Overview

overview

10

Static

static

3

TRXLoader.exe

windows10-ltsc 2021-x64

10

TRXLoader.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    15s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-11-2024 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TRXLoader.exe

  • Size

    44.0MB

  • MD5

    a4b651742b17fcb894107862b5587344

  • SHA1

    9fb0be5290ff4cb8a7e7a41656beb950f7718f8d

  • SHA256

    3f862630ab1f165e33bdf388a4829a0274abd88ee783273f03353857c21aa9a0

  • SHA512

    ba19d8bc1aa69553f1ea1ab3937e226b4664be81fa77371d093a52f23a9806e7f7e9f3f11dbec805b7ed943cb571984774c5591dbedf816c7ff05aaf7da062b3

  • SSDEEP

    1536:j3eHtRfrimdNmkKZr311OGAiQj39IdcCqcAPt9TeKd+k:KHtRp6r311RAzj390VAPt9P+k

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38492

warning-ms.gl.at.ply.gg:38492
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TRXLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\TRXLoader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    Filesize

    87KB

    MD5

    38fc92faaaa97884e49674a2fb59dffa

    SHA1

    d2fdfcd6a426e4a0eb3dfc3b1c0d09ea0db945a2

    SHA256

    26d868f392303276bb62ce6771ec4bae63add8874e2621549d447490112ba992

    SHA512

    b8d4a64a9e02e96848d9285b3a6e7986cf4c54a520f75354008815790d7001361b3e570d9ff1c2d5e747ee1943b6bee791012120b536b06edb534aa76c445777

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urnseqco.njg.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3252-20-0x00007FF985CE3000-0x00007FF985CE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3252-1-0x0000000000EE0000-0x0000000000F08000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3252-35-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3252-0-0x00007FF985CE3000-0x00007FF985CE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3252-33-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3284-32-0x0000000000370000-0x000000000038C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4576-11-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-18-0x000001D4C4130000-0x000001D4C427F000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4576-19-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-15-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-14-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-13-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-12-0x00007FF985CE0000-0x00007FF9867A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-10-0x000001D4C40C0000-0x000001D4C40E2000-memory.dmp

    Filesize

    136KB

    Download