Overview

overview

10

Static

static

10

ccc270754c...41.ps1

windows7-x64

8

ccc270754c...41.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2025, 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141.ps1

  • Size

    779B

  • MD5

    209a0dcfb7e176365dc8f9a00dec716a

  • SHA1

    aac44bda989e764f25277e7ed2b6680c781d704e

  • SHA256

    ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141

  • SHA512

    354491ae39042832f2b419a85ffbb45e1159a35aa124cfb61c3ec47ba70da176f4bffe1a089f4dfa55ee3f76525cc6f1a204a84b153d44eb143ea6a6780f687b

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141.ps1
    1⤵
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Suspicious use of SetThreadContext
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fpg5nbrc\fpg5nbrc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp" "c:\Users\Admin\AppData\Local\Temp\fpg5nbrc\CSC3A7931E21D48426EA41A58292BA31434.TMP"
        3⤵
          PID:4744
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:60

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp
      Filesize

      1KB

      MD5

      ae218dcee73917e1bdc8b76b877a2568

      SHA1

      bf49f48b062b7822b53728fdf83926a35e7613fb

      SHA256

      62b77c089385b935e3498335b7e315db82f19fabbfc637a3228b6930200e0dee

      SHA512

      820874967c49505c0e50f6bbfa555a7874dcacd0976187b7a99ddc7f155ab95ea085f47dc2ae9c776b495c4464418e55fd16e4670adb348e7ff5c6b2103d96b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzi2rt5s.y3y.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fpg5nbrc\fpg5nbrc.dll
      Filesize

      42KB

      MD5

      2b903f91b99a19edcc714cab34e98aa2

      SHA1

      38b275a0b2e61f6a5216d1a7f772b11b02e1a6c2

      SHA256

      062e773f8f682aeab5b1fc78aacae8bead72346c9b797331293cec5d06a22b90

      SHA512

      6bd25fa4cc8ef01c7d94d4ef8a7af7aefd9c9f151395afb09a07fad962e8dfcc971a8ebb9983bc9df6377208a7f184ea50e577acc65676098781d94ad955e20b

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\fpg5nbrc\CSC3A7931E21D48426EA41A58292BA31434.TMP
      Filesize

      652B

      MD5

      86ba0e8379ecd8d49f5a2f1349159917

      SHA1

      3c470fde3e98ac66252b7638837848a884051967

      SHA256

      86b387cd7df86082d4a95a7db5138c98e25cf690d03d44992afe20365ba320bd

      SHA512

      3b705a8dcd41ccc7622da0ba9a626d17f4bb269d39e717e45fed4e777dd7f1711421d60d7aff67f77ff9b290289126bee44471eb67a977fa4e3fcf9196c165cd

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\fpg5nbrc\fpg5nbrc.0.cs
      Filesize

      103KB

      MD5

      992ab26a03ded91714491d267da55fb2

      SHA1

      25fe04d5493f7e904bd4e64078aa464226e8f393

      SHA256

      3b18772dbf088171f78cccd3da6fb05f46918b2bafa17ab43ea03ec0507935c1

      SHA512

      a1dbfd27e02d10e978475bf9c1279c489e1c9febd8456492e2b0d7df33563c4e81cc28e39f6a90aa82cadc06927bce2f831f2089b5e57da4ea89862a6d82ad0f

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\fpg5nbrc\fpg5nbrc.cmdline
      Filesize

      204B

      MD5

      d1262304a440b08f01bc611a6fe942a7

      SHA1

      64a899c914d3b2625efeae99c758016df2ef7d9f

      SHA256

      a34f89614ee9ce37842b328562c1fcc7dea0e14ee134b1e15cee68bb82f0d72a

      SHA512

      1caead947cdb65d3f186787a4d2e60a2640106f89dd0790f90e1f57d331dca73a1b3a673cb9e444107e559f2ad7ad0302dffceabff79b982719df03ac1c23ed5

      Download Submit

    • memory/60-33-0x0000000005040000-0x00000000050DC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/60-34-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/60-39-0x0000000006720000-0x0000000006CC4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/60-38-0x00000000060D0000-0x0000000006162000-memory.dmp

      Filesize

      584KB

      Download

    • memory/60-37-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/60-36-0x00000000056D0000-0x0000000005736000-memory.dmp

      Filesize

      408KB

      Download

    • memory/60-28-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/60-35-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/60-32-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/388-2-0x0000019240A30000-0x0000019240A52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/388-0-0x00007FFF9CE33000-0x00007FFF9CE35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/388-31-0x00007FFF9CE30000-0x00007FFF9D8F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/388-26-0x0000019240A60000-0x0000019240A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/388-13-0x000001925B240000-0x000001925B2A8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/388-11-0x00007FFF9CE30000-0x00007FFF9D8F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/388-12-0x00007FFF9CE30000-0x00007FFF9D8F1000-memory.dmp

      Filesize

      10.8MB

      Download