Overview

overview

10

Static

static

3

Rexon-Paid...or.exe

windows7-x64

10

Rexon-Paid...or.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2025, 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rexon-Paid_Executor.exe

  • Size

    1.9MB

  • MD5

    767e47b7200526d6d7b9f82d7d350523

  • SHA1

    7c3c57726639fd44cab7a0014e5cad278386cb6f

  • SHA256

    463d3278d31d58a43d7ee5716fc7040ca7f454778ff82595ae67e416a7219b0d

  • SHA512

    a467c77065293aca2c6bebc3c84c6b5584bd808cf7c8fe53794f02224a401eaebac7b7255ae1ef7081bc17b57abd1116e47a51b87b0f02bc41668f702da139f4

  • SSDEEP

    49152:ZCCiwOpZt1fyR59Z48fjQs9vlaEaBf6xxCWFWV/:gHjpAfrQw9i6xIWFc/

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

display-equivalent.gl.at.ply.gg:12744

Mutex

SkjG4THxcPjCb6Fx

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rexon-Paid_Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Rexon-Paid_Executor.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Roaming\Rexon-Paid_Executor.exe
      "C:\Users\Admin\AppData\Roaming\Rexon-Paid_Executor.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\BAZINGA.mp4"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:224
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x514 0x51c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\BAZINGA.mp4
    Filesize

    1.8MB

    MD5

    08a7079e32a92cc7daf474bfdfa5fe93

    SHA1

    f001555edb196d52cfe8b15f8b02beb98fd85c26

    SHA256

    5cf8689e1f429a23c74937fefb19e64e24870d37cd9856c2207b5dc9ee574fbd

    SHA512

    8115c8957427c479daf7f2a6ff97512c31bc781f7dc264acb58c976945f16cb854e1540e93483c4e3512b0a61fdcaa8ee67933820f04e549fb17ec1dcd86b091

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Rexon-Paid_Executor.exe
    Filesize

    47KB

    MD5

    1142855d6cfd0deb6799a776fd04074f

    SHA1

    5206e413c09808dcfd996c7e1f570827f596b0d2

    SHA256

    e38aa74da26c6d44a18639403ebe1d5a5ccf1aa4afd165983d8ee78861abb5d4

    SHA512

    3640fbacdfed60e29ef21d8fea56db5dab82eafec9d0dcdcd500c77c448b4a9f46ddbc0047681d6048bd7446dd481284a922755b1251e0cf17533094b2e8cd0e

    Download Submit

  • memory/224-42-0x00007FFB05290000-0x00007FFB0549B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/224-47-0x00007FFB17B20000-0x00007FFB17B31000-memory.dmp

    Filesize

    68KB

    Download

  • memory/224-89-0x00007FFB03D30000-0x00007FFB04DE0000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/224-79-0x00007FFB04FD0000-0x00007FFB05286000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/224-65-0x00007FFB03D30000-0x00007FFB04DE0000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/224-32-0x00007FF79FCA0000-0x00007FF79FD98000-memory.dmp

    Filesize

    992KB

    Download

  • memory/224-33-0x00007FFB1C2D0000-0x00007FFB1C304000-memory.dmp

    Filesize

    208KB

    Download

  • memory/224-41-0x00007FFB181E0000-0x00007FFB181F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/224-40-0x00007FFB18200000-0x00007FFB1821D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/224-34-0x00007FFB04FD0000-0x00007FFB05286000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/224-39-0x00007FFB1B1E0000-0x00007FFB1B1F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/224-38-0x00007FFB1B200000-0x00007FFB1B217000-memory.dmp

    Filesize

    92KB

    Download

  • memory/224-37-0x00007FFB1B2B0000-0x00007FFB1B2C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/224-43-0x00007FFB180F0000-0x00007FFB18131000-memory.dmp

    Filesize

    260KB

    Download

  • memory/224-55-0x00007FFB04FD0000-0x00007FFB05286000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/224-45-0x00007FFB181B0000-0x00007FFB181D1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/224-44-0x00007FFB03D30000-0x00007FFB04DE0000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/224-49-0x00007FFB177A0000-0x00007FFB177B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/224-48-0x00007FFB177C0000-0x00007FFB177D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/224-50-0x0000018B1CC60000-0x0000018B1CDCB000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/224-36-0x00007FFB1C7F0000-0x00007FFB1C807000-memory.dmp

    Filesize

    92KB

    Download

  • memory/224-46-0x00007FFB17B40000-0x00007FFB17B58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/224-35-0x00007FFB1CE90000-0x00007FFB1CEA8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2512-51-0x00007FFB08620000-0x00007FFB090E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2512-52-0x00007FFB08620000-0x00007FFB090E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2512-16-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2512-31-0x00007FFB08620000-0x00007FFB090E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2512-20-0x00007FFB08620000-0x00007FFB090E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3528-0-0x00007FFB08623000-0x00007FFB08625000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3528-1-0x0000000000800000-0x00000000009E4000-memory.dmp

    Filesize

    1.9MB

    Download