Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
04/03/2025, 08:08
General
-
Target
FFDOC-2025210pdf.exe
-
Size
319KB
-
MD5
d8ea07f0f0072e6ae8ac3b7996941eb7
-
SHA1
24a6d36259ca0d0c89f46411da822a7f2683beaf
-
SHA256
6857d59d1179d9e3745115f7e08cde964c3cee54bb91fd891bba282fe226eb2b
-
SHA512
7c44f2746117f35e8bd8cf40327390edfd7a33650a42f3a8e110de3f1eac02649ec50988c9be956968627af0682e22edbfa442fbf6f206a770c086289d88bbd3
-
SSDEEP
6144:Lyh4ZwGcFZxO4MvaL7eS7sZXl1YoEhVJGfT/zoMWk:LaZc4MBS7s6sfXotk
Malware Config
Extracted
xworm
5.0
56TvElZMbqDoRvU7
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210pdf.exe"C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210pdf.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210pdf.exe"C:\Users\Admin\AppData\Local\Temp\FFDOC-2025210pdf.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\imzluw.exe"C:\Users\Admin\AppData\Local\Temp\imzluw.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\irurcy.exe"C:\Users\Admin\AppData\Local\Temp\irurcy.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\imzluw.exe"C:\Users\Admin\AppData\Local\Temp\imzluw.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\irurcy.exe"C:\Users\Admin\AppData\Local\Temp\irurcy.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
321KB
MD55138a5678f8982621ea73a6335b7b38b
SHA18c2d602d5666b03fbc3ec1decce2b28d6bd7ca5f
SHA256ebb556e873ef35d93c5c62404263659ac3f2604cea643015f29fee85c3a3a167
SHA512289732f4ab4a7bae27b24e6d272832f0d43824f3dc03c1554b5c8cf1a24f0f25d18ae794c3ece142716b3e82319a3317a17f909af780ae258fc2a9d831f7ef50
-
Filesize
321KB
MD562e28c115b73a2b918fe4a33148f36e4
SHA10601aba05513fdf160a9f10a92dca288bb0cd981
SHA256d0e058ee5585d906c9dab04a5399cedbec52a97416e201f59714d8da7d99b3b3
SHA51217af001fe8c5411b44fe0384471ab86de58fcc4620b0205fa47d9968b861bbcd7644f0876dfe6d3559cef88b0a294d71ebf695aaeccf1d5f71b098595497fe9d
-
Filesize
82B
MD589d8c2a9f15a247516fed10895467a3b
SHA1b411d417c30da83dfbd39ecc44f0dde0529fdeaf
SHA2567b5f7caf04bbc0eeef94c49e6bbef4b40253724c893c3055215974c730413aa5
SHA512f6a0652703cc6f0d1329b8cdd8414246df9801390a779cf38c49e3be080e709bd6b96f7de80a8f36e918ba35a50ec0a8cf916d523961338312d8ac7937ca676d
-
Filesize
321KB
MD5452984f98fdad49b2077f586842d3fe8
SHA1a285ca52d31785be9c1e0b4794432f090a17d614
SHA2568ce5dea53cccf5c37f4b0452952b15e90965bb8120a32fd312ed6e4df67f8b76
SHA5126ff4905e421637e8672c8a498ea6e40375a0e6224bed8a62e2ab968106f2daa977acd9b1524e2bd363b1c71e107ec5292a7dc0b00910c86a905f70bd94ab6458
-
Filesize
1004KB
-
Filesize
7.7MB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
5.6MB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
368KB
-
Filesize
584KB
-
Filesize
1004KB
-
Filesize
1004KB
-
Filesize
352KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
1024KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
1.3MB
-
Filesize
7.7MB
-
Filesize
608KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
344KB
-
Filesize
592KB