Overview

overview

10

Static

static

10

uil.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uil.exe

  • Size

    34KB

  • MD5

    9a27af6e5ad0be342404fc36327274b9

  • SHA1

    fef9c5b16c357ce08e5146c751821a6bb635f5fa

  • SHA256

    19b4961b0fdcc4e320a6f2becd59f5918fc727db685140f64413a82f9235c962

  • SHA512

    811e46e0091b05d281b3d0bb1cd39278b4c20b606620be6de924b7936673d548145fb953b020ce08462f603fa59942762ec6894e7d4770a9307290b77965f56d

  • SSDEEP

    768:MiNxtIWYUcWXNmFdnf1COFy9jvOjhq/UZe:/xt3cWXYzzFy9jvOjkMZe

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

gLXBFwOrGsx6hRJl

Attributes
  • Install_directory

    %AppData%

  • install_file

    Edgeupdater.exe

  • pastebin_url

    https://pastebin.com/raw/MNz8CDNG

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uil.exe
    "C:\Users\Admin\AppData\Local\Temp\uil.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    PID:3408
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Edgeupdater.exe
    Filesize

    34KB

    MD5

    9a27af6e5ad0be342404fc36327274b9

    SHA1

    fef9c5b16c357ce08e5146c751821a6bb635f5fa

    SHA256

    19b4961b0fdcc4e320a6f2becd59f5918fc727db685140f64413a82f9235c962

    SHA512

    811e46e0091b05d281b3d0bb1cd39278b4c20b606620be6de924b7936673d548145fb953b020ce08462f603fa59942762ec6894e7d4770a9307290b77965f56d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Edgeupdater.lnk
    Filesize

    793B

    MD5

    a6397f58116fd30cd7995f7fc279be23

    SHA1

    eef57d8f5daafe31d360a39a208b79f2e6ed1acb

    SHA256

    1f5c09e527d2d0a715719ab7e2e76605d30ac23cf50717918c9cd8cd4bd3686f

    SHA512

    67c3e6495e0c97cd525cfbcbba5dad235ea1db8f4c40c21631977e0e02670d83680be6e61f8fba46e1d76272219ef20d8a92e3029d0158372a79efe4f95ae4b0

    Download Submit

  • memory/3408-0-0x00007FF9B1E03000-0x00007FF9B1E05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3408-1-0x00000000008A0000-0x00000000008AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3408-6-0x00007FF9B1E00000-0x00007FF9B28C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3408-7-0x00007FF9B1E03000-0x00007FF9B1E05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3408-8-0x00007FF9B1E00000-0x00007FF9B28C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4744-21-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-11-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-20-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-19-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-18-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-17-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-16-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-15-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-10-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-9-0x00000277B9B90000-0x00000277B9B91000-memory.dmp

    Filesize

    4KB

    Download