60-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/2644-0-0x00007FFFC5BD3000-0x00007FFFC5BD5000-memory.dmp
    Filesize: 8KB
  • memory/2644-33-0x00007FFFC5BD3000-0x00007FFFC5BD5000-memory.dmp
    Filesize: 8KB
  • memory/4656-4-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/4656-21-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/4656-20-0x000001BE36080000-0x000001BE3629D000-memory.dmp
    Filesize: 2.1MB
  • memory/4656-17-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/4656-16-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/4656-6-0x000001BE36050000-0x000001BE36072000-memory.dmp
    Filesize: 136KB
  • memory/4656-5-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB
  • memory/4656-3-0x00007FFFC5BD0000-0x00007FFFC6692000-memory.dmp
    Filesize: 10.8MB