Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-01-2025 19:22
General
-
Target
04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exe
-
Size
38KB
-
MD5
702e759d83be51924e4726381bb4d8d0
-
SHA1
7f7c6e0c2c8418dd69e731915b28985ad381682d
-
SHA256
04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e
-
SHA512
f549ee20b8e3ca866fcf32b3a769b3f4907ed0230c9bd9da92bcd4f7f884e1aed68ad7a86ea6aeb66349c965a74ddb9fd96cfb75ac7ac89d811cc3b44db9b5ee
-
SSDEEP
768:bHZNZhqYjOjtg+3H6BQCAbN6yfwwMOYhRrhz0HY:bHZwfgiiQCAbN6ymOY9h
Malware Config
Extracted
xworm
abolhb.com:1870
-
Install_directory
%ProgramData%
-
install_file
Mason.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exe"C:\Users\Admin\AppData\Local\Temp\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e" /tr "C:\ProgramData\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1B6B1CB7-1DD8-455D-B39B-E499ECB7B60E} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exeC:\ProgramData\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exeC:\ProgramData\04fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5702e759d83be51924e4726381bb4d8d0
SHA17f7c6e0c2c8418dd69e731915b28985ad381682d
SHA25604fac6a1b51179f981cd3ca1ffe82e0914d0c2b7c3940076c5c9cf6cec31f83e
SHA512f549ee20b8e3ca866fcf32b3a769b3f4907ed0230c9bd9da92bcd4f7f884e1aed68ad7a86ea6aeb66349c965a74ddb9fd96cfb75ac7ac89d811cc3b44db9b5ee
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
64KB