Overview

overview

10

Static

static

3

d079eeadd9...f5.exe

windows7-x64

10

d079eeadd9...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d079eeadd916559533a7789cdc3a5bdb06800ac937a74bb6d32445f58ec307f5.exe

  • Size

    66KB

  • MD5

    38b7ff17f563154a615410ae22573f13

  • SHA1

    eda84541084a7020b4b08c8696d8bde0dd4c7602

  • SHA256

    d079eeadd916559533a7789cdc3a5bdb06800ac937a74bb6d32445f58ec307f5

  • SHA512

    b87d58b8338f29278fb0563be72fc90c894b4206979f0f28897ebd384dcc5c2bba4112a031c24dcd18844d7765b904d0376767a72b65eee8b74b5d7a2c199e24

  • SSDEEP

    1536:3neHSDcksj3CGVAfBeVjFu/fWHE0uGxvV6PGE:3neHgfsjFVAfBcvceE

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

perfect-ringtones.gl.at.ply.gg:15597

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d079eeadd916559533a7789cdc3a5bdb06800ac937a74bb6d32445f58ec307f5.exe
    "C:\Users\Admin\AppData\Local\Temp\d079eeadd916559533a7789cdc3a5bdb06800ac937a74bb6d32445f58ec307f5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Roaming\Xclient.exe
      "C:\Users\Admin\AppData\Roaming\Xclient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Xclient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1192
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1620
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {76CEA43B-BB6F-4AEA-8D01-F8835D6050AA} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    078d6f0b1569133ce56280ed1ebcc2b7

    SHA1

    5dd1c007382a856d5fbd10c854bb4f962aca64b2

    SHA256

    fdd1219a8d998b3123b2fa566396e9773e94be60a5674ec9fd5af14b2e7cb894

    SHA512

    d5a2d94b5fdc1f3add756cec59b05c954fdf430c58ef43affa3573d5ea669604ce4358671eabaee59441142311a60d6490029fdaab79d9291ff95713c3906065

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Xclient.exe
    Filesize

    56KB

    MD5

    361befaf798238d6fa0eb9a33e6c0857

    SHA1

    eea78ed5fb05ca4cdd5b287b33d50226cd0586da

    SHA256

    b0b9917c1fbd92139d919ef85206a6503489a0327053700beee5f1819dec2404

    SHA512

    3704cab8c32a5a50f8c5c7b68eed3a45dcce89065177322767bbd08c0bd8e98db7c1af86bf86f93164c0d18eaba82935a1e88c4b2e376ea2ddbfb3ed5b6bc01e

    Download Submit

  • memory/1508-1-0x00000000009B0000-0x00000000009C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1508-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2564-15-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2564-14-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2816-7-0x0000000000DB0000-0x0000000000DC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-9-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2816-8-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2816-35-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2816-36-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3004-21-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3004-22-0x0000000001F40000-0x0000000001F48000-memory.dmp

    Filesize

    32KB

    Download