Overview

overview

10

Static

static

10

shooting the oops.exe

windows7-x64

10

shooting the oops.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/03/2025, 20:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shooting the oops.exe

  • Size

    39KB

  • MD5

    c9bd74622a8a1531b93a03ac9c3ba67d

  • SHA1

    b0354cf79ae41e2320d888a38d1c62915bb79445

  • SHA256

    c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05

  • SHA512

    6bacb2e43ac5c3d8d2922091f1e263ccfaae3317b0eaae80f973e1344fcb3ce07091712edaa5ab0f9518d08b963c39b13ef085592dc6410509a21fefcab52263

  • SSDEEP

    768:vifC8qTvhE58LEIDPiKuukR7LH3tTfFWPt9eE56cOMh+alE:viTqTvhOeEIbiKuumnNFe9eE56cOME3

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

M6KBt08Rxl7gnMQb

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shooting the oops.exe
    "C:\Users\Admin\AppData\Local\Temp\shooting the oops.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shooting the oops.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shooting the oops.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\THE BLACKS'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THE BLACKS'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    15d41dfea6e99f4018fb2d720b2cd7b1

    SHA1

    b43b6ecc1fa1b5a452e6c96dca71a24b91ba58f7

    SHA256

    5cea0defd6b8025572486475ed9a59094d5a41912216d5988764203baf959ece

    SHA512

    c68f060e1ad8e05bb7dbdbd486c2d482fd16f3c557603deeaa059affc84e73c8dd27595f57b2eca9d7ffcbd9cc3e488a37578575c6cd6aeb4f0e51014b923033

    Download Submit

  • memory/1100-6-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1100-7-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1100-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2516-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2516-1-0x0000000000C60000-0x0000000000C70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2516-30-0x000000001AFD0000-0x000000001B050000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-31-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2516-32-0x000000001AFD0000-0x000000001B050000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2716-14-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2716-15-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

    Download