Resubmissions

01-07-2024 16:09

240701-tl9n3ascnn 10

01-07-2024 00:42

240701-a2hqqstgjn 10

Analysis

  • max time kernel
    9s
  • max time network
    77s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    01-07-2024 00:42

Errors

Reason
Machine shutdown

General

  • Target: RobloxExecutor.exe
  • Size: 316KB
  • MD5: f0c864fee64edd613b413ddb7c559446
  • SHA1: 87e75a58eef9f3765a2eed498f6aca135b1ef7c4
  • SHA256: f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd
  • SHA512: 9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154
  • SSDEEP: 3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: allows-welfare.gl.at.ply.gg:49180
  • Mutex: B2qPpHuLCfcwYFiL
  • Attributes
    • Install_directory: %AppData%
    • install_file: System.exe
    • aes.plain

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm
    Xworm is a remote access trojan written in C#.
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Looks up external IP address via web service (1 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "Systemdefault.exe" & start "" "LOLPOOP.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
        "Systemdefault.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systemdefault.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3216
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3460
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2536
        • C:\Windows\SYSTEM32\shutdown.exe
          shutdown.exe /f /r /t 0
          4⤵
          PID:4212
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
          "LOLPOOP.exe"
          3⤵
          • Executes dropped EXE
          PID:5036
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3a05055 /state1:0x41c64e6d
      1⤵
      PID:780

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
  • Discovery
    • System Information Discovery (T1082): 1


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
    SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
    SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
    SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: e07eea85a8893f23fb814cf4b3ed974c
    SHA1: 8a8125b2890bbddbfc3531d0ee4393dbbf5936fe
    SHA256: 83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
    SHA512: 9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: b0a85f07903eaad4aace8865ff28679f
    SHA1: caa147464cf2e31bf9b482c3ba3c5c71951566d1
    SHA256: c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5
    SHA512: 7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
    Filesize: 9KB
    MD5: c9bd5672882c79b5f7977fc3c37dc9b6
    SHA1: 90cfa0e99aacd42bd2561cdb218fd618f0ed4b9f
    SHA256: c6594102d290245d0830cead7f7e3cacf79db881358f001373fcca0d625d0998
    SHA512: 5586496c54c7c33c3e3f1cd6c4e0117b8e34d42846f55aadf22314144e1e27691e8c7fef924386cd5ae01a958d7437ab1a0b6c709ca06f25f6deab82f6171038

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
    Filesize: 40KB
    MD5: 2b7216f79728eb5ff4b5553737685a99
    SHA1: d7f4f41f03485eb76326c75ec2ae0fe53282ebd0
    SHA256: 5a40bff3109b83243b53bf7439dc5e66e29c923363c02d49fa93614c19ce36f5
    SHA512: b9f4c8e9b5b46785806eb498028e85d2515d743a518c0ecfd9269e8f4cb2351da0bcd9a6bc0e74eabc33e8dd2374bee46566b188d5f4ee49ba3384ece7a54982

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0znn3gf.fy1.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1592-19-0x000001C01EB60000-0x000001C01EB82000-memory.dmp
    Filesize: 136KB

  • memory/4748-18-0x000000001B7D0000-0x000000001B7E0000-memory.dmp
    Filesize: 64KB

  • memory/4748-11-0x0000000000BC0000-0x0000000000BD0000-memory.dmp
    Filesize: 64KB

  • memory/4748-68-0x000000001B7D0000-0x000000001B7E0000-memory.dmp
    Filesize: 64KB

  • memory/4748-67-0x000000001C7F0000-0x000000001C7FA000-memory.dmp
    Filesize: 40KB

  • memory/4748-10-0x00007FFB2CC93000-0x00007FFB2CC95000-memory.dmp
    Filesize: 8KB

  • memory/5036-14-0x0000000005500000-0x0000000005AA6000-memory.dmp
    Filesize: 5.6MB

  • memory/5036-12-0x000000007295E000-0x000000007295F000-memory.dmp
    Filesize: 4KB

  • memory/5036-13-0x00000000003C0000-0x00000000003C8000-memory.dmp
    Filesize: 32KB

  • memory/5036-17-0x0000000072950000-0x0000000073101000-memory.dmp
    Filesize: 7.7MB

  • memory/5036-65-0x000000007295E000-0x000000007295F000-memory.dmp
    Filesize: 4KB

  • memory/5036-66-0x0000000072950000-0x0000000073101000-memory.dmp
    Filesize: 7.7MB

  • memory/5036-15-0x0000000004E90000-0x0000000004F22000-memory.dmp
    Filesize: 584KB

  • memory/5036-16-0x0000000004E80000-0x0000000004E8A000-memory.dmp
    Filesize: 40KB

  • memory/5036-70-0x0000000072950000-0x0000000073101000-memory.dmp
    Filesize: 7.7MB