Overview

overview

10

Static

static

3

1337 Crack.exe

windows10-2004-x64

10

1337 Crack.exe

windows7-x64

10

1337 Crack.exe

windows10-2004-x64

10

1337 Crack.exe

windows10-ltsc 2021-x64

10

1337 Crack.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1337 Crack.exe

  • Size

    18.6MB

  • MD5

    9505ebe349e9fefa3eab68142b85fac8

  • SHA1

    2b33fc2d0aa8759d1e9535a829a68f68b0382f53

  • SHA256

    e6cd1d4f3e1ddb7cb9d41186bbf8c10494c91388f2aed84a95f62568ef11fcd1

  • SHA512

    72cce65ac22d7fcb41e63f6096de95114d5b359f75c97ccad14d5aaf9d1a64f8be1ac7f4b6228c9fbf4e8cf8012182eac3277cdd441edda08828c1e5712d51c1

  • SSDEEP

    1536:TcBSENyrdccjBReGabeGXVmiEEZ73C61SO4ors:TcHyrtnxabeGYy53YOnA

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:6673

accessories-fame.gl.at.ply.gg:6673
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1337 Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\1337 Crack.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1337 Crack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1337 Crack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:60
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1716
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d7f4d4ca73f05b25181b68f11fef28df

    SHA1

    6ebb59914957f8e2ed0a4030141e38063430aeaa

    SHA256

    21420832ae8919c7a6b6ca850947f0d7c6d7330934c91e05b5a865e0bb43d099

    SHA512

    e6993f40cc78aaafcddce74e33c345fd2fb8801908a3e3ef87ec5ab9ad80f520c7aa80df9ee7eec376d4361e92b608a619d8383820b4c6211e61dbf0fb72fb0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzudeqbc.bfd.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\svchost.exe
    Filesize

    18.6MB

    MD5

    9505ebe349e9fefa3eab68142b85fac8

    SHA1

    2b33fc2d0aa8759d1e9535a829a68f68b0382f53

    SHA256

    e6cd1d4f3e1ddb7cb9d41186bbf8c10494c91388f2aed84a95f62568ef11fcd1

    SHA512

    72cce65ac22d7fcb41e63f6096de95114d5b359f75c97ccad14d5aaf9d1a64f8be1ac7f4b6228c9fbf4e8cf8012182eac3277cdd441edda08828c1e5712d51c1

    Download Submit

  • memory/3728-1-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3728-2-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3728-61-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3728-0-0x00007FFD35893000-0x00007FFD35895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3728-58-0x00007FFD35893000-0x00007FFD35895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4972-4-0x00000275C8240000-0x00000275C8262000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4972-19-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-18-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-15-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-11-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-3-0x00007FFD35890000-0x00007FFD36351000-memory.dmp

    Filesize

    10.8MB

    Download