Overview

overview

10

Static

static

1

download.html

windows11-21h2-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    63s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23-01-2025 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download.html

  • Size

    2KB

  • MD5

    8c07f2e4c587ddb33c32e034fe17149c

  • SHA1

    18e31d80138535b44b5715e75e52efb08ecb136f

  • SHA256

    de9aa87bc82a074d5c5df9bea385442e878b2ecdfbb0c47c864fb19756a6f4e6

  • SHA512

    320bee58ed20a737c34d03aee9c875efdfa7877c26e9da0daeec092721b0bc52406c08ebe308becc3534a75da869d9b0839cf93bb1aac8f698a0851ee0e774ba

Score
10/10
xwormdiscoverypersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

87.120.116.179:1300

Mutex

k2ajRGAWWdwZwgsE

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\download.html
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaf9fcc40,0x7ffeaf9fcc4c,0x7ffeaf9fcc58
      2⤵
        PID:4596
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
        2⤵
          PID:3644
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
          2⤵
            PID:3396
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
            2⤵
              PID:704
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
              2⤵
                PID:4792
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
                2⤵
                  PID:4968
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
                  2⤵
                    PID:2448
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
                    2⤵
                      PID:632
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,14725677028379976909,13846027689550625616,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
                      2⤵
                      • NTFS ADS
                      PID:2124
                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                    1⤵
                      PID:4932
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                      1⤵
                        PID:2756
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:3708
                        • C:\Users\Admin\AppData\Local\Temp\Temp1_FINALIZACIÓN DE GESTIÓN DE CARTERA FINANCIERA ACH.zip\FINALIZACIÓN DE GESTIÓN DE CARTERA FINANCIERA ACH.exe
                          "C:\Users\Admin\AppData\Local\Temp\Temp1_FINALIZACIÓN DE GESTIÓN DE CARTERA FINANCIERA ACH.zip\FINALIZACIÓN DE GESTIÓN DE CARTERA FINANCIERA ACH.exe"
                          1⤵
                          • Adds Run key to start application
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2860
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:4348

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                          Filesize

                          649B

                          MD5

                          770115b9892554a1aa0b87533fa024f2

                          SHA1

                          f4114b19a9030f6e6dc6f3b15d36271390d6ef9d

                          SHA256

                          a50597eea502baa7d3fe689116559983ae3ddf1200e987df95419cd22b9c0621

                          SHA512

                          1914e2f6567c3bef0da03f6d5b319fca641e58eefff88e0aa0dbd463aeab1590f49f4cbdb99d07c1ca1cb5940752a975cf91f1965fd47fd4be1e01a742ed588a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          0339f8692f1cd12b7e56d6a8e744190b

                          SHA1

                          2ae0f08aa2f39abef9b6d5e65dee65c4d37feef4

                          SHA256

                          9029fbf275a233f1de1974c629fd9c21c415df13f21eb58b8d9498ee031b5bb9

                          SHA512

                          f4c71f63f982681b2699290bef4e099c4b81d60f5b41382a54abc36c386e54775880dc10c41a6a42bfbcbf98bf6f24759f5092004950b0cd22bb8f3c3f03b7e1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          174c5a0b8e6ce264e9241382c6d1520e

                          SHA1

                          8f4dc206a3dd11cc924d35ccf3ff7f078aac74fc

                          SHA256

                          d33b76dd360b5303b8d87081cbdd17250d3ecdcfe08b0f1230034a87ae6ac726

                          SHA512

                          69241a707f897eb6ed120181c00d48153aff3e8ad08f56475808c66405f76fd98c3d7e8f17a8b59699ed5d6eda3f8103348c10743471012e85f133fee321fc67

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          4997b7ac967b678aec8de75310fe67f4

                          SHA1

                          2649fad131ed1ef61879d6e027d92ac8e401d186

                          SHA256

                          56db9ec8a7628fde1bf7306e76174d86c14d5be57579cf685f1cd08a87732240

                          SHA512

                          1b6938d2c815c5064920b5f24730aa4134d50a45be4ad27f7cb1a36d0af2e3e8d6d5bde827976dd4e41df8e8dbb76b4a41dad5070d72826576178f797aa7c8a9

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          3a050e26259d3c226433eca74fb2be9b

                          SHA1

                          dee60438773cd42ccc053f2dc55f41359a409e3e

                          SHA256

                          ac45f8b144006220e2e7de6af770331ad524545aecd1b9b6bbbfb0380dc0750d

                          SHA512

                          0def3444c0e5b03b47be22d3d073751d0cd86b3f4274f38576f41d305a8f98a015be06fc1ba205306627af5c9fc05043cede852c56de6739120fabc6d3e064be

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          228KB

                          MD5

                          2436e24c37336431efe5199431d9b5b8

                          SHA1

                          23d146f3928f9e6d3bb4ece11cefa634d8e1af64

                          SHA256

                          606c5f0d415eb5a0674d5e42b4805f1826c8bd1beb973e73d0361514af25b78a

                          SHA512

                          d3c3f82d65dfefe1ae55361f3e3100e31783a5a3ed4589068f798c2a82932adcc980cd778546bf37f028378efa54bbee726b2d0d8437736f418336c828f9d45f

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          228KB

                          MD5

                          a455b27d7c9792d1a0e719bf5d6d9612

                          SHA1

                          bddce305770cc2c52635b58eebaa9941d3f95ae6

                          SHA256

                          333b2cb72e78341fa936f587f407bdfc16793c341b21fc0fa8bec6ddcb1dbfe7

                          SHA512

                          7c31c3eb1416a80d2854ee21a7396f78f0a441d4e4482556fc19c17698d81f0b59cdf23f54249a2a24d3aea0a75b44fcb387f95bc1ff647285cda7035009103a

                          Download Submit

                        • C:\Users\Admin\Downloads\FINALIZACIÓN DE GESTIÓN DE CARTERA FINANCIERA ACH.zip
                          Filesize

                          933KB

                          MD5

                          0a565aabde7c9a81abe29eb6dd93765a

                          SHA1

                          27bf403a4dad1e384b3609692e6bbc7dafc074a4

                          SHA256

                          b2966d0a78a55d219bf46400590b789cd680fd1136e19cc3474acca2d9800a9e

                          SHA512

                          d486e7a33a952057d45ff0a40ed699de43a5772d1f25a194cf060552d40a7f0a1fbb7021e9c483c58196f27b9f52be16d7bf9cbc650601fd91d508b15f428627

                          Download Submit

                        • C:\Users\Admin\Downloads\FINALIZACIÓN DE GESTIÓN DE CARTERA FINANCIERA ACH.zip:Zone.Identifier
                          Filesize

                          26B

                          MD5

                          fbccf14d504b7b2dbcb5a5bda75bd93b

                          SHA1

                          d59fc84cdd5217c6cf74785703655f78da6b582b

                          SHA256

                          eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                          SHA512

                          aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                          Download Submit

                        • memory/2860-83-0x00000000024A0000-0x00000000024C9000-memory.dmp

                          Filesize

                          164KB

                          Download

                        • memory/2860-87-0x0000000002620000-0x0000000002678000-memory.dmp

                          Filesize

                          352KB

                          Download

                        • memory/4348-85-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4348-86-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

                          Filesize

                          624KB

                          Download

                        • memory/4348-88-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4348-89-0x0000000006930000-0x0000000006ED6000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/4348-90-0x0000000006FE0000-0x0000000007072000-memory.dmp

                          Filesize

                          584KB

                          Download

                        • memory/4348-91-0x00000000068D0000-0x00000000068DA000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/4348-84-0x000000007441E000-0x000000007441F000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4348-101-0x0000000007240000-0x00000000072A6000-memory.dmp

                          Filesize

                          408KB

                          Download

                        • memory/4348-102-0x000000007441E000-0x000000007441F000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4348-104-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

                          Filesize

                          64KB

                          Download