Overview

overview

10

Static

static

3

Output.exe

windows7-x64

10

Output.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    5s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Output.exe

  • Size

    98KB

  • MD5

    d7557a4322101418a54b3ba0d973bdb1

  • SHA1

    57ae796673ce3d7d32dc4490f5e331c643aa8228

  • SHA256

    8f26c490abbe3b76d42635347d83ffa6387888021d4909fcfd63e3dcc25540d2

  • SHA512

    d2118512333b3e72eb1fad020082468b6d67689e104fcb4a0bb455c4870b429eff119987ca87d697398572e022a38949f5d3b75c3fd4c6106057d84ff786d773

  • SSDEEP

    1536:ijXg7n3OaMrKTV82jTj5I6Ws5SZYSx8fWL5uWQaIK0naap+/l8NXftTOqg:ijw7n+NKTZFPkZvT5uCIak+/l8lfE

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

million-houston.gl.at.ply.gg:27705

Attributes
  • Install_directory

    %AppData%

  • install_file

    BloxstrapModded.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\README.txt
    Filesize

    438B

    MD5

    659061a5689cae197b49f62be53bcf40

    SHA1

    6467f2252645e7ce87932aad37e24a6eed3fefeb

    SHA256

    0ca739b146beb166072cb199c8090f98140b88c5a7c251cf4ed730487507936c

    SHA512

    f5933100e6ce6a030cb7ee36213308cfa4b05859b903564c4d711e60433079dd8182922ea45f25ec8b8defca90c5aa56a94bce031e5aa0e35e11ae19fb858567

    Download Submit
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    Filesize

    80KB

    MD5

    cfeb71480542c9b6d6aec88f02e6d820

    SHA1

    4fcf90f5f8e16dcee2fa5ee1611394533f7ff740

    SHA256

    ebabe3ead25f28d4fe0a3ab1a592d7160065995da465ec549ebe8f27ba5eeee9

    SHA512

    e5d1a95fe948e295f0f7cc55f88464136e088b0c7f531a132eab76025885f2de93d101981fc3dedc4bd7ed271b58578bcab235fc9d2bedca6e209fb3f7d594bd

    Download Submit
  • memory/2080-8-0x0000000000180000-0x000000000019A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2080-9-0x000007FEF5890000-0x000007FEF627C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2080-12-0x000000001B400000-0x000000001B480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-0-0x0000000000B60000-0x0000000000B7E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2468-1-0x000007FEF5890000-0x000007FEF627C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2468-11-0x000007FEF5890000-0x000007FEF627C000-memory.dmp
    Filesize

    9.9MB

    Download