Overview

overview

10

Static

static

3

XwormV5.6.exe

windows7-x64

10

XwormV5.6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XwormV5.6.exe

  • Size

    7.7MB

  • MD5

    027ad6a104d074597068c1781cc0c90d

  • SHA1

    b489c6f4d29db588ecfc65df7ea92d6c23de4a20

  • SHA256

    238bd89de11cbe6b00e7bf57f13863394bed494b73d09570011f27b87270b51a

  • SHA512

    0e3beecff23c8d426d859758b5c9aa4490e5d47ea69e4301c73fe499bd6535ec8dfe22dae552c8e14203d78768cd2ccfb70f78e876de2ba4b2532cf502b40e4f

  • SSDEEP

    196608:xKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5:xmq/pkOYxehohbt

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:18194

soon-logical.gl.at.ply.gg:18194
Mutex

APoxCrOmNOvTLB4L

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    chrome.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XwormV5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\XwormV5.6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      PID:3112
    • C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'start.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3196
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    96e3b86880fedd5afc001d108732a3e5

    SHA1

    8fc17b39d744a9590a6d5897012da5e6757439a3

    SHA256

    c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

    SHA512

    909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    2253c665505da63342ef14dd8197f0b5

    SHA1

    466f37281031aea4ac775d9fb8e91489a85faf82

    SHA256

    27948dca356cfdff3a5480bdca63a66963505ad1bdc7ff42d1380bf418667436

    SHA512

    c45fd978256c168493b900ffddded099e0717068b772012bdebfcdcb2377f7a4adf2b968eb37125ed98fdcfb277c9f81fa02f90cfec60f4915d3027c27d7da0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    Filesize

    14.9MB

    MD5

    56ccb739926a725e78a7acf9af52c4bb

    SHA1

    5b01b90137871c3c8f0d04f510c4d56b23932cbc

    SHA256

    90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

    SHA512

    2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emqbxgz2.zeu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\start.exe
    Filesize

    39KB

    MD5

    51e4348a35c9b40b0136fa204442f9c2

    SHA1

    aea47a3a717ca9cce49966093def7d8f5a53709a

    SHA256

    a8047efe920772b13508683a7d80de379b0cf2dc40b39a9cd37f949de6a90479

    SHA512

    f15353f1b29ead57efe865935ef0cbd9efa2f0e81e47a92993279a59ea4174fde1e9bb2546c35deda6cfa641cfa0ecd58f8a2f6006f0589ce95553d7debfa3bd

    Download Submit

  • memory/1712-30-0x0000000000240000-0x0000000000250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1712-85-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1712-27-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1712-84-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1712-81-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2992-1-0x0000000000AA0000-0x0000000001256000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2992-2-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2992-28-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2992-0-0x00007FF9D97A3000-0x00007FF9D97A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3112-26-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3112-82-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3112-83-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3112-29-0x000001E0A6FC0000-0x000001E0A7EA8000-memory.dmp

    Filesize

    14.9MB

    Download

  • memory/3328-37-0x0000028D7A730000-0x0000028D7A752000-memory.dmp

    Filesize

    136KB

    Download