Overview

overview

10

Static

static

3

WinlockerB....6.exe

windows7-x64

10

WinlockerB....6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 00:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WinlockerBuilderv0.6.exe

  • Size

    1.3MB

  • MD5

    4f768716267ee42c40f6cb0578bae261

  • SHA1

    e143ab8ad439e224232bac5d0edc7f2051cbdc13

  • SHA256

    86bcea956a17faa66f5354fe890fae5fc41d2156b28ec1030d58aa9c51e32299

  • SHA512

    5f51a734c6eef7a9aba22e78c8dece02bff2adee06f8551f2f7fd57b77a6f2a22c39f46930bcf1f62c116725ef0fd5e56d7da7a893210a35c2f2721949de0a27

  • SSDEEP

    24576:DbXvsRLDInc+3WNyc4aKZQ6VvDrVq3EXcWdFVtV6d/PHk:U0c+Gr1YBrNXcEFVf6pPH

Score
10/10
xwormdefense_evasiondiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

vTtlhGPfn0ebMPsq

Attributes
  • Install_directory

    %Public%

  • install_file

    explorer.exe

  • pastebin_url

    https://pastebin.com/raw/4zaiEtZS

  • telegram

    https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    defense_evasion
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe
    "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.cpl",
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\svchost.cpl",
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\svchost.cpl"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:468
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /F /TN "svchost" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\svchost.lnk\"\"\"\"\"\",0:close\"")"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1632
        • C:\Windows\system32\SCHTASKS.exe
          SCHTASKS.exe /RUN /TN "svchost"
          4⤵
            PID:1812
      • C:\Users\Admin\AppData\Local\Temp\Winlocker Builder .exe
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder .exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7474.tmp\Builder #6.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:60
          • C:\Users\Admin\AppData\Local\Temp\7474.tmp\builder.exe
            builder.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1060
    • C:\Windows\system32\mshta.exe
      mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\svchost.lnk"""""",0:close")
      1⤵
      • Modifies registry class
      PID:2024
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
      1⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Public\explorer.exe"
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3288
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1720
    • C:\Users\Public\explorer.exe
      C:\Users\Public\explorer.exe
      1⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:2424
    • C:\Users\Public\explorer.exe
      C:\Users\Public\explorer.exe
      1⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:3592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      b46e0092d4ec5b1df4e5bbde2d8079b1

      SHA1

      fc95342a2ab48018c9687aa77b89df8df90f53a0

      SHA256

      4aed4d64a250671e7af6389f7480eb298f3a52599c45812706a52e02a1ac7b3d

      SHA512

      bc7a13cda121db38665ad49c0de0ce6e180ebbf97a079158de94fdf78ea2a4ca8cdecd4a548a773ed1a68d08f74f3177163c44312050853d80bdfa66c49bd8ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      8f659389c6e21eb0c627fbae833500c7

      SHA1

      ae632f1e4af08587934ff168155b30e2b28d7475

      SHA256

      a12763453f79453dd8f25f0c90d001ffb5d409ec698491666c9f076c6bc60d8c

      SHA512

      f4849e0b1d6ab3d4dd054f590a359af8dd1b9d3df2ad78033ad1a59ebafb1ca96aa76fa9061a466d74e8e3266dc882818d79db47908b21ca3ef8be20e427d327

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      ce4540390cc4841c8973eb5a3e9f4f7d

      SHA1

      2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

      SHA256

      e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

      SHA512

      2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7474.tmp\Builder #6.bat
      Filesize

      28B

      MD5

      8051f1a637f4635ede0c96f81302993b

      SHA1

      1712fdb1a9d64edae50acc063574c1109d613546

      SHA256

      ff61e26e4d145be670bc4512afdf87210da097acaa43bf97cf278def640b3110

      SHA512

      b54aec0ff9ec591e2c8507ef4729c3b69e0263337eb52c58dd69f5b2e0b50d5d8f3bc17c32b5c55a2327809f0cd17713f511f3ab7a03bfa826e53da0d8a96c9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7474.tmp\builder.exe
      Filesize

      2.4MB

      MD5

      9729d33f5cc788e9c1930bcc968acffa

      SHA1

      68c662875f7b805dd6f246919d406c8d92158073

      SHA256

      3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

      SHA512

      af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Winlocker Builder .exe
      Filesize

      1.3MB

      MD5

      4caed3373183b76693cebb8f917faa1f

      SHA1

      10d2a0c799b6231bc90d66fe59a8245e74bbbaf0

      SHA256

      a4b302ddaecc5ca50b48152644e3a101d389ed6b72abeb3c610f5f1facaf4547

      SHA512

      83670f489cb7e4be492e3361ba2291dc725ce5ce7694c5f6e9c988b680dca4147042b2ae8c0d2e78bbda5fa2d6b8c7ca83c8299bd4f1594107262ca26d276128

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnwdtou4.5b4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\svchost.cpl
      Filesize

      49KB

      MD5

      8fe4b2ca0b85980b73050ab7e8eb58a8

      SHA1

      d78af51db795dd51ffe48f96321d7a3fdd853117

      SHA256

      16160a0f94f668219b4b69aa3c396aef00388c305e66a887f7a891fb460bc914

      SHA512

      6d73f190d657b9f04887d7d88ef8aa913e61b3eb8de50de4607f035a32fde9f9bb2f76a9918d73039ca294a56d98e2a7de7f233ff5b43079a5d80bbf7b2392f1

      Download Submit

    • C:\Users\Public\explorer.exe
      Filesize

      4.6MB

      MD5

      30decee483a8196b30643ec6a453a7de

      SHA1

      92266131aff3595c5a95d3aa23c9e40c85d5f982

      SHA256

      3dc254ad131a691acb1f9e3a5bb5ca5b3ea891869e516f4b3580ea4fcfdf2e76

      SHA512

      a8f370c060223d4c2985ac16e78547779e584020e95428e85b497464fc487611d7b080908f904c11aa93bc7b56ec102845fbb6554d97dcba7fdc856c93087f00

      Download Submit

    • C:\Windows\System32\svchost.lnk
      Filesize

      104B

      MD5

      62658c068ffbf0e44a72ac7ad1d0de8c

      SHA1

      be24daae430936518ccafa73d53e64ca3f29f4b1

      SHA256

      b87ace89fe7d8861eaa93dde044ba1b74d7fb29b84ec945e5ec681511fe3096a

      SHA512

      0e56c57ebeaba882ce2b1290f053b2d95367b2809306b31cd7b0fbe7f47c7f656818f8a49311c8bccaa67c8f0b16d6c3d25119289adbfb27b275eb780e8dd036

      Download Submit

    • memory/8-63-0x0000000073160000-0x0000000073174000-memory.dmp

      Filesize

      80KB

      Download

    • memory/8-64-0x00000000074F0000-0x0000000007502000-memory.dmp

      Filesize

      72KB

      Download

    • memory/468-40-0x0000028441130000-0x0000028441152000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1060-111-0x0000000000400000-0x0000000000671000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/1496-55-0x0000000000400000-0x000000000067E000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1496-25-0x0000000000400000-0x000000000067E000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/3932-0-0x00007FFFDA293000-0x00007FFFDA295000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3932-6-0x00007FFFDA290000-0x00007FFFDAD51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3932-1-0x0000000000B10000-0x0000000000C6A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3932-27-0x00007FFFDA290000-0x00007FFFDAD51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5008-24-0x0000000073160000-0x0000000073174000-memory.dmp

      Filesize

      80KB

      Download

    • memory/5008-47-0x0000011035C30000-0x0000011036158000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/5008-23-0x0000000000F90000-0x0000000000FA4000-memory.dmp

      Filesize

      80KB

      Download