Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-06-2024 03:55

General

  • Target

    d3c5e789d12756e34a5461e809640b52.exe

  • Size

    15.2MB

  • MD5

    d3c5e789d12756e34a5461e809640b52

  • SHA1

    d8b9710872f0c3ba3e75e3bcd56071625cf4592e

  • SHA256

    b1c30897a9ce11448790b40a820dd26571c9815b277b229715fadf0199870ac2

  • SHA512

    267624b56bb7901fa66d7f8cd9fb5e0602a9054649b15738f84eafd06b56997f552310228a01087e5558725b43c38af87e224570e0e3a4ec570d8f6e0159481e

  • SSDEEP

    393216:AlAEncAYaYUCwkm0r0McGg9p+aBfdRG1itJLr:SnOUCwL/2mpLf/G1YLr

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.tcp.eu.ngrok.io:14831

Mutex

tGWGfcswkH2xASVw

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

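The "Detects Pyinstaller" signature above (together with the `_MEI26962\python310.dll` drop and cstealer.exe re-spawning itself, both typical of a PyInstaller one-file bundle) rests on an on-disk marker: the archive trailer, or "cookie", that PyInstaller appends to its loader stub. The following is an added example, not code from the sandbox, the sample or PyInstaller; it parses that trailer and walks the embedded table of contents. The bundle it runs on is constructed in the block (a fake loader stub plus a PyInstaller-style archive), not bytes from cstealer.exe, and the entry name `entry_script` is a placeholder.

```python
"""Recognise a PyInstaller one-file bundle by its CArchive trailer (the "cookie").

Added example, not code from the sandbox or from the sample. The bundle parsed here is
constructed below (fake loader stub plus a PyInstaller-style archive), not cstealer.exe.
"""
import struct

# The 8-byte magic that opens PyInstaller's archive cookie.
MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout used since PyInstaller 2.1: magic, package length, TOC offset,
# TOC length, Python version (e.g. 310) and the Python shared-library name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)     # 88 bytes
TOC_HDR_FMT = "!iIIIBc"                        # entry size, offset, compressed size, uncompressed size, flag, type
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)   # 18 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie as a dict, or None if data is not a PyInstaller bundle.

    The loader stub can itself contain the magic string, so the LAST occurrence is taken:
    the real cookie is the final structure of the archive appended to the stub.
    """
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    archive_start = pos + COOKIE_SIZE - pkg_len   # the package length counts the cookie itself
    # Reject a stray magic string whose "cookie" does not describe a plausible archive.
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None
    return {"archive_start": archive_start, "package_len": pkg_len, "toc_offset": toc_off,
            "toc_len": toc_len, "python_version": pyvers,
            "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace")}


def list_toc(data: bytes, cookie: dict) -> list:
    """Walk the table of contents and return the embedded entries (name, type, location)."""
    base = cookie["archive_start"]
    pos = base + cookie["toc_offset"]
    end = pos + cookie["toc_len"]
    entries = []
    while pos + TOC_HDR_SIZE <= end:
        size, off, _clen, ulen, cflag, typ = struct.unpack_from(TOC_HDR_FMT, data, pos)
        if size <= TOC_HDR_SIZE:              # malformed entry: stop instead of looping forever
            break
        name = data[pos + TOC_HDR_SIZE:pos + size].rstrip(b"\0").decode("utf-8", "replace")
        # Entry types: 'b' binary (e.g. python310.dll), 's' script, 'z' PYZ archive, 'x' data.
        entries.append({"name": name, "type": typ.decode(), "compressed": bool(cflag),
                        "offset": base + off, "size": ulen})
        pos += size
    return entries


def _toc_entry(name: bytes, offset: int, size: int, typ: bytes) -> bytes:
    """Encode one TOC entry; the name is NUL-padded so the entry length is a multiple of 16."""
    name_len = len(name) + 1
    pad = (16 - (TOC_HDR_SIZE + name_len) % 16) % 16
    entry_size = TOC_HDR_SIZE + name_len + pad
    header = struct.pack(TOC_HDR_FMT, entry_size, offset, size, size, 0, typ)
    return header + name.ljust(name_len + pad, b"\0")


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a one-file bundle (not a real PE and not real PyInstaller output)."""
    stub = b"MZ" + b"\0" * 62 + MAGIC + b"\0" * 16        # 88 bytes; carries a decoy magic string
    dll, script = b"DLL-BYTES" * 4, b"SCRIPT" * 3           # payloads at archive offsets 0 and 36
    toc = (_toc_entry(b"python310.dll", 0, len(dll), b"b")
           + _toc_entry(b"entry_script", len(dll), len(script), b"s"))   # placeholder script name
    toc_off = len(dll) + len(script)
    pkg_len = toc_off + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, toc_off, len(toc), 310, b"python310.dll")
    return stub + dll + script + toc + cookie


if __name__ == "__main__":
    blob = build_sample_bundle()
    found = find_pyinstaller_cookie(blob)
    print("PyInstaller bundle:", found)
    for e in list_toc(blob, found):
        print(f"  {e['type']} {e['name']} @ {e['offset']} ({e['size']} bytes)")
```

Taking the last occurrence of the magic is what makes this robust against the stub containing the same string; the archive-start and TOC-bounds checks keep a random hit in unrelated data from being reported as a bundle. On a real sample the TOC is where the Python version, the bundled DLL name and the entry script name come from, which is what a triage note like the one above records.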
Processes

  • C:\Users\Admin\AppData\Local\Temp\d3c5e789d12756e34a5461e809640b52.exe
    "C:\Users\Admin\AppData\Local\Temp\d3c5e789d12756e34a5461e809640b52.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\XClient.exe
      "C:\Users\Admin\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2900
    • C:\Users\Admin\cstealer.exe
      "C:\Users\Admin\cstealer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\cstealer.exe
        "C:\Users\Admin\cstealer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:264
    • C:\Users\Admin\XWorm V3.1.exe
      "C:\Users\Admin\XWorm V3.1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FE502E2D-48DA-4458-818E-3657D2CF37E9} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2516

Network

MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is the count of matching signatures)

  • Execution
    • T1053 Scheduled Task/Job (1)
      • T1053.005 Scheduled Task (1)
  • Persistence
    • T1547 Boot or Logon Autostart Execution (1)
      • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1053 Scheduled Task/Job (1)
      • T1053.005 Scheduled Task (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (1)
      • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1053 Scheduled Task/Job (1)
      • T1053.005 Scheduled Task (1)
  • Defense Evasion
    • T1112 Modify Registry (1)
  • Discovery
    • T1082 System Information Discovery (1)
    • T1012 Query Registry (1)
  • Command and Control
    • T1102 Web Service (1)
Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI26962\python310.dll
    Filesize

    4.3MB

    MD5

    deaf0c0cc3369363b800d2e8e756a402

    SHA1

    3085778735dd8badad4e39df688139f4eed5f954

    SHA256

    156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

    SHA512

    5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

  • C:\Users\Admin\XClient.exe
    Filesize

    44KB

    MD5

    cb6f9a73c242da249935950cbb0d4768

    SHA1

    f3562339911c4783e1957e6f87abbcff9ec989dc

    SHA256

    fe0b5c8df242e03f89a6fcebbc23611ec3bd59fe082659eaf67adf0444879a4b

    SHA512

    46280158482f0a73fff728317c2d9413d25bbcce9827af5393696cab9978d4b507975519c87ba175b4064a0db5fc1881b905f3af82acf5ee29be3d371ee71bc5

  • C:\Users\Admin\XWorm V3.1.exe
    Filesize

    6.9MB

    MD5

    37a9fdc56e605d2342da88a6e6182b4b

    SHA1

    20bc3df33bbbb676d2a3c572cff4c1d58c79055d

    SHA256

    422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

    SHA512

    f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

  • \Users\Admin\cstealer.exe
    Filesize

    8.2MB

    MD5

    772fd94b8537d5e9390c9d3ae39fedba

    SHA1

    1be9196b05f9134a60a9b8e96c7c2c35db6e0430

    SHA256

    bf4cf925cbe3a7e1e55c35f153a08dbaec5f873629a4e8fd78a1c645d6dfc520

    SHA512

    98a90466b56bf088926b7b24b36f155e6f008eb0236f090241798d97c411899c9a9587f28c4cfb7fd4cd4e3eef89f6e42e456bfd013da34b1c239a3c1dd3c780

  • memory/1500-91-0x000000001EB10000-0x000000001F67A000-memory.dmp
    Filesize

    11.4MB

  • memory/1500-86-0x0000000000370000-0x0000000000A66000-memory.dmp
    Filesize

    7.0MB

  • memory/2204-1-0x0000000000920000-0x000000000185C000-memory.dmp
    Filesize

    15.2MB

  • memory/2204-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp
    Filesize

    4KB

  • memory/2384-164-0x00000000011D0000-0x00000000011E2000-memory.dmp
    Filesize

    72KB

  • memory/2516-167-0x0000000000100000-0x0000000000112000-memory.dmp
    Filesize

    72KB

  • memory/3068-7-0x00000000010D0000-0x00000000010E2000-memory.dmp
    Filesize

    72KB

  • memory/3068-159-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
    Filesize

    9.9MB

  • memory/3068-160-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
    Filesize

    9.9MB

  • memory/3068-89-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
    Filesize

    9.9MB

  • memory/3068-88-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
    Filesize

    9.9MB