Overview

overview

10

Static

static

10

webhack.exe

windows7-x64

10

webhack.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    webhack.exe

  • Size

    80KB

  • MD5

    bee4a56d9ba0426d3c95dde1970f6429

  • SHA1

    2bfa99521d4a4f2ed6f9b457074ecf1fae7cd712

  • SHA256

    d6684b27eb3b9913fd9742bf3ce9c38e5f089211b0c105893e44eeaf79f691a2

  • SHA512

    294855ac413dec844467c23ddef1dd87334d0f83f5053a6e9e0b66f032d48e748351f4fa95e166d33c4385c4734d4f4af27365d3379d480a5b5a8ecb30e5f660

  • SSDEEP

    1536:NF423Du5xn5JrsFkAZb1SfMP0I6naOwi0Wasei/mH:NF42zux5WFkAZb14xaObRoH

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\webhack.exe
    "C:\Users\Admin\AppData\Local\Temp\webhack.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\webhack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'webhack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\webhack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "webhack" /tr "C:\Users\Admin\AppData\Local\webhack.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2772
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "webhack"
      2⤵
        PID:2572
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1520
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {48644E6B-BFB4-49DC-AAC7-D06251E5E3C1} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Local\webhack.exe
        C:\Users\Admin\AppData\Local\webhack.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1244
      • C:\Users\Admin\AppData\Local\webhack.exe
        C:\Users\Admin\AppData\Local\webhack.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.bat
      Filesize

      159B

      MD5

      fe9579aee4b8d001a9469f4a732aa6a3

      SHA1

      f1667aed32771ea9e9414147c5c7b5455a40f50d

      SHA256

      753dd5fd92c7724ea7e73e5dd1aa0a93c3bcdddcb7a821caa825dc89b4cf5be4

      SHA512

      9547a82fba103660d8565dab8802a40f417ac2699fcc10e510b0a56bd468c9312ca7d57ca8b7070eccb33c79eda950e4fa984a7626127521493739b70d012427

      Download Submit

    • C:\Users\Admin\AppData\Local\webhack.exe
      Filesize

      80KB

      MD5

      bee4a56d9ba0426d3c95dde1970f6429

      SHA1

      2bfa99521d4a4f2ed6f9b457074ecf1fae7cd712

      SHA256

      d6684b27eb3b9913fd9742bf3ce9c38e5f089211b0c105893e44eeaf79f691a2

      SHA512

      294855ac413dec844467c23ddef1dd87334d0f83f5053a6e9e0b66f032d48e748351f4fa95e166d33c4385c4734d4f4af27365d3379d480a5b5a8ecb30e5f660

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      3ed501eb347a94dc2045c13010c2df43

      SHA1

      64ea25d6eff456bd5039fab8b3e11e0251068904

      SHA256

      46d32e4e4429808524481d0daee0c79dcabbfbdf7b93b14242f693be2ecbbbab

      SHA512

      9e92aa403e47372fb495ef1d76c5ab8dfc7a6005a3d87ab3361c5043cf8d8f8ae920f61c8bef5615645e1c05355bf55cc2530de58ec002717015492c11863b84

      Download Submit

    • memory/1244-36-0x0000000001250000-0x000000000126A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2072-31-0x000000001B270000-0x000000001B2F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-1-0x00000000012E0000-0x00000000012FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2072-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-32-0x000000001B270000-0x000000001B2F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-30-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2524-7-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2524-8-0x0000000002820000-0x0000000002828000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2524-6-0x0000000002940000-0x00000000029C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2884-15-0x0000000002350000-0x0000000002358000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2884-14-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

      Download