Overview

overview

10

Static

static

10

9465f48edb...05.exe

windows7-x64

10

9465f48edb...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/03/2025, 02:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05.exe

  • Size

    80KB

  • MD5

    39ffa7b287f2d822703a6deea560dcbd

  • SHA1

    34ae6406ec73ad02955cb7676b37489fdab1695b

  • SHA256

    9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05

  • SHA512

    7efa49f3c9ba846d6382e7683d64a5b00232c459028a177b07c0e4f28f06682bd3a219421a355515766007bee9e0dfcce5e243afba73290487057542a644cc40

  • SSDEEP

    1536:GeKbbG1+cDVWr5hLbwWV5hcEW07Z4E+bCXsEN9qtgq6rLs4ORpmcG1h:GeKbb60r5hLbwWVcPk1+b8JY4ORpmth

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

cause-indexes.gl.at.ply.gg:17210

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05.exe
    "C:\Users\Admin\AppData\Local\Temp\9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    bf6e9b1f014c95b10ee4be8233591bf0

    SHA1

    4bf49440113aa531a326d2edfdf40aeafeeb04fd

    SHA256

    4ba2dc4bda40eca3e2b03e1481700c26a3aca8ea67ad1471d4819100ed0ba1a2

    SHA512

    2c7d6007b4f734d8d9ac432f1e7e69738538f256ddc7993f1b50b54f35ce8b431c4f196f85506343ed8525cbb33bbab2c59a554024dadb41d60b838c5b9b1872

    Download Submit

  • memory/2216-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2216-1-0x0000000000C40000-0x0000000000C5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2216-31-0x000000001B210000-0x000000001B290000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2216-32-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2216-33-0x000000001B210000-0x000000001B290000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2804-6-0x0000000001E90000-0x0000000001F10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2804-7-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2804-8-0x0000000001D80000-0x0000000001D88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2872-14-0x000000001B790000-0x000000001BA72000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2872-15-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download