Overview

overview

10

Static

static

10

windowspowershell.exe

windows7-x64

10

windowspowershell.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    15s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windowspowershell.exe

  • Size

    70KB

  • MD5

    a65730c3385f81d9dd1245fd6a7dd8bc

  • SHA1

    bfea51aad8077ffbe0893687c6706449e0204f07

  • SHA256

    f3e91c0e63a38f99af50221e9215315f401d591968c9e76d2d786908a6cccf1b

  • SHA512

    6e0327af881fbc18dc8542835513e502e1575aa4b94ced9b752194eb3d84014b0e8d47e9a44d0dc2d8eac9552b4fab7744ec4a486879d4242bd57a04ab6256c6

  • SSDEEP

    1536:4xr5e+IPIyYGFZabUnYmjLha8qB2nD6T9aZOLTST6:gFE7YWQbUmt2cKOLM6

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

so-presently.gl.at.ply.gg :59751

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\windowspowershell.exe
    "C:\Users\Admin\AppData\Local\Temp\windowspowershell.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\windowspowershell.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'windowspowershell.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\windowspowershell.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "windowspowershell" /tr "C:\Users\Admin\AppData\Roaming\windowspowershell.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d48106efff15bfb186c384b1c0ddd862

    SHA1

    c7dd7205f254b3ee2b46b837e89f8f1f7ecb0e55

    SHA256

    335e79dd57ac4d8b7175075567059bcac31f303c8221d87b4826ceebbeb84da8

    SHA512

    16b29ecb3fa647511489acfc5e6aa2946d5093b9758c3df431fe8359f1bbe5343200aac493736aeca4a08754eb29cf757afa328cb83e2f25897e6d3ed4453033

    Download Submit
  • C:\Users\Admin\AppData\Roaming\windowspowershell.exe
    Filesize

    70KB

    MD5

    a65730c3385f81d9dd1245fd6a7dd8bc

    SHA1

    bfea51aad8077ffbe0893687c6706449e0204f07

    SHA256

    f3e91c0e63a38f99af50221e9215315f401d591968c9e76d2d786908a6cccf1b

    SHA512

    6e0327af881fbc18dc8542835513e502e1575aa4b94ced9b752194eb3d84014b0e8d47e9a44d0dc2d8eac9552b4fab7744ec4a486879d4242bd57a04ab6256c6

    Download Submit
  • memory/1708-0-0x000007FEF5153000-0x000007FEF5154000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1708-1-0x0000000000240000-0x0000000000258000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1708-2-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1708-30-0x000007FEF5153000-0x000007FEF5154000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1708-31-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2828-15-0x000000001B5B0000-0x000000001B892000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2828-16-0x0000000002250000-0x0000000002258000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2884-7-0x0000000002900000-0x0000000002980000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2884-8-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2884-9-0x00000000029E0000-0x00000000029E8000-memory.dmp
    Filesize

    32KB

    Download