Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/01/2025, 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    1.4MB

  • MD5

    ebe8a0f61f53a3817c3fbcc3ab3a1f4c

  • SHA1

    d87d66d53f29464d1f32b2c1e3b7ce507c51c40d

  • SHA256

    27f53d6d1b4f4edb6c517ac1a517a4e9158d5d96eeccfd324c925d3772c3f44c

  • SHA512

    33138b6fc03af9598821377dfdacaad64a56b7a05e7c7ae48de958e0002c8eec695e49633aec8be212be321f525ca165e40abf81bf0c69a57a0582f94698385b

  • SSDEEP

    24576:HMjhUS5MaULo18LoNubLFwUoTh+tasCU1Yc0zRgYEz405bmktUNudtJjdPrF:6t5CLQ8sNg9oThYoic27cab7SNudXjdZ

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.212.166.99:4404

Mutex

f35pmRFzPiiasEf1

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    dllhost.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to execute payload.

    execution
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\is-CCN16.tmp\random.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CCN16.tmp\random.tmp" /SL5="$400E8,1104885,161792,C:\Users\Admin\AppData\Local\Temp\random.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\random.exe
        "C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Users\Admin\AppData\Local\Temp\is-KO7PT.tmp\random.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-KO7PT.tmp\random.tmp" /SL5="$500E8,1104885,161792,C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\regsvr32.exe
            "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Windows\system32\regsvr32.exe
              /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2748
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2616
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4E2782E7-F911-42FD-92E1-CFA28DBCF717}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:568
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
                7⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2992
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D6D277FC-E1A6-423B-9B19-CB00AA398F17} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\dllhost.exe
      C:\Users\Admin\AppData\Local\dllhost.exe
      2⤵
      • Executes dropped EXE
      PID:2324
    • C:\Users\Admin\AppData\Local\dllhost.exe
      C:\Users\Admin\AppData\Local\dllhost.exe
      2⤵
      • Executes dropped EXE
      PID:1292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ed4463ffb1a9db8342ced4d5ea03fe62

    SHA1

    00905caf430294e23b51f966e1ea59e9c6ed61ca

    SHA256

    3885aba4ac4a5bb3ce3acdb8a985da20cf9b9bf47c1863d63596c62a1bb1bdbe

    SHA512

    3f93b493f5ad1ad3d67e562049d66f9eed91fbc52caca1180cb07acde8642d84d2f6dfaa9d57559d85764fd2601dc738fb2d5b85087662f8605efb3d0b93cc6d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uxtheme_2.drv
    Filesize

    3.0MB

    MD5

    022a2e01cd6ff624652952cf43b0fe0d

    SHA1

    f3670138ac48304d5ce26202ed51b20ada4f0052

    SHA256

    f4213387bf82edf9929ba45b8c4d6942e99b31b7b3d155f0b7d1d22bffe1d607

    SHA512

    c0ad1737197ce2216287a2d53251048a8cfca7ee67a54f3316b0d7be12728114e2b68e8b92b67eb5b6e3115164a02589c449f4432c1b9a7dc35c2f49d44e6155

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-CCN16.tmp\random.tmp
    Filesize

    1.1MB

    MD5

    bcc236a3921e1388596a42b05686ff5e

    SHA1

    43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

    SHA256

    43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

    SHA512

    e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-IHQ0N.tmp\_isetup\_isdecmp.dll
    Filesize

    13KB

    MD5

    a813d18268affd4763dde940246dc7e5

    SHA1

    c7366e1fd925c17cc6068001bd38eaef5b42852f

    SHA256

    e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

    SHA512

    b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-IHQ0N.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • \Users\Admin\AppData\Local\dllhost.exe
    Filesize

    19KB

    MD5

    59bce9f07985f8a4204f4d6554cff708

    SHA1

    645c424974fbe5fe7a04cac73f1c23c96e1570b8

    SHA256

    ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

    SHA512

    3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

    Download Submit

  • memory/568-69-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/568-70-0x0000000001F10000-0x0000000001F18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2616-61-0x000000001B6A0000-0x000000001B982000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2616-62-0x00000000027A0000-0x00000000027A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2680-0-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2680-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2680-26-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2736-28-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2736-53-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2736-21-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2748-72-0x0000000000330000-0x0000000000340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2748-73-0x000007FEF6730000-0x000007FEF6A30000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2788-15-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2788-24-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2896-51-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download