Overview

overview

10

Static

static

3

tergdfgdfg.exe

windows7-x64

10

tergdfgdfg.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/03/2025, 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tergdfgdfg.exe

  • Size

    80KB

  • MD5

    9410280381c7972ba775e13d094a87e0

  • SHA1

    3389d7bf5fdc0c613bb130da42d76968b221392d

  • SHA256

    f14d1d27a20ad79684026a18395389354d6dc0e529d2d795bf80e3b66f76913b

  • SHA512

    2c829e655ac71245f8258015556910b6f9eb2988c9e1bb1ecafedee7406b13a10f586f5d3cdecdc374fd8763d538eb2cf84db3a98aec6076629d87bcf998e5b9

  • SSDEEP

    1536:ccrBb0z39BE4SNMZlvaE67897ymsDKM88wEaCnbeHsy/yim/1y1ejY6yFOBa:zrBbcnCMZlvaZM2msWxEleJ/yjgf6yFD

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\tergdfgdfg.exe
      "C:\Users\Admin\AppData\Local\Temp\tergdfgdfg.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Explorer.EXE'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Explorer.EXE'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SubDir.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SubDir.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SubDir" /tr "C:\Users\Admin\AppData\Roaming\SubDir.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:780
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E6AE421E-2A7C-4C99-8FB9-90CDBADCCD5B} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Roaming\SubDir.exe
      C:\Users\Admin\AppData\Roaming\SubDir.exe
      2⤵
      • Executes dropped EXE
      PID:2464
    • C:\Users\Admin\AppData\Roaming\SubDir.exe
      C:\Users\Admin\AppData\Roaming\SubDir.exe
      2⤵
      • Executes dropped EXE
      PID:1992
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:2412
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FT7EKE3BP8ETSXJJ8MEW.temp
    Filesize

    7KB

    MD5

    cb3c6d90e3f925702b017af21ae6ae80

    SHA1

    938d62c11b349795048711c32edaccde74d83ef6

    SHA256

    2ea2ca96e447b31034fdbcc8a3720a863626eb64f204aaac7bc07d21aa80a007

    SHA512

    b48f824c7a9f81d8a5208983a7a1605edd5fef05d31564863199fc57f9d7b2c2f71ad777dfabad3ce79a0732222f3e42a783a759b7dcd63f217e3c0fbe857908

    Download Submit

  • \Users\Admin\AppData\Roaming\SubDir.exe
    Filesize

    2.7MB

    MD5

    ac4c51eb24aa95b77f705ab159189e24

    SHA1

    4583daf9442880204730fb2c8a060430640494b1

    SHA256

    6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a

    SHA512

    011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81

    Download Submit

  • memory/1192-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1192-4-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1192-5-0x0000000003DA0000-0x0000000003DB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1192-2-0x0000000002EF0000-0x0000000002F03000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1192-7-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1192-50-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1192-49-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1192-46-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1192-47-0x00000000077F0000-0x0000000007870000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1192-45-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1192-3-0x0000000002EF0000-0x0000000002F03000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1192-51-0x00000000077F0000-0x0000000007870000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2072-39-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2072-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2072-1-0x0000000000B40000-0x0000000000B5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2380-14-0x0000000002670000-0x0000000002678000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2380-18-0x000007FEF1D90000-0x000007FEF272D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2380-19-0x0000000002CC4000-0x0000000002CC7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2380-16-0x000007FEF1D90000-0x000007FEF272D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2380-15-0x000007FEF1D90000-0x000007FEF272D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2380-20-0x000007FEF1D90000-0x000007FEF272D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2380-13-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2380-12-0x000007FEF204E000-0x000007FEF204F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-17-0x000007FEF1D90000-0x000007FEF272D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-55-0x00000000037C0000-0x00000000037D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2784-27-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2784-26-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

    Download