Overview

overview

10

Static

static

10

Doxgram.exe

windows7-x64

10

Doxgram.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doxgram.exe

  • Size

    80KB

  • MD5

    bee4a56d9ba0426d3c95dde1970f6429

  • SHA1

    2bfa99521d4a4f2ed6f9b457074ecf1fae7cd712

  • SHA256

    d6684b27eb3b9913fd9742bf3ce9c38e5f089211b0c105893e44eeaf79f691a2

  • SHA512

    294855ac413dec844467c23ddef1dd87334d0f83f5053a6e9e0b66f032d48e748351f4fa95e166d33c4385c4734d4f4af27365d3379d480a5b5a8ecb30e5f660

  • SSDEEP

    1536:NF423Du5xn5JrsFkAZb1SfMP0I6naOwi0Wasei/mH:NF42zux5WFkAZb14xaObRoH

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doxgram.exe
    "C:\Users\Admin\AppData\Local\Temp\Doxgram.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Doxgram.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Doxgram.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Doxgram.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Doxgram" /tr "C:\Users\Admin\AppData\Local\Doxgram.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2840
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E1E71DC3-1AFD-4A2F-81DC-26E44FE1C395} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Doxgram.exe
      C:\Users\Admin\AppData\Local\Doxgram.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Doxgram.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Doxgram.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Doxgram.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Doxgram" /tr "C:\Users\Admin\AppData\Local\Doxgram.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1996
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Doxgram"
        3⤵
          PID:2892
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB922.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:840
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Doxgram.exe
      Filesize

      80KB

      MD5

      bee4a56d9ba0426d3c95dde1970f6429

      SHA1

      2bfa99521d4a4f2ed6f9b457074ecf1fae7cd712

      SHA256

      d6684b27eb3b9913fd9742bf3ce9c38e5f089211b0c105893e44eeaf79f691a2

      SHA512

      294855ac413dec844467c23ddef1dd87334d0f83f5053a6e9e0b66f032d48e748351f4fa95e166d33c4385c4734d4f4af27365d3379d480a5b5a8ecb30e5f660

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpB922.tmp.bat
      Filesize

      154B

      MD5

      5a299845a9179a79ff9d1826e536c2c8

      SHA1

      09a9fc6112ccb030df03d2769643a7619228b259

      SHA256

      9b8366bf5d435796ede4a36f9f3b77c69c759d10632928744f939fa8c3b404e5

      SHA512

      587a6b1e4cd1c10bf8b3ef271225f75af750a26d56360670b8eae223883680d25de856b9f0f0ab97d7f16d8cf149a9e729a8914e42fc36ac5eb0577b4cf8e5c7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZPACFM73L1IWLX93J71N.temp
      Filesize

      7KB

      MD5

      371d3d945cb4ff8d44ecf47541dcecb2

      SHA1

      2039d9c4fd6e19035f6838f156d9c29ca229572f

      SHA256

      49ac6561382089de605ab315be700e9a169b93fef0e51cc82756b8390c9268c2

      SHA512

      99a575f20070a17bcc9051ecdabd8c30dddcbf36c9706f1309e14e3475167a7f4192706b31fc9f5ab692a7df7818b958b3225c8e3db4a4941b46a83b560b52bc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doxgram.lnk
      Filesize

      855B

      MD5

      bba50439aa151e7f6cbc1c0345e3e573

      SHA1

      8e9a6f799f24ac0353d0c9ed7dbe3475dea51424

      SHA256

      a5623662fa8be0f0011a5fb3e1c59f99265bf7c7ea5c85d8f03a9c262ac75c52

      SHA512

      56f6f75bd9949f3a188fe7be7191665670a20df169e6436a9de4988abf15c1e2eaa0b7e49e4e529f4f606ef7581032a498015b5fb2872a4cf4420c90ce4dba1b

      Download Submit

    • memory/1504-36-0x0000000000290000-0x00000000002AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1644-49-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1696-8-0x0000000002690000-0x0000000002698000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1696-6-0x00000000026D0000-0x0000000002750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1696-7-0x000000001B630000-0x000000001B912000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1956-43-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1956-42-0x000000001B870000-0x000000001BB52000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2612-30-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2612-31-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2612-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2612-29-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2612-1-0x00000000002D0000-0x00000000002EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2924-14-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2924-15-0x0000000002810000-0x0000000002818000-memory.dmp

      Filesize

      32KB

      Download