Overview

overview

10

Static

static

10

wave.executor.exe

windows7-x64

10

wave.executor.exe

windows10-2004-x64

Analysis

  • max time kernel
    43s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 23:23

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    wave.executor.exe

  • Size

    79KB

  • MD5

    810d912112f579781879ada392b70a53

  • SHA1

    247bc212d2d44184bae484049765240ac9fa5c32

  • SHA256

    aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939

  • SHA512

    30fb6d77563a3a0d6b94a9ea9fc2f67c6dda3dc3ac2afd4e968ec998f2eabd1797d751fdac491a979e68301efc633c47fb2668a8abd0c5f0dcff6d12ed8ead0e

  • SSDEEP

    1536:N/SpZjwaZD0YqEnwqaDrMk+bXxNEPZSBVGGmMRZOf4miljMt8xwR2:CEYqEwjrv+bB8DMRZOf4m8M+a2

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

daily-sexually.gl.at.ply.gg:25670

Attributes
  • Install_directory

    %AppData%

  • install_file

    Update.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wave.executor.exe
    "C:\Users\Admin\AppData\Local\Temp\wave.executor.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3596
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk
    Filesize

    766B

    MD5

    3f69f6477e5485eb5bcbd8002c0e0126

    SHA1

    5dfbd5bf999c7cbae0a09f76114c827cae01d396

    SHA256

    91cbc1cbcc7c5bc7347c487d162424cb970d1bbeab6ad0e393ad8666cfa1d92c

    SHA512

    0aed5cb8902a4bfb5f7e345bed4c48c290a68d942d4cf89c4808c20f8e770cc24caec900eee08a01eed39713f789d0372ced4480e98e497b96cd561c9a7af101

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Update.exe
    Filesize

    79KB

    MD5

    810d912112f579781879ada392b70a53

    SHA1

    247bc212d2d44184bae484049765240ac9fa5c32

    SHA256

    aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939

    SHA512

    30fb6d77563a3a0d6b94a9ea9fc2f67c6dda3dc3ac2afd4e968ec998f2eabd1797d751fdac491a979e68301efc633c47fb2668a8abd0c5f0dcff6d12ed8ead0e

    Download Submit

  • memory/3596-1-0x0000000000D30000-0x0000000000D4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3596-6-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3596-7-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3596-8-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3596-20-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3596-38-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3596-0-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4524-25-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-34-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-33-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-32-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-31-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-30-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-29-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-35-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-24-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4524-23-0x0000023556EE0000-0x0000023556EE1000-memory.dmp

    Filesize

    4KB

    Download