Overview

overview

10

Static

static

10

shooting the oops.exe

windows7-x64

10

shooting the oops.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    04/03/2025, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shooting the oops.exe

  • Size

    39KB

  • MD5

    c9bd74622a8a1531b93a03ac9c3ba67d

  • SHA1

    b0354cf79ae41e2320d888a38d1c62915bb79445

  • SHA256

    c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05

  • SHA512

    6bacb2e43ac5c3d8d2922091f1e263ccfaae3317b0eaae80f973e1344fcb3ce07091712edaa5ab0f9518d08b963c39b13ef085592dc6410509a21fefcab52263

  • SSDEEP

    768:vifC8qTvhE58LEIDPiKuukR7LH3tTfFWPt9eE56cOMh+alE:viTqTvhOeEIbiKuumnNFe9eE56cOME3

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

M6KBt08Rxl7gnMQb

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shooting the oops.exe
    "C:\Users\Admin\AppData\Local\Temp\shooting the oops.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shooting the oops.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shooting the oops.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\THE BLACKS'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THE BLACKS'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    0541d7c5c986ba188d053c86b9c87791

    SHA1

    1dcf86dce14aa4c90773137e94f82e37ddb8cc18

    SHA256

    05e56bf16bfe1f5f09f53b143c43dd61d2f2fde224dad842df09daaa70a42c1c

    SHA512

    9cbe14063462f821b6d649c30689ca91d9b04496abb32338bf73338c76b05f1eae18aa3f860bde4796d00b8e045548682237698935c6923557aafadbf84b07d9

    Download Submit

  • memory/1752-6-0x0000000002970000-0x00000000029F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1752-7-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1752-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2480-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2480-15-0x0000000002970000-0x0000000002978000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2492-0-0x000007FEF5F33000-0x000007FEF5F34000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2492-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2492-30-0x000000001B350000-0x000000001B3D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2492-31-0x000007FEF5F33000-0x000007FEF5F34000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2492-40-0x000000001B350000-0x000000001B3D0000-memory.dmp

    Filesize

    512KB

    Download