Analysis

  • max time kernel
    132s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2024, 01:17

General

  • Target

    fix.exe

  • Size

    40KB

  • MD5

    b959b8c3505c2e17d3d944ba48d285f8

  • SHA1

    0155afd2d2a57d3070a900bbb405145977300b7c

  • SHA256

    ea8cd343d704a76b3f3dc8ffacdcfefb56f2d7571a68b42381146d91a9bb5526

  • SHA512

    4fdef5114503fd8be5cfd64e945994dcde399239f0c03873a6cd48b2e7a030b99fb755e23f6dfc185274eb4f6712dee0d1ffc68b11d148e701819ebf576d6c47

  • SSDEEP

    768:OFrGIhUKXBeFQOnHAvrSH7tF5Pa9qB9Owh43/mXZ:OueBehHAv6xF49qB9Owu+XZ

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

behind-h.gl.at.ply.gg:44133

Mutex

B9kO57FG9eew8BnL

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fix.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fix.exe"
    PID: 4504
    • Suspicious use of AdjustPrivilegeToken
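The extracted config (C2 host and port, mutex, install directory and file) together with the file hashes and the observed process give enough to hunt for this sample on other hosts. The following Python is an added example and not part of the sandbox report or of Triage's own tooling: the event dictionaries and SAMPLE_EVENTS are constructed to resemble Sysmon-style telemetry, and the indicator labels (hash:sha256, install_path, mutex, c2_dns, c2_connect) are my own naming.

```python
"""Hunt for the XWorm indicators extracted in the report above.

Added example, not part of the sandbox report. The event shape (plain dicts
with an "event" key) and SAMPLE_EVENTS are constructed to mimic Sysmon-style
telemetry; real EDR schemas differ and need their own field mapping.
"""
import re

# Indicators taken from the report's General and Malware Config sections.
C2_HOST = "behind-h.gl.at.ply.gg"
C2_PORT = 44133
MUTEX = "B9kO57FG9eew8BnL"
HASHES = {
    "md5": "b959b8c3505c2e17d3d944ba48d285f8",
    "sha1": "0155afd2d2a57d3070a900bbb405145977300b7c",
    "sha256": "ea8cd343d704a76b3f3dc8ffacdcfefb56f2d7571a68b42381146d91a9bb5526",
}
# Install_directory %AppData% expands to C:\Users\<user>\AppData\Roaming,
# so the dropped copy is expected at <that dir>\XClient.exe for any user.
INSTALL_PATH_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\xclient\.exe$", re.IGNORECASE
)


def match_event(ev):
    """Return the list of indicator names a single event matches."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        for algo, known in HASHES.items():
            if ev.get("hashes", {}).get(algo, "").lower() == known:
                hits.append(f"hash:{algo}")
        if INSTALL_PATH_RE.match(ev.get("image", "")):
            hits.append("install_path")
    elif kind == "file_create":
        if INSTALL_PATH_RE.match(ev.get("target", "")):
            hits.append("install_path")
    elif kind == "dns_query":
        # Tolerate a trailing dot from resolvers that log FQDNs.
        if ev.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append("c2_dns")
    elif kind == "network_connect":
        # Match on the hostname; a bare port number is too weak to alert on.
        if ev.get("dst_host", "").lower() == C2_HOST:
            hits.append("c2_connect" if ev.get("dst_port") == C2_PORT
                        else "c2_host_other_port")
    elif kind == "mutex_create":
        # Strip a Global\ or Local\ namespace prefix before comparing.
        if ev.get("name", "").rsplit("\\", 1)[-1] == MUTEX:
            hits.append("mutex")
    return hits


def hunt(events):
    """Group indicator hits by pid so a process with several hits stands out."""
    findings = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            findings.setdefault(ev.get("pid"), []).extend(hits)
    return findings


# Constructed telemetry: one process behaving like the report plus benign noise.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4504,
     "image": r"C:\Users\Admin\AppData\Local\Temp\fix.exe",
     "hashes": {"sha256": "EA8CD343D704A76B3F3DC8FFACDCFEFB56F2D7571A68B42381146D91A9BB5526"}},
    {"event": "process_create", "pid": 812,
     "image": r"C:\Windows\System32\svchost.exe",
     "hashes": {"sha256": "0" * 64}},
    {"event": "file_create", "pid": 4504,
     "target": r"C:\Users\Admin\AppData\Roaming\XClient.exe"},
    {"event": "mutex_create", "pid": 4504, "name": r"Local\B9kO57FG9eew8BnL"},
    {"event": "dns_query", "pid": 4504, "query": "behind-h.gl.at.ply.gg."},
    {"event": "dns_query", "pid": 812, "query": "example.com"},
    {"event": "network_connect", "pid": 4504,
     "dst_host": "behind-h.gl.at.ply.gg", "dst_port": 44133},
]

if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Hash matches only catch this exact 40KB dropper; the install path, mutex and C2 hostname survive a rebuild of the binary, which is why they are matched separately and grouped per process.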

Network

MITRE ATT&CK Matrix


Downloads

  • memory/4504-0-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp

    Filesize

    8KB

  • memory/4504-1-0x00000000003A0000-0x00000000003B0000-memory.dmp

    Filesize

    64KB

  • memory/4504-2-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

    Filesize

    10.8MB

  • memory/4504-3-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

    Filesize

    10.8MB
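The artifact names above encode the PID and the dumped address range, so the listed sizes can be recomputed and overlapping captures spotted without opening the dumps. The following Python is an added example, not part of the sandbox report: it parses the memory/<pid>-<index>-<start>-<end>-memory.dmp convention read off the entries above and reproduces the report's size formatting.

```python
"""Parse the memory-dump artifact names listed above and recompute their sizes.

Added example, not part of the sandbox report. The naming convention
memory/<pid>-<index>-<start>-<end>-memory.dmp is read off the entries above;
nothing here inspects dump contents.
"""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split an artifact name into pid, index and the dumped address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format as the report does: binary units, KB below 1 MiB, else one-decimal MB."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:g}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def summarize(names):
    """One row per artifact with the recomputed size string."""
    rows = []
    for n in names:
        d = parse_dump_name(n)
        d["size_str"] = human_size(d["size"])
        rows.append(d)
    return rows


def duplicate_ranges(names):
    """Address ranges dumped more than once (same region captured at different moments)."""
    counts = Counter((d["start"], d["end"]) for d in summarize(names))
    return sorted(r for r, c in counts.items() if c > 1)


# The four artifacts from the Downloads list above.
REPORTED = [
    "memory/4504-0-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp",
    "memory/4504-1-0x00000000003A0000-0x00000000003B0000-memory.dmp",
    "memory/4504-2-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp",
    "memory/4504-3-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp",
]

if __name__ == "__main__":
    for row in summarize(REPORTED):
        print(f"pid {row['pid']} #{row['idx']}: "
              f"{row['start']:#018x}-{row['end']:#018x} {row['size_str']}")
    print("dumped twice:", [(f"{s:#x}", f"{e:#x}") for s, e in duplicate_ranges(REPORTED)])
```

Run against the four names above, the recomputed sizes match the listed 8KB, 64KB, 10.8MB and 10.8MB, and the two 10.8MB entries turn out to be the same range 0x7FFA73F00000-0x7FFA749C1000 captured twice, with the 8KB region at index 0 lying inside it; there are two snapshots of one large mapping, not four distinct regions.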