Overview

overview

10

Static

static

10

36.exe

windows7-x64

3

36.exe

windows10-2004-x64

3

Enalib.exe

windows7-x64

10

Enalib.exe

windows10-2004-x64

10

RDriver.exe

windows7-x64

8

RDriver.exe

windows10-2004-x64

8

SDriver.exe

windows7-x64

3

SDriver.exe

windows10-2004-x64

3

T.exe

windows7-x64

10

T.exe

windows10-2004-x64

10

autoruns.exe

windows7-x64

3

autoruns.exe

windows10-2004-x64

3

e.exe

windows7-x64

10

e.exe

windows10-2004-x64

10

fake jpg shit.lnk

windows7-x64

10

fake jpg shit.lnk

windows10-2004-x64

10

fake photo.lnk

windows7-x64

3

fake photo.lnk

windows10-2004-x64

7

noyjhoadw.exe

windows7-x64

10

noyjhoadw.exe

windows10-2004-x64

10

unins000.exe

windows7-x64

3

unins000.exe

windows10-2004-x64

3

use for by...ck.exe

windows7-x64

8

use for by...ck.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    T.exe

  • Size

    28KB

  • MD5

    78fc1101948b2fd65e52e09f037bac45

  • SHA1

    ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44

  • SHA256

    d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2

  • SHA512

    e89ffe3f5e15bbffd0cacf596439b622827fa9ca5eac2fcfd6617b84660673df18a0b50f27fda04310204f7501819865c54dc60a2ee092af8d5ce83ce4d048f4

  • SSDEEP

    768:yQJGNK7vTOcsLqtcD9CHCQyYF4i5+kQjj3:9JGm6sHCQPMZjT

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

WlO6Om8yfxIARVE4

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/7G6zzQwJ

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\T.exe
    "C:\Users\Admin\AppData\Local\Temp\T.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3duo4dor.opb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3696-32-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3696-10-0x00000000753AE000-0x00000000753AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-3-0x0000000005790000-0x0000000005822000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3696-4-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3696-5-0x0000000005850000-0x000000000585A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3696-6-0x0000000005A60000-0x0000000005AD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3696-7-0x0000000007930000-0x000000000794E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3696-8-0x00000000079A0000-0x00000000079C8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3696-43-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3696-1-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3696-33-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3696-12-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3696-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-31-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3696-2-0x0000000005DF0000-0x0000000006394000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3696-30-0x00000000079E0000-0x00000000079EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3696-9-0x0000000007AD0000-0x0000000007B6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4232-17-0x0000000004BE0000-0x0000000004C02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4232-16-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4232-19-0x00000000055B0000-0x0000000005616000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4232-29-0x0000000005720000-0x0000000005A74000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4232-18-0x0000000004D00000-0x0000000004D66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4232-11-0x00000000025B0000-0x00000000025E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4232-14-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4232-34-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4232-13-0x0000000004E80000-0x00000000054A8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4232-35-0x0000000006150000-0x000000000619C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4232-36-0x0000000006B80000-0x0000000006C16000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4232-37-0x0000000006010000-0x000000000602A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4232-38-0x0000000006080000-0x00000000060A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4232-42-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4232-15-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download