Overview

overview

10

Static

static

10

305a039e94...33.exe

windows7-x64

10

305a039e94...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33.exe

  • Size

    199KB

  • MD5

    cc6a07e8eb3c8dea437966454382bcf8

  • SHA1

    3bc8c0e5dff8562047bc05aea555c35f7e47d9b1

  • SHA256

    305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33

  • SHA512

    cb7864f782c157c1d35c0403f06469800922ef626dae9493136215e535e3cbb3cca640110e93ee674719b47770456c7dbb1f0cc2daf13a7bc58ea9b676ee1038

  • SSDEEP

    3072:OF71uyVqkbwzBYOw5TJBlFYmHl5rbxBo:Oh19VxbwS9vYmFT

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:52585

oil-calculated.gl.at.ply.gg:52585
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33.exe
    "C:\Users\Admin\AppData\Local\Temp\305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1936
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AFB2F5DB-347C-4FD0-B448-F0F0B8D329F0} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    735f43360880ae14d2cae4faf89d200e

    SHA1

    0789b731e47659656eecf4c5f756622e2f57eb27

    SHA256

    7f4f5e0bc3e055feb1d54382c1a58059a364aaed21b09b49e415ebaa0fdc70b4

    SHA512

    d20c317b1cee79e63b24c711016634f11a6c3615178cd9e849970762fb349758f6a507360366020cd728816ef53c8eb07c0213d881c523ba5f81bf49439bf2a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XClient.exe
    Filesize

    199KB

    MD5

    cc6a07e8eb3c8dea437966454382bcf8

    SHA1

    3bc8c0e5dff8562047bc05aea555c35f7e47d9b1

    SHA256

    305a039e946b1940b70a70da8a01708263ed8cfa5f68252bd6cff1fde16eaa33

    SHA512

    cb7864f782c157c1d35c0403f06469800922ef626dae9493136215e535e3cbb3cca640110e93ee674719b47770456c7dbb1f0cc2daf13a7bc58ea9b676ee1038

    Download Submit

  • memory/1056-40-0x00000000010B0000-0x00000000010E8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2700-15-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2700-14-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2808-7-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2808-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2808-6-0x0000000002BB0000-0x0000000002C30000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2888-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2888-31-0x000000001AFB0000-0x000000001B030000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2888-32-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2888-37-0x000000001AFB0000-0x000000001B030000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2888-1-0x0000000001030000-0x0000000001068000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2948-36-0x0000000000EA0000-0x0000000000ED8000-memory.dmp

    Filesize

    224KB

    Download