Overview

overview

10

Static

static

3

UPS tracki...ls.exe

windows7-x64

7

UPS tracki...ls.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2025, 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UPS tracking details.exe

  • Size

    851KB

  • MD5

    28badf3eb1aa6ce975fee86e6ec1dc14

  • SHA1

    8f19c7dbdde308e463b0412d73ea7083b1bcc816

  • SHA256

    7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e

  • SHA512

    eb5da8590065d4a289c75c4f3d3124ecc854398a7e846ddb2c2aec5d136817e393ce8881c539b08d0f3eee79e56ccab5dbe0e57054eccbe97769189cc73f356e

  • SSDEEP

    12288:vWMnQ1Kfk7AEYQCJSsFlsIQfYl2N3qWkj9d/qArFK6eNXwC94EBTR+:uj7AEYQCQaKbA63+jPqAUNXjBBT0

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

56TvElZMbqDoRvU7

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\UPS tracking details.exe
        "C:\Users\Admin\AppData\Local\Temp\UPS tracking details.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:492
      • C:\Users\Admin\AppData\Local\Temp\UPS tracking details.exe
        "C:\Users\Admin\AppData\Local\Temp\UPS tracking details.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Users\Admin\AppData\Local\Temp\xciqtd.exe
          "C:\Users\Admin\AppData\Local\Temp\xciqtd.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:692
      • C:\Users\Admin\AppData\Local\Temp\xciqtd.exe
        "C:\Users\Admin\AppData\Local\Temp\xciqtd.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:5352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\xciqtd.exe
      Filesize

      851KB

      MD5

      c0a50e2d3eeaea373b5a9f5b029b7487

      SHA1

      118a21295bfa0e6f6aad3ef8dffed967028872c8

      SHA256

      5ed36ab3f8243cc7adcbae0f26759e1877643b553e744f800e3dc3561a315586

      SHA512

      35e14aa13c2f01bf85f756ca81b5f6de7f3665830ad919772efd6128a082d476c8cfe5a7b8d659d10aaae7fba7a704e99ec3059c8c477a2970f68cc241f765f2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remaining.vbs
      Filesize

      84B

      MD5

      653f5c1d2324fc1b05ef57c9cbb50aef

      SHA1

      211d276ced44ccb913c6dc3b0c105ec9ba05a1ba

      SHA256

      6d5c05293e79f123a27b49d29ecba56c92906d7011659d088e52fe4267cb434b

      SHA512

      7da31cc32d8b45c18819c1c13166a22c4909ff602ff7ae1658b295360d823dc6b2ef6a00f5fda5b21e037dfff7627dce8126eb6c366ac443755fa63f9407bee7

      Download Submit

    • \??\c:\users\admin\appdata\roaming\remaining.exe
      Filesize

      851KB

      MD5

      6164d0754f346ce79cc3aded624b574f

      SHA1

      eeee2ab483fc7d301b4936891c4160e1c38609dc

      SHA256

      21510f702e7c54434cd5d11912029c579721d8a59cde4f229f3472a98dfb0a69

      SHA512

      c38147be7159e86a7470147659b5bea6be8db33a7bdb823ffa1ce358a0ef64543a7ae5297c09c057d40588184f5da9f5e29d83e7ea446877130e06f992324056

      Download Submit

    • memory/492-19-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-9-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-4-0x0000000005450000-0x000000000545A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/492-5-0x0000000005DB0000-0x0000000005EB0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/492-6-0x0000000006460000-0x0000000006A04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/492-7-0x0000000005F90000-0x0000000006022000-memory.dmp

      Filesize

      584KB

      Download

    • memory/492-8-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-17-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-16-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-71-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-69-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-67-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-63-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-61-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-59-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-57-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-55-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-53-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-51-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-49-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-47-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-45-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-43-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-41-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-39-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-11-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-35-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-33-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-31-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-29-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-27-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-25-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-21-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-2-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-65-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-3-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-37-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-13-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-23-0x0000000005DB0000-0x0000000005EAB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/492-1330-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1331-0x0000000006180000-0x00000000061DC000-memory.dmp

      Filesize

      368KB

      Download

    • memory/492-1332-0x0000000006350000-0x00000000063A8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/492-1333-0x0000000006AA0000-0x0000000006AEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/492-1334-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/492-1335-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1336-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1337-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1338-0x0000000006AF0000-0x0000000006B44000-memory.dmp

      Filesize

      336KB

      Download

    • memory/492-1344-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1347-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1350-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1349-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-1346-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/492-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/492-1-0x0000000000A80000-0x0000000000B5C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/692-1369-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/692-2699-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/692-2710-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/692-1370-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/692-1373-0x0000000006080000-0x00000000061C2000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/692-2696-0x00000000064B0000-0x000000000654C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/692-2697-0x00000000066A0000-0x0000000006738000-memory.dmp

      Filesize

      608KB

      Download

    • memory/692-1372-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/692-1371-0x0000000005740000-0x000000000574A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/692-1368-0x0000000000E70000-0x0000000000F4C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/692-2698-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1660-1353-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1660-1352-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1660-1351-0x00000000003E0000-0x00000000003EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1660-1354-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1660-1355-0x0000000074C60000-0x0000000075410000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1660-1356-0x0000000005270000-0x00000000052D6000-memory.dmp

      Filesize

      408KB

      Download