Resubmissions

30-06-2024 19:02

240630-xqax3swdnr 10

30-06-2024 18:53

240630-xjrx1swcnk 10

Analysis

  • max time kernel
    37s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2024 18:53

General

  • Target

    Image Logger Hybrid V4.exe

  • Size

    126KB

  • MD5

    6d103c685ef0960fab6eca5bf4617583

  • SHA1

    ea11a8ba30f54015d71ed646fbd14b8800fc2e3f

  • SHA256

    77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f

  • SHA512

    2429d67cf73056d496ff4cff2b8a72e2bc643201616b969464543580bd027366e13c51fda4161e319af122fa22c088c1ec737e87e8528e09b4e450d84755732d

  • SSDEEP

    3072:RMSncRzAOLeCyRuZA3A+bZ5FFOOszPAv:ySncRl3Zebv

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    dllhost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe
    "C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\S.EXE
      "C:\Users\Admin\AppData\Local\Temp\S.EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gPNIGqDv.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo id. "
          4⤵
          PID:3264
        • C:\Windows\system32\findstr.exe
          findstr /c:"".png""
          4⤵
          PID:1608
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo idk.png "
          4⤵
          PID:1956
        • C:\Windows\system32\findstr.exe
          findstr /c:"".png""
          4⤵
          PID:4864
    • C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
      "C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TESTEE.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3260
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2272
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1032,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
    1⤵
    PID:4480
  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    C:\Users\Admin\AppData\Roaming\dllhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    d85ba6ff808d9e5444a4b369f5bc2730
    SHA1
    31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256
    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512
    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    d28a889fd956d5cb3accfbaf1143eb6f
    SHA1
    157ba54b365341f8ff06707d996b3635da8446f7
    SHA256
    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
    SHA512
    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    cae60f0ddddac635da71bba775a2c5b4
    SHA1
    386f1a036af61345a7d303d45f5230e2df817477
    SHA256
    b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
    SHA512
    28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    22310ad6749d8cc38284aa616efcd100
    SHA1
    440ef4a0a53bfa7c83fe84326a1dff4326dcb515
    SHA256
    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
    SHA512
    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

  • C:\Users\Admin\AppData\Local\Temp\S.EXE
    Filesize
    7KB
    MD5
    b8d58060de9ef19140c2801ea6c979bf
    SHA1
    f98094ff9101b483e7a0d2826884a351c734fa9b
    SHA256
    38d7a6d3e1fee555dd526ade1d5efaf18d62bb35dbcea1505f47fd6346b432a8
    SHA512
    3eec6801ce54fc2541374a6f97956186d17e841a35f039fce59d7b0143f31d9fe8efe33e89fd676311b79baf75b5fae04f785d493206b75e424ba8d4e56adc7d

  • C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
    Filesize
    66KB
    MD5
    04b8f12a041a2812f433aaf8f0a897e7
    SHA1
    b0680cf948c750266c565d21a100e8127d8bae40
    SHA256
    94fc19b165838e67bb83583d20b11d5acc7af865aa8a1c73691addd86975ac15
    SHA512
    018e3e534249abaa1d7da77566a3f1742e047a074ee07ae9a6cfcfa32d68f2b1bfb853360928cc9d2b28299d41803f7841aa5b5ef6431310b0b8b3ce0adf608e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xntcrsi0.mg0.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\gPNIGqDv.bat
    Filesize
    2KB
    MD5
    f588fb26f7bb8500fe4235446e808d1d
    SHA1
    0d0029a41f068d8b2ace763b57a1a7cdca6ea86b
    SHA256
    70b6546689c6e17ce3da85e5d52f0b053fdc18579559f3477d3362e2cdaff41e
    SHA512
    fc84adc7447cb36b43aa9c90f395126622044c83321bc2c2c6791f8f4f6099b43137e5668f2eff5c1d9edec0f5af5ae2e7b22d64dc2307404c27291349822a1e

  • memory/1540-90-0x00007FFB91823000-0x00007FFB91825000-memory.dmp
    Filesize
    8KB

  • memory/1540-78-0x00007FFB91820000-0x00007FFB922E1000-memory.dmp
    Filesize
    10.8MB

  • memory/1540-102-0x00007FFB91820000-0x00007FFB922E1000-memory.dmp
    Filesize
    10.8MB

  • memory/1540-22-0x0000000000060000-0x0000000000076000-memory.dmp
    Filesize
    88KB

  • memory/1540-21-0x00007FFB91823000-0x00007FFB91825000-memory.dmp
    Filesize
    8KB

  • memory/1724-24-0x0000000000DA0000-0x0000000000DA8000-memory.dmp
    Filesize
    32KB

  • memory/1724-97-0x00007FFB91820000-0x00007FFB922E1000-memory.dmp
    Filesize
    10.8MB

  • memory/1724-101-0x00007FFB91820000-0x00007FFB922E1000-memory.dmp
    Filesize
    10.8MB

  • memory/1724-29-0x00007FFB91820000-0x00007FFB922E1000-memory.dmp
    Filesize
    10.8MB

  • memory/1960-40-0x000001FCC3400000-0x000001FCC3422000-memory.dmp
    Filesize
    136KB