Overview

overview

10

Static

static

5

WEN.exe

windows7-x64

10

WEN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2025, 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WEN.exe

  • Size

    954KB

  • MD5

    64100e4131cedaf6a889f560bc1e1c9b

  • SHA1

    55f98aa796e01cea2cfd714770d974b9316bd848

  • SHA256

    d4746c577ffb7985fc33252c77365679a6a39b68e4c0f3c60fd27d34a7539ebe

  • SHA512

    ebcd5712c614a57dbb29539c8271b8adb23ab4615aa5b239b8eb59ef8fab458cd20154befcdb7fbdea19e7650ed14a14c8822662ffb70f4dba3e2a4e2d4177ad

  • SSDEEP

    24576:+u6J33O0c+JY5UZ+XC0kGso6FaOYF0DuyKWY:Qu0c++OCvkGs9FaOnqmY

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

176.96.137.181:2222

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient2.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WEN.exe
    "C:\Users\Admin\AppData\Local\Temp\WEN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\surmit\sulfhydrate.exe
      "C:\Users\Admin\AppData\Local\Temp\WEN.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\WEN.exe"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4232
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5056
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient2.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4184
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3988
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient2" /tr "C:\Users\Admin\AppData\Roaming\XClient2.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1796
  • C:\Users\Admin\AppData\Roaming\XClient2.exe
    C:\Users\Admin\AppData\Roaming\XClient2.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4952
  • C:\Users\Admin\AppData\Roaming\XClient2.exe
    C:\Users\Admin\AppData\Roaming\XClient2.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient2.exe.log
    Filesize

    142B

    MD5

    8c0458bb9ea02d50565175e38d577e35

    SHA1

    f0b50702cd6470f3c17d637908f83212fdbdb2f2

    SHA256

    c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

    SHA512

    804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    72047861a7e1b401b9292d9f82c76872

    SHA1

    3b86b8b24c6ea06e31d8191e9793d21e8e1edbce

    SHA256

    9da87165552c895cd3cd74b0071907f50c55094f7019720585082cff3609270e

    SHA512

    fd1d6f59c68cdac3c4da9d7faa90923032bc3d24672adb37e27c2f80d6a18b8e39b30a7b3b61c740d2e15dc1745e181dffb83f759332936afd76d20c7aa97c05

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    e88057240b40ad3deab8dbed408091b2

    SHA1

    d9cbb2c60ccc1e2a5fa4ca4ed8c6c7d11fb646f2

    SHA256

    81b5257812cbd7c19b77b4509dc4f56f7deed8351728ff6840b629b9f2e84d72

    SHA512

    ac58c710b336fbdbcde832254fd48f7d23d36c3e9e493e962e16ad8be3cd6f14773b871cd5d2c14a4eafd1984a9f974a22446a9e1926163f75f8baac07a851eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    fac059df3f7c5c55a4357cb5c2739fb5

    SHA1

    1730ac45abe14f887270be06e961ff6973c753ba

    SHA256

    17c6cedac35c01e7fa7ba65fbc9439b2e4dd1032e9bea2336bb3fd37604c44c2

    SHA512

    021a7aaf5bae9bca786426afa63fd45694bd8fbe14a32708daa6ff2f40b0b5b26f90b420585fba2e6e903fd6f45ca9c44761179ef242700348089fd9d47ddd07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fjnyxqr.uaz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\surmit\sulfhydrate.exe
    Filesize

    954KB

    MD5

    64100e4131cedaf6a889f560bc1e1c9b

    SHA1

    55f98aa796e01cea2cfd714770d974b9316bd848

    SHA256

    d4746c577ffb7985fc33252c77365679a6a39b68e4c0f3c60fd27d34a7539ebe

    SHA512

    ebcd5712c614a57dbb29539c8271b8adb23ab4615aa5b239b8eb59ef8fab458cd20154befcdb7fbdea19e7650ed14a14c8822662ffb70f4dba3e2a4e2d4177ad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XClient2.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • memory/1192-5-0x0000000001040000-0x0000000001044000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3620-133-0x0000000005B20000-0x0000000005BB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3620-134-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3620-19-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3620-132-0x0000000074F90000-0x0000000075740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3620-131-0x0000000005DA0000-0x0000000006344000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3620-135-0x0000000074F90000-0x0000000075740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3620-17-0x00000000003D0000-0x00000000003EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3620-84-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3620-18-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3988-116-0x0000000070450000-0x000000007049C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4184-95-0x0000000070450000-0x000000007049C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4232-38-0x0000000070450000-0x000000007049C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4232-48-0x00000000064E0000-0x00000000064FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4232-54-0x0000000007440000-0x0000000007451000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4232-55-0x0000000007470000-0x000000000747E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4232-56-0x0000000007480000-0x0000000007494000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4232-57-0x0000000007580000-0x000000000759A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4232-58-0x0000000007560000-0x0000000007568000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4232-52-0x00000000072B0000-0x00000000072BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4232-21-0x0000000005190000-0x00000000057B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4232-51-0x0000000007240000-0x000000000725A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4232-22-0x0000000005070000-0x0000000005092000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4232-50-0x0000000007880000-0x0000000007EFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4232-49-0x0000000007120000-0x00000000071C3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4232-53-0x00000000074C0000-0x0000000007556000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4232-20-0x0000000000D60000-0x0000000000D96000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4232-37-0x00000000070E0000-0x0000000007112000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4232-36-0x0000000005F50000-0x0000000005F9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4232-35-0x0000000005F10000-0x0000000005F2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4232-34-0x0000000005B30000-0x0000000005E84000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4232-23-0x0000000005870000-0x00000000058D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4232-24-0x00000000058E0000-0x0000000005946000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4952-138-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4952-139-0x0000000005520000-0x000000000555C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4952-140-0x0000000002EC0000-0x0000000002EE1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5056-73-0x0000000070450000-0x000000007049C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5056-71-0x0000000005B70000-0x0000000005EC4000-memory.dmp

    Filesize

    3.3MB

    Download