Overview

overview

10

Static

static

3

idk.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    39s
  • max time network
    32s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    22-01-2025 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    idk.exe

  • Size

    78KB

  • MD5

    662afd232c27ffeacb7e5e8659eeccec

  • SHA1

    3db0da6493cb893b06ae08380d118beeb15993bc

  • SHA256

    dd72847951db3e210cbd52e0d342f87dc7bbffbec60d7ed8d5f73aa63a0b36d3

  • SHA512

    42818adf68c7f5deec6e85bc70aea7428d85959391be9035e502cbe448d088375ea348886a6cac92542a67ac117cd52dbfe720ced89dcc97001cbc1761023135

  • SSDEEP

    1536:1pfrzPokYK9mUzEnTPJ5g6EKuKa36MSPoorfXr3ZoTH+aJWRTILUG:zLok9TzEnThFsJho5Nk4G

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\idk.exe
    "C:\Users\Admin\AppData\Local\Temp\idk.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Local\Temp\idk.exe
      "C:\Users\Admin\AppData\Local\Temp\idk.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\idk.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1408
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'idk.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4496
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:4712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    f9349064c7c8f8467cc12d78a462e5f9

    SHA1

    5e1d27fc64751cd8c0e9448ee47741da588b3484

    SHA256

    883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

    SHA512

    3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    21KB

    MD5

    a0d012b55b0598934456ec9f62524ddf

    SHA1

    8032dee11fb2d2e5c637c7c5ec12ecf2431790d5

    SHA256

    0939306b74c0886604574a3a45ecf3a284c5920b338d648d8f777849dfa51215

    SHA512

    8e04f73e88994f9d62a5c3a31f69162f65f1a9fbb08694753bb327e0e4a2a084ad334b5cd01107c134f2062e98ceb34e25c2154fd681a7c38b32d9ecef4f2d16

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    21KB

    MD5

    e1c261333065f99943aaaba74309b229

    SHA1

    193d46db9a87859a55116b5caed38ee7c4a06a93

    SHA256

    19e59b643d481ba02a01dae3b1febb8ca7d93c5b51fda9881f99353dde37825c

    SHA512

    0594e728fb8d5a6ac8cf4bc6fbb56f6ec92bd187a12d277c683f363c6a81b52259c0499a3a220e9c212b7ab5393e4f059d075c229993f431c65c1cec0261bf3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    21KB

    MD5

    13bb4785d7c88b6be815fc87a8ba3c35

    SHA1

    e6648566f523c3a0257500c28d31a745bc7761a8

    SHA256

    d21054669455eb8ff70a086861725b39fc64d0a81d6eff129318fcd6d94e9a41

    SHA512

    b7d8c2a1c05c3379ca120460bb2c626d0c328972731fed1b747132225b4a55ac8c6ffb2cecc602fe65da8d84572cfe8e741c5ef66d78c51db22dbeb0b3e1b76b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxvnraw2.liz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1408-51-0x00000000072A0000-0x00000000072AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1408-29-0x00000000058A0000-0x0000000005BF7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1408-55-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1408-52-0x00000000074C0000-0x0000000007556000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1408-50-0x0000000007240000-0x000000000725A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1408-49-0x0000000007890000-0x0000000007F0A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1408-48-0x00000000070F0000-0x0000000007193000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1408-47-0x0000000006450000-0x000000000646E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1408-37-0x0000000070040000-0x000000007008C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1408-36-0x0000000007030000-0x0000000007062000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1408-35-0x0000000005F00000-0x0000000005F4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1408-34-0x0000000004B80000-0x0000000004B9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1408-18-0x00000000024A0000-0x00000000024D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1408-20-0x0000000005070000-0x000000000573A000-memory.dmp

    Filesize

    6.8MB

    Download

  • memory/1408-19-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1408-21-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1408-22-0x0000000004F20000-0x0000000004F42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1408-23-0x0000000004FC0000-0x0000000005026000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1452-17-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1452-11-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1452-91-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1452-16-0x0000000004E50000-0x0000000004EB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1452-56-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1452-14-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1452-13-0x0000000004D60000-0x0000000004DFC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3716-8-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3716-4-0x0000000005970000-0x000000000597A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3716-9-0x0000000005BD0000-0x0000000005BE8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3716-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3716-5-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3716-7-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3716-15-0x0000000074FF0000-0x00000000757A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3716-10-0x0000000005C20000-0x0000000005C3E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3716-1-0x0000000000EB0000-0x0000000000ECA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3716-3-0x00000000058A0000-0x0000000005932000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3716-6-0x0000000005A10000-0x0000000005A86000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3716-2-0x0000000005D60000-0x0000000006306000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4496-89-0x0000000005BE0000-0x0000000005F37000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4496-92-0x0000000070040000-0x000000007008C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4528-69-0x0000000070040000-0x000000007008C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4528-67-0x0000000005B20000-0x0000000005E77000-memory.dmp

    Filesize

    3.3MB

    Download