Overview

overview

10

Static

static

10

15415145.exe

windows7-x64

10

15415145.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15415145.exe

  • Size

    59KB

  • MD5

    6c091ad6fae0fa76f44870d1a1b05cb4

  • SHA1

    040f60c0ee3f4902f919025057e34ab4d11b1abd

  • SHA256

    c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390

  • SHA512

    3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86

  • SSDEEP

    1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

known-savage.gl.at.ply.gg:45116

association-lectures.gl.at.ply.gg:32463
Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 12 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 6 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\15415145.exe
    "C:\Users\Admin\AppData\Local\Temp\15415145.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "15415145" /tr "C:\Users\Admin\AppData\Roaming\15415145.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2340
    • C:\Users\Admin\AppData\Local\Temp\jzsbvm.exe
      "C:\Users\Admin\AppData\Local\Temp\jzsbvm.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\jzsbvm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jzsbvm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\jzsbvm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jzsbvm" /tr "C:\Users\Admin\AppData\Roaming\jzsbvm.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2292
    • C:\Users\Admin\AppData\Local\Temp\nktanb.exe
      "C:\Users\Admin\AppData\Local\Temp\nktanb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\vsmlir.exe
      "C:\Users\Admin\AppData\Local\Temp\vsmlir.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Users\Admin\AppData\Local\Temp\gbldib.exe
      "C:\Users\Admin\AppData\Local\Temp\gbldib.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "gbldib" /tr "C:\Users\Admin\AppData\Roaming\gbldib.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2756
    • C:\Users\Admin\AppData\Local\Temp\izubln.exe
      "C:\Users\Admin\AppData\Local\Temp\izubln.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8E1CF512-920F-4339-ABBC-C9BAEC17DEF3} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Roaming\15415145.exe
      C:\Users\Admin\AppData\Roaming\15415145.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Users\Admin\AppData\Roaming\jzsbvm.exe
      C:\Users\Admin\AppData\Roaming\jzsbvm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Users\Admin\AppData\Roaming\15415145.exe
      C:\Users\Admin\AppData\Roaming\15415145.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gbldib.exe
    Filesize

    159KB

    MD5

    49a6b6e8627762b929999b0b1fe6d604

    SHA1

    4a47bbb17c6cbda79794428df97d203b7261af79

    SHA256

    ca6aa52d419303376de2c37b4c8f6bdd41e31e55de6d178520ad5056303b6571

    SHA512

    c967dcb9be6b1fa73f1ef50a7785c17919365857be63923c6cad53362931d9a1c9fb41a43d68a050ad2a50239580fc8294e61e2ba10ee19d185f4f91c035b85b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jzsbvm.exe
    Filesize

    34KB

    MD5

    950d739da650457fab6a225545794238

    SHA1

    e965286161ecda1b8c0072d8a2d80c191bb15705

    SHA256

    a571fcac5384158c4927e7c7cf07182b68eccf67845ba927beae44cd9835e3f8

    SHA512

    b7b91343176c5a7f6408b21fbc96c23d0b02c080b846e29f304ba91de1d0f37a772953e7ab65d1d627cb3490fbef3b85681564e878d8dcda57c0897dbad1d19b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\15415145.exe
    Filesize

    59KB

    MD5

    6c091ad6fae0fa76f44870d1a1b05cb4

    SHA1

    040f60c0ee3f4902f919025057e34ab4d11b1abd

    SHA256

    c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390

    SHA512

    3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XA51BQRFNY5MKHKG3I8J.temp
    Filesize

    7KB

    MD5

    2cecb776d0946f15b9b646bbd15a32d2

    SHA1

    e153572ea5734e77699a7d220f0583c3e8ed12d5

    SHA256

    d541bfb3a728021adbc8c516efaabbb7738bbf99b6d6a55e8a7e35e06d81b3f1

    SHA512

    7c883924c3d2d9f1fb4f743e537a6fc3246466dd875d6fa486eb5e2dce54ad708229fda0c5e6d779b233ff253bc9b9369e75bc0a15738f5e30a297d3fac41d0f

    Download Submit

  • memory/1136-55-0x0000000000F90000-0x0000000000F9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1640-29-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1640-28-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1760-67-0x0000000001370000-0x000000000137E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2000-39-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2072-75-0x0000000000BF0000-0x0000000000C1E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2096-68-0x00000000011A0000-0x00000000011B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2344-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2344-11-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2344-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2344-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2344-1-0x0000000001070000-0x0000000001086000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2440-22-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2672-16-0x0000000001100000-0x0000000001116000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2760-89-0x0000000001050000-0x000000000107E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2984-40-0x000000001B590000-0x000000001B872000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2984-41-0x0000000002250000-0x0000000002258000-memory.dmp

    Filesize

    32KB

    Download