Overview

overview

10

Static

static

10

sv.exe

windows10-1703-x64

10

sv.exe

windows7-x64

10

sv.exe

windows10-2004-x64

10

sv.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-06-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sv.exe

  • Size

    63KB

  • MD5

    c095a62b525e62244cad230e696028cf

  • SHA1

    67232c186d3efe248b540f1f2fe3382770b5074a

  • SHA256

    a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

  • SHA512

    5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

  • SSDEEP

    1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

amount-acceptance.gl.at.ply.gg:7420

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svhost.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sv.exe
    "C:\Users\Admin\AppData\Local\Temp\sv.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2520
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2924
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {90576933-B71C-48E5-BD67-E730087A804E} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
    1⤵
      PID:784
      • C:\ProgramData\svhost.exe
        C:\ProgramData\svhost.exe
        2⤵
          PID:1972
        • C:\ProgramData\svhost.exe
          C:\ProgramData\svhost.exe
          2⤵
            PID:1904
          • C:\ProgramData\svhost.exe
            C:\ProgramData\svhost.exe
            2⤵
              PID:2056

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\svhost.exe
            Filesize

            63KB

            MD5

            c095a62b525e62244cad230e696028cf

            SHA1

            67232c186d3efe248b540f1f2fe3382770b5074a

            SHA256

            a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

            SHA512

            5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            1f1f80cd789d6f150b2da694da6ca157

            SHA1

            f5b692906f86a6a4f5db4c4633301c3df92c7c25

            SHA256

            3dd01cc52f5ed83efb81f707ce77f696ce5df6905eb1d97d80daeb0195e19581

            SHA512

            be66e836c2db80f5364c2267692fc9c0931aa7a2b9f94a6018b84df214e8b643f533f4e6024ab3d533e98becda610ffc6dc42491926025b00047381b2b071fe1

            Download Submit
          • memory/1904-41-0x00000000000D0000-0x00000000000E6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/1972-34-0x00000000011C0000-0x00000000011D6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/2056-43-0x00000000009E0000-0x00000000009F6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/2256-36-0x00000000020B0000-0x00000000020BC000-memory.dmp
            Filesize

            48KB

            Download
          • memory/2256-30-0x000000001AB60000-0x000000001ABE0000-memory.dmp
            Filesize

            512KB

            Download
          • memory/2256-35-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2256-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2256-37-0x000000001AB60000-0x000000001ABE0000-memory.dmp
            Filesize

            512KB

            Download
          • memory/2256-38-0x000000001A5F0000-0x000000001A5FA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2256-1-0x0000000000850000-0x0000000000866000-memory.dmp
            Filesize

            88KB

            Download
          • memory/2680-15-0x00000000023C0000-0x00000000023C8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2680-14-0x000000001B580000-0x000000001B862000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/2832-7-0x000000001B490000-0x000000001B772000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/2832-8-0x0000000002790000-0x0000000002798000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2832-6-0x0000000002A40000-0x0000000002AC0000-memory.dmp
            Filesize

            512KB

            Download