Analysis
-
max time kernel
41s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-01-2025 07:43
General
-
Target
Sorry.exe
-
Size
481KB
-
MD5
5c152e46af6e1de7f406cea257af9d1e
-
SHA1
d8b830c0c2e0aa7daeaab5759dc2e71351e98e3f
-
SHA256
f6262425730236425df601e87f0742166849b0737a1d918c5a8609553f75630f
-
SHA512
f52e406d166f61319ef2cc781a9c90abab2714746ae3203a8f7f412b02c45aeeb48d4f6966e6bd99279a8f348ac96ef379dc3f58259331c480dd70bf734abb01
-
SSDEEP
12288:CF2itC7rxZjmoXuaiHi/Xy3I3sBmy1CLoMavQ9clJb8S:4HSZqoXuWPzloMaI9clD
Malware Config
Extracted
xworm
yNحكـX8ٍبAGLWِF6Jo2DiObلٍLZا3ا
-
Install_directory
%Port%
-
install_file
MicrosoftEdgeUpdateTaskMachineUAC.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sorry.exe"C:\Users\Admin\AppData\Local\Temp\Sorry.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "MasonSorry.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Sorry.exe'" /sc onlogon /rl HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\u3hyivn3.lls.exe"C:\Users\Admin\AppData\Local\Temp\u3hyivn3.lls.exe"2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Windows security bypass
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\u3hyivn3.lls.exe" /rl HIGHEST /f3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\u3hyivn3.lls.exe'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
4Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
444KB
MD50cb0c98f19e1e14babd396af2fc05f42
SHA1626e7a6eac10f76cff1aab70e20ee73ac15cd7a1
SHA256e702e1c61802c8f3e6adc061c608d9e49c953cf8e040b5acf98a1c1a20735d00
SHA512f14a476b1eb9e78ee1bdbf17d4405b3285ddaa0fe2e08164dfd6ea1e0d99c5d63149571e849f09f19f4039e3cec4f0c801699b8c2c75c9f4b7777803ef455a77
-
Filesize
64KB
-
Filesize
504KB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB