Overview

overview

10

Static

static

10

SandeLLoVIP.exe

windows7-x64

10

SandeLLoVIP.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SandeLLoVIP.exe

  • Size

    69KB

  • MD5

    9535d16d8d5a60a4f2547f816e38be83

  • SHA1

    1dba310785accfa2299e4d79b8b9b912e6624c01

  • SHA256

    a84017166ae53f06b406f68bf77bcc23538db2239f5cd64913c5b36726303d88

  • SHA512

    040ce54e43003ad84bdc2ebb36d89b31318f26d0058129be3e11a7cbc5e8757667ae866e0ba0ffa67e45384cc49ef4e5f6da474d75c2afeef22beee4749c984a

  • SSDEEP

    1536:aodhbfdfAwXeY+aG1YmpO7PaBcgFElfbokQ5/K6P3nOOgfsaH:1cDNpMyBtifborXOjJ

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

C2

buying-pro.gl.at.ply.gg:1273

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SandeLLoVIP.exe
    "C:\Users\Admin\AppData\Local\Temp\SandeLLoVIP.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2716
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\vcredist2010_x64.log.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    406aef4faf3f8410cf2d82e6838b699b

    SHA1

    2386b73a1722a98f59c3154968da4ce8fb82e526

    SHA256

    59421d8f22b892aa40c687aade55349669c95ff9df61e0992fa4b825e581371c

    SHA512

    7581522ba014b59eb506dd5ec601123e4c3ee27cbc96d05d8686d3b2aa0386bae3e63f3014f2eaa856df236d200f60c2331398f3b7f802a495ac5403ceb34588

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    47daea36d1ad341dc7e3aea4491d120a

    SHA1

    dcb804a0896d715975a318a824d389b49b19380e

    SHA256

    f6a74b5372d85f87d5efc11d300cb3c8fbe8b7b8886978a50fe7a10d31d6a33d

    SHA512

    095118fcde9c0024bd98c8fb5ebe3b0ab5a9520be37c606f576d1e982601f8d8c93fd81bca267b9b74b9bed9caa2d7885ffaeec3cf0cb99a4c9943ec6ca2614c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    922b87558b6de512a08f3e0db96615bb

    SHA1

    017b159c56f7bfb2171c3e7f2eef58a5c7d24e46

    SHA256

    3a98853f1e405c91de81c807b581f914d57b4ed1f39fb7ca4e4e7deb94ef7350

    SHA512

    5a8d26773c8d41bc49d573a441ab0f4a06209eabdc7c620bb3b7a5b85f6b58515f86faa0b950b4227d58441bd017185b021ee85296f638b6e35209df6a435ebc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bd95bde2dc5f21e3f75db6f85e15cbf0

    SHA1

    fcf57ae30c895bd36c0af9461d3220f0ca72c7ad

    SHA256

    16add628807cee8641566f3032627f8df11939f14860d528e3ea133401863254

    SHA512

    163326e12949d2b640db12fba6e897524b5460f8aff4269711f401f39f80efa904c78213f7926e0d32bb01ec6b4c31d7a00fd80aee641e92a9cb01c452b52e97

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    eff68c06e021f708902feadfa8f494ba

    SHA1

    08bf2374c4bc8640b38317e0529245a1420c7504

    SHA256

    95c91320393521adc6c94af29531a4b865fc1005d98d6b7ec6b7ea97d49cdc79

    SHA512

    bc8989249f10520a9a7e428685f9a0a0f862abc7aae3618e156f282bced20ac102bdb45d303690d393b2729cf6e1fe7f52bdec784abb69bc9a75f174e5da03a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b29fb65aef9e6ae79b46b476923213b9

    SHA1

    43d1abfb0c0c252dfe6f43e9ca00a7f2254b62f2

    SHA256

    79cc8278b70f76a2c58b7f8ff4af9c38690d6d24460963bada565211c8b1b18a

    SHA512

    eef53bc2dc6db45b4dadd37a58e2085bdb642a5dd6b4f40f08f1df5e3372cc8cf868887c897fec8595ec0ab5b4ee335ea625111fd02669090142b9e3589ddb9c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8f23f7668781d840afba8190da2a9bd0

    SHA1

    f14b8b37cac4a8b5b13eddf5e0d26e5dee538242

    SHA256

    b8c995f6afbb52ea7c84740aeb1a5de920e3a4d06adaa396110e5ac31c48b9aa

    SHA512

    23b43da3f7f5d2530dfecf3aae9918fec317ffd7f9262e75bd6efef9cd48ccdea5ac73159f55cca1b4caf7d0b7699fadd39773305d1e4c00b08b339c57840f04

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    829b62dd1d1446b0eaae343e140396b5

    SHA1

    56261e8e5aedfa1e344e6843f6d2c5a7c409f6ff

    SHA256

    2d561ec3b74315ba0870204780def305b254cba7825cda27e5d523cd12f797f6

    SHA512

    9df9667d0fd1faab92cac52d66e2acb9091e595b5144507b615e9c2ae77a0f810438096d7f9e363daa55db302202dfe6de9337c7d1e46dfd21f37a2dc02c12d7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fdd5619794085094e66654f443676423

    SHA1

    97b3d4d837b3aa25fd0f39c859404452728892f3

    SHA256

    77c93658c5308422302c19da92e61f73483dac211921342c137f7c90bbfe157b

    SHA512

    fdbef29924907fa348a15982b7dae2519d2481be3ca73bc5b759da589efc1779504ab0419b31ddaa44cd3e72cac813fa46aee132d702d72ae165a57c14657c64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA882.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarA983.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/2716-0-0x000007FEF6783000-0x000007FEF6784000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2716-3-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2716-2-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2716-1-0x0000000000200000-0x0000000000218000-memory.dmp

    Filesize

    96KB

    Download