Overview

overview

10

Static

static

10

28132ef9c2...cs.exe

windows7-x64

10

28132ef9c2...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 00:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe

  • Size

    37KB

  • MD5

    a1e092a1d81eb20d8d5904b6cbab7160

  • SHA1

    333fb684353cc1e8dfe6206cd3b9721c5574a05d

  • SHA256

    28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695

  • SHA512

    883088a4ebb323698f50fcad2db43a88c96bc6379eabeb1b169b097ba8f4fa9b4d48390e5f24c5b3d3ca15b105121739987dcb5514aa58b441ae777930901537

  • SSDEEP

    768:H5gTXwbLsAheofRhTUOe9tLFyc9PoO/hiDy0R:H5gTgUAhHKOSF39PoO/R0R

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

modern-educators.gl.at.ply.gg:23695

Mutex

8N14jzyvJ63EProc

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1964
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2332
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {69EDA391-F9AF-4B2A-B8B3-E733B8BBABB9} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
    1⤵
      PID:2508

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1964-0-0x000007FEF6193000-0x000007FEF6194000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1964-1-0x0000000000EF0000-0x0000000000F00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1964-2-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1964-6-0x000007FEF6193000-0x000007FEF6194000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1964-7-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp
      Filesize

      9.9MB

      Download