Overview

overview

10

Static

static

1

vt0.msi

windows7-x64

6

vt0.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2025, 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vt0.msi

  • Size

    39.9MB

  • MD5

    58729f548d660722ab09292e15a0fe45

  • SHA1

    8a29bb19fd4f42fc4ef1af32d65265fb152b6f99

  • SHA256

    a6382c10dfd269e3315fe4cdfb158c00aea1a179450cf3d3b633acf7e2123d74

  • SHA512

    fa75ab3e28d829f39b14fd9e490d7247e102a81ff668468bd44cfc9c553e1f44d7df9d71d8e4517cdd086e23bae192ee1cad0ca96c57f465c4e8dc4ee539e0e2

  • SSDEEP

    786432:CueucOCp8Ax4Hl/wBg1z9/XUbEBWExPRXG5pYolpXOUGPY9E9jzfGnHvga4I8Q:Cue3NpJx4tRz9CoPRXWYHHNJbGnP

Score
10/10
xwormdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.197.33.29:7000

Mutex

3MKBwUt55yRv3NZh

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\vt0.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:464
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 58273DAC7768D2F20BFC21689F075456 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Program Files (x86)\Firefox-latest\Firefox-latest\wininstall.exe
        "C:\Program Files (x86)\Firefox-latest\Firefox-latest\wininstall.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Windows\system32\schtasks.exe
          "schtasks" /Query /TN SysMaintenanceService
          4⤵
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$action = New-ScheduledTaskAction -Execute 'C:\\Program Files (x86)\\Firefox-latest\\Firefox-latest\\wininstall.exe'; $trigger = New-ScheduledTaskTrigger -AtLogon -User 'Admin'; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 0) -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) -RunOnlyIfNetworkAvailable; $principal = New-ScheduledTaskPrincipal -UserId 'Admin' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -TaskName 'SysMaintenanceService' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2708
          • C:\Windows\system32\schtasks.exe
            "schtasks" /Query /TN SysMaintenanceService
            4⤵
              PID:1640
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 4C0F6A09A6E8802DBB724C131CC920C7
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:516
        • C:\Windows\Installer\MSI3273.tmp
          "C:\Windows\Installer\MSI3273.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\Firefox-latest\Firefox-latest\Firefox-latest.exe"
          2⤵
          • Executes dropped EXE
          • Access Token Manipulation: Create Process with Token
          PID:4484

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e592e6a.rbs
        Filesize

        8KB

        MD5

        b03be0a96fe02f35c5067371ebaf2de3

        SHA1

        0d24a449f25cd9c7478c8cf28f12edcf112f8fb3

        SHA256

        8fa5d18ef0fd32d40796340e251252b00bdb6a19854676cc74cde991cdd6e214

        SHA512

        a17ed64ed003cbbc7ae64484664d3790773bd3b624898efeb816bf851565c7cf0b31250f8c623e6881a3131e629a67d6dee96e78834ac1790f3d556bd7836947

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSI5493.tmp
        Filesize

        381KB

        MD5

        891de63dad09d3f100263727297e9205

        SHA1

        aeb1c23ab5014dca9d5208afe96585b40ac2a27e

        SHA256

        96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50

        SHA512

        f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSI57E4.tmp
        Filesize

        828KB

        MD5

        7f335df3a986fe5e0ee5d482f309aea6

        SHA1

        919c0c558eacc6ec0eefb053143034ebddc62aaf

        SHA256

        f9b5641d0c863da052f8a42c075cc006768fcee9c67e6721571a795c25f42746

        SHA512

        e18b68865514a03b52a3a76ffba62884ed10f0443774dd1647f8ecde71117fd5fbd9cc377a9a3c777366b205f8a88f9f9b4aa32df2ccdf26f0110d06253678e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4qiqi2a.suz.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Windows\Installer\MSI3273.tmp
        Filesize

        517KB

        MD5

        028c9c708d810aba9603b63a8283d014

        SHA1

        ed4724e84c4ceb6a1619d34cc06369a1ab4d3d7d

        SHA256

        67504c94e46e70980cc5bbc0ea926e01fbd6116560304029261e2455004dc098

        SHA512

        9262da976a064732f8d12301d178d65d6df90c195937ff6e882c9de781d2ecabc3594cd71a1490b5c69b1c85da3c8bac8e4cee080f1055bcf51e50318f9e8d5f

        Download Submit

      • C:\Windows\Installer\e592e69.msi
        Filesize

        39.9MB

        MD5

        58729f548d660722ab09292e15a0fe45

        SHA1

        8a29bb19fd4f42fc4ef1af32d65265fb152b6f99

        SHA256

        a6382c10dfd269e3315fe4cdfb158c00aea1a179450cf3d3b633acf7e2123d74

        SHA512

        fa75ab3e28d829f39b14fd9e490d7247e102a81ff668468bd44cfc9c553e1f44d7df9d71d8e4517cdd086e23bae192ee1cad0ca96c57f465c4e8dc4ee539e0e2

        Download Submit

      • memory/2708-84-0x0000020BF34A0000-0x0000020BF34C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4356-91-0x000002239D660000-0x000002239D670000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-92-0x000002239EEF0000-0x000002239EEFE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4356-93-0x00007FF77AA90000-0x00007FF77FD6E000-memory.dmp

        Filesize

        82.9MB

        Download