Overview

overview

10

Static

static

3

idk.exe

windows7-x64

10

idk.exe

windows10-2004-x64

10

idk.exe

windows10-ltsc 2021-x64

10

idk.exe

windows11-21h2-x64

10

Resubmissions

22-01-2025 16:19

250122-tsmg4swjcl 10

22-01-2025 16:17

250122-trdtksvrhj 10

22-01-2025 16:14

250122-tpwllsvrdj 10

22-01-2025 16:12

250122-tnlp1svjc1 10

22-01-2025 16:10

250122-tml96avqem 10

22-01-2025 16:09

250122-tlwgfatrgs 10

22-01-2025 13:40

250122-qylwzsymez 10

Analysis

  • max time kernel
    59s
  • max time network
    60s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-01-2025 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    idk.exe

  • Size

    94KB

  • MD5

    f88781b7415e7b04fd13b1bbbf2009b2

  • SHA1

    df9072bf61727db083155c04b47ce48744b23ee5

  • SHA256

    ccaf48cc722a2f0f9766cc4e83c1469e498fc67d2f8ed96942a5764d3591050e

  • SHA512

    6c16f8287f2f14b452025be0638fb827fa6e4a3556b21119c6195bc066d577f2c1df9a8b3f500f7e56d2b33e0552c7cbec8730bd3ac14704a6250280b1aac3db

  • SSDEEP

    1536:BItB2JRcId+cS7K/aATFcmJi1vJYbmG0VaTCVp8tA8qbQXpPQ8Qep+MDaj361dw:CyFdDSWjB0vcL0VwCz8+8qbwPtVkOg3r

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes
  • Install_directory

    %LocalAppData%

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\idk.exe
    "C:\Users\Admin\AppData\Local\Temp\idk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Roaming\svchost.scr
      "C:\Users\Admin\AppData\Roaming\svchost.scr" /S
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.scr'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.scr'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3156
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.scr'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1400
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.scr"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    5ba388a6597d5e09191c2c88d2fdf598

    SHA1

    13516f8ec5a99298f6952438055c39330feae5d8

    SHA256

    e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

    SHA512

    ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    687b3558d687becb30ad8f90997723cc

    SHA1

    fb326d7d105aba4d26e1764e73fd124cad23f298

    SHA256

    5283507c63132fdaf5d64bb0a09bcd6ae6d412a4df0be934268bf8e774207ece

    SHA512

    f827d61fad06764cefbca1688b8b2df7c07a1080be42f524de9765650382db84151ee90dd74b6568ea6f5bc582399695ec2c1c598256076f2dc91ff250450abd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6f0e62045515b66d0a0105abc22dbf19

    SHA1

    894d685122f3f3c9a3457df2f0b12b0e851b394c

    SHA256

    529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

    SHA512

    f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnut0u53.lfm.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.scr
    Filesize

    79KB

    MD5

    0b192c8ec04f4dcd360957eb478221d2

    SHA1

    522a5c7336a31c23efec4b8ccab7ce7c17d620d4

    SHA256

    ea6a26539f74891663a03fc3cf348ef53c14295ef3662b9a29b211a8d0503e1c

    SHA512

    7d5dd7c9aca799a8dc15eea9bf767ca6c7e2145ad848d2b2cefb3548cffb30bbbb3e3933aac7c602e4a1b5f02e14e46b7edbcc3945e1aa2e3cc6219941e90eb6

    Download Submit

  • memory/716-9-0x00007FFCC53F0000-0x00007FFCC5EB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/716-10-0x00007FFCC53F0000-0x00007FFCC5EB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/716-8-0x0000000000F40000-0x0000000000F5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/716-50-0x00007FFCC53F0000-0x00007FFCC5EB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/716-51-0x00007FFCC53F0000-0x00007FFCC5EB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1628-0-0x00007FFCC53F3000-0x00007FFCC53F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1628-1-0x0000000000CC0000-0x0000000000CDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4628-19-0x000001C8B21F0000-0x000001C8B2212000-memory.dmp

    Filesize

    136KB

    Download