Analysis

  • max time kernel
    1036s
  • max time network
    1044s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/03/2025, 22:25

General

  • Target

    Output.exe

  • Size

    76KB

  • MD5

    3609d5f3be639dfe2c7f3f0e7401b388

  • SHA1

    f6720729a2af46c119922183b1932cff8cb2ff49

  • SHA256

    ef5217e1b0ebd6fc1a8a75de80230998c30f810be4b594ddc711a587c34e12f7

  • SHA512

    0aeb9abec472926d57e2441885cb88344ab5ff479149695ffc2ff394321b2b35301dd2b786d191fe9b8c67046a63baff46aa5c9a08c8934c0132483f46f99bca

  • SSDEEP

    1536:71DLyqLA3qC85n5kuObTDLyqIA3qC85n5kuZb72:71DLvLA385n5zO/DLvIA385n5zZe

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

192.168.1.3:9999

Mutex

0x6vtRiVIhgdKOaX

Attributes
  • install_file

    USB.exe

  • aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Roaming\XClie2nt.exe
      "C:\Users\Admin\AppData\Roaming\XClie2nt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4888
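The process tree above, together with the SHA256 values in the General and Downloads sections and the mutex and C2 from the extracted config, is a compact indicator set for this sample. The Python below is an added example for hunting those indicators on a host or on a mounted disk image; it is not the sandbox vendor's tooling and is not part of this report. Hash, path, mutex and C2 values are copied from the report. The `key="value"` process-event line format and the three sample events are constructed for illustration and are not any real product's log schema. One caveat a practitioner would want stated: the extracted C2 192.168.1.3:9999 is an RFC 1918 address, so this build was evidently pointed at a LAN host, and that network indicator has little hunting value outside that network; the example records it but does not hunt on it.

```python
"""Hunt for the indicators in this XWorm report on a host or mounted image.

Added example, not the sandbox vendor's tooling. Hash, path, mutex and C2
values are copied from the report; the process-event line format and the
sample events below are constructed and match no real product's schema.
"""
import hashlib
import re
import sys
from pathlib import Path

# SHA256 of the dropper and of the two payloads it writes to %AppData%\Roaming.
SHA256_IOCS = {
    "ef5217e1b0ebd6fc1a8a75de80230998c30f810be4b594ddc711a587c34e12f7": "Output.exe (dropper)",
    "933f628c9feaaa7264b39ac4b46b7451045840f3b5a0cf1bf5ab7a01cc7cab6d": "XClie2nt.exe (dropped)",
    "d30ef103972d2ad8920d95b16c406af4cdfb6cfd26a920bede3a7563c5d062b7": "XClient.exe (dropped)",
}
MUTEX = "0x6vtRiVIhgdKOaX"
# RFC 1918 address from the extracted config: a lab/test build. Recorded only;
# a hit on it would just mean some LAN host owns that address and port.
C2_HOST, C2_PORT = "192.168.1.3", 9999

# Drop location seen in the process tree. Separator-agnostic so the same
# pattern matches paths copied off a mounted image on a POSIX analysis box.
DROP_PATH_RE = re.compile(r"[\\/]AppData[\\/]Roaming[\\/]XClie\w*\.exe$", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"[\\/]AppData[\\/]Local[\\/]Temp[\\/]", re.IGNORECASE)


def sha256_file(path):
    """Stream the file so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return (path, reason) for files matching a known hash or the drop path."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in SHA256_IOCS:
            hits.append((str(p), "hash match: " + SHA256_IOCS[digest]))
        elif DROP_PATH_RE.search(str(p)):
            hits.append((str(p), "drop path match (hash unknown, verify manually)"))
    return hits


def parse_event(line):
    """Constructed 'key="value" key="value"' process-creation line -> dict."""
    return dict(m.groups() for m in re.finditer(r'(\w+)="([^"]*)"', line))


def flag_process_events(lines):
    """Flag a Temp-resident parent spawning an XClie*.exe child under Roaming,
    the parent/child relationship recorded in the report's process tree."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        parent, image = ev.get("parent", ""), ev.get("image", "")
        if TEMP_PATH_RE.search(parent) and DROP_PATH_RE.search(image):
            flagged.append((ev.get("pid"), image))
    return flagged


def mutex_present(name=MUTEX):
    """Windows only: True if the mutex exists in this session, False if not,
    None where the check cannot run. Assumes (not stated by the report) that
    the sample creates the mutex without a Global\\ prefix."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


# Constructed sample events, not sandbox output; the first two mirror the tree above.
SAMPLE_EVENTS = [
    'pid="4888" parent="C:\\Users\\Admin\\AppData\\Local\\Temp\\Output.exe" image="C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"',
    'pid="1036" parent="C:\\Users\\Admin\\AppData\\Local\\Temp\\Output.exe" image="C:\\Users\\Admin\\AppData\\Roaming\\XClie2nt.exe"',
    'pid="5000" parent="C:\\Windows\\explorer.exe" image="C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"',
]

if __name__ == "__main__":
    print(flag_process_events(SAMPLE_EVENTS))
    print("mutex present:", mutex_present())
    if len(sys.argv) > 1:
        for hit in scan_tree(sys.argv[1]):
            print(*hit, sep="\t")
```

Run it with a directory argument to hash-scan a mounted image or a user profile; without one it only evaluates the constructed events and the mutex check. The drop-path match is deliberately reported separately from a hash match, since the report shows two differently named payloads with different hashes, and a rebuilt client would have a new hash but very likely the same install location.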

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\XClie2nt.exe

    Filesize

    33KB

    MD5

    3e9272dbd6c68f0e34c615cc4c6ff14a

    SHA1

    adce5d14cf7d799fd1b21bb51fa6ba45bb9cb706

    SHA256

    933f628c9feaaa7264b39ac4b46b7451045840f3b5a0cf1bf5ab7a01cc7cab6d

    SHA512

    624220b3a924d5256f7b9e9f5d4816684d61fd570f78735f6e3702db5d82c9b51a8d1df2d50fb9f9c196b7244ff7da135adfb957c71aee4e257d732a8b0fa909

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    33KB

    MD5

    72e79fbac6daff0e93f1dc928f0c7a5b

    SHA1

    e9955d767ba0d559ac4eda0f4008731db8d31d34

    SHA256

    d30ef103972d2ad8920d95b16c406af4cdfb6cfd26a920bede3a7563c5d062b7

    SHA512

    0959fd5f602f5ff62b500730193cf130ffa388271d3135a6730554bba446619c38a7764b0d1618f1346ee70c3e903a984b06ee115453e8d05d46439e18f90189

  • memory/1036-27-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB

  • memory/1036-25-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

    Filesize

    56KB

  • memory/1036-30-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB

  • memory/1036-31-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB

  • memory/1036-33-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB

  • memory/1936-1-0x00000000009E0000-0x00000000009FA000-memory.dmp

    Filesize

    104KB

  • memory/1936-0-0x00007FFB007B3000-0x00007FFB007B5000-memory.dmp

    Filesize

    8KB

  • memory/4888-26-0x00000000000C0000-0x00000000000CE000-memory.dmp

    Filesize

    56KB

  • memory/4888-28-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB

  • memory/4888-29-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB

  • memory/4888-32-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp

    Filesize

    10.8MB
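The memory dump names above encode the owning PID and the dumped address range, and the listed Filesize is the size of that range. The Python below is an added example that parses those names, reproduces the report's size labels as a consistency check, and sorts the dumps into the ones worth pulling for an unpacked .NET payload; it is not sandbox tooling and not part of the report. The dump names are copied from the Downloads list. The classification is this example's own heuristic, not something the report states: a range that appears at an identical base in more than one process (0x00007FFB007B0000-0x00007FFB01271000 in PIDs 1036 and 4888) is a mapping every process loads, such as a system or runtime module, and a small range lying inside it (the 8KB dump of PID 1936) is a slice of the same module, so neither is where the payload lives. The small, process-unique, low-address ranges (56KB in 1036 and 4888, 104KB in 1936) are the candidates.

```python
"""Triage the memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries from this report.

Added example, not sandbox tooling. Dump names are copied from the report;
the shared/nested/candidate verdicts are this example's own heuristic.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the Downloads section above.
DUMPS = [
    "memory/1036-27-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
    "memory/1036-25-0x0000000000EF0000-0x0000000000EFE000-memory.dmp",
    "memory/1036-30-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
    "memory/1036-31-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
    "memory/1036-33-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
    "memory/1936-1-0x00000000009E0000-0x00000000009FA000-memory.dmp",
    "memory/1936-0-0x00007FFB007B3000-0x00007FFB007B5000-memory.dmp",
    "memory/4888-26-0x00000000000C0000-0x00000000000CE000-memory.dmp",
    "memory/4888-28-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
    "memory/4888-29-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
    "memory/4888-32-0x00007FFB007B0000-0x00007FFB01271000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, start, end and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a memory dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("empty or inverted range: " + name)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's labels: binary units, MB rounded to one decimal
    (0xAC1000 bytes -> 10.8MB, 0xE000 bytes -> 56KB)."""
    if n < 1 << 20:
        return f"{n / 1024:g}KB"
    return f"{n / (1 << 20):.1f}MB"


def triage(names):
    """Attach a size label and a verdict to every dump in the list."""
    dumps = [parse_dump_name(n) for n in names]
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    # Same range at the same base in several processes: a mapping they all load.
    shared = {rng for rng, pids in by_range.items() if len(pids) > 1}
    rows = []
    for d in dumps:
        rng = (d["start"], d["end"])
        if rng in shared:
            verdict = "shared mapping (same range in %d processes)" % len(by_range[rng])
        elif any(s <= d["start"] and d["end"] <= e for s, e in shared):
            verdict = "inside a shared mapping"
        else:
            verdict = "process-unique, candidate unpacked payload"
        rows.append({**d, "human": human_size(d["size"]), "verdict": verdict})
    return rows


def candidates(names):
    """Distinct (pid, start, end) ranges worth extracting, smallest first."""
    uniq = {(r["pid"], r["start"], r["end"]) for r in triage(names) if r["verdict"].startswith("process-unique")}
    return sorted(uniq, key=lambda t: (t[2] - t[1], t[0]))


if __name__ == "__main__":
    for r in triage(DUMPS):
        print(f'{r["pid"]:>5} {r["seq"]:>3} 0x{r["start"]:016X}-0x{r["end"]:016X} {r["human"]:>7}  {r["verdict"]}')
    print("pull first:", [(pid, hex(s), hex(e)) for pid, s, e in candidates(DUMPS)])
```

The size labels it computes agree with every Filesize in the list, which confirms the naming convention before anything is built on it. Each candidate region here is a few KB larger than the 33KB payload files on disk, which is what a mapped PE image (section alignment, plus headers) looks like, so those three dumps are the ones to carve and compare against the dropped XClient.exe and XClie2nt.exe.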