Overview

overview

10

Static

static

10

29e6ce9c6f...b9.exe

windows7-x64

10

29e6ce9c6f...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe

  • Size

    171KB

  • MD5

    3962793abf417f180767e5657f8be0b1

  • SHA1

    15b7f2cd937a6f910d64ec3c9ed82c9c84165bb2

  • SHA256

    29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9

  • SHA512

    735d24410d0ffc30471b1095b81efef0ea5a3c4bff7ed694ddea8f2335b57d16371a192792a72499cdf4f1443ac4ae077aee9b47806e01bdfe218346f527f625

  • SSDEEP

    3072:+0UcTmkb2YldqUOcs7Bz65/M6If+3Js+3JFkKeTno:sglbHOxBt25

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

warning-found.gl.at.ply.gg:29902

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7245901356:AAHYPFTv3LWcRGEqQpw-CbDblzq7UxWdbU8/sendMessage?chat_id=7538879815

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe
    "C:\Users\Admin\AppData\Local\Temp\29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2352
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E4F367AA-2C66-4D62-9ED4-DEAA650D9D38} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1348
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    76e6f7f0aa9ccaf6e17cf3fb6b3a46cd

    SHA1

    ac83761d908547125401b515f32e80830f7e2fd8

    SHA256

    61d5d12715c268ebf8f46debf4227eaf0c5f9bb6fde5cecedfdce0f4d4416ac0

    SHA512

    021394b4101d4a65f6f9468ff826e2799ed89f225f77fbb88ff3e4522b5d0ba11165dd9cdd2111580ef318ae8fddbb52e48b8021218dfa3cd56d546d53ff8e10

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XClient.exe
    Filesize

    171KB

    MD5

    3962793abf417f180767e5657f8be0b1

    SHA1

    15b7f2cd937a6f910d64ec3c9ed82c9c84165bb2

    SHA256

    29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9

    SHA512

    735d24410d0ffc30471b1095b81efef0ea5a3c4bff7ed694ddea8f2335b57d16371a192792a72499cdf4f1443ac4ae077aee9b47806e01bdfe218346f527f625

    Download Submit

  • memory/484-6-0x0000000001C30000-0x0000000001CB0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/484-7-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/484-8-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1348-33-0x0000000000AE0000-0x0000000000B10000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2316-28-0x000000001B480000-0x000000001B500000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2316-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2316-29-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2316-1-0x0000000001130000-0x0000000001160000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2316-34-0x000000001B480000-0x000000001B500000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2964-15-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2964-14-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download