Overview

overview

10

Static

static

10

RedWare Temp V3.exe

windows7-x64

10

RedWare Temp V3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RedWare Temp V3.exe

  • Size

    86KB

  • MD5

    dd14ce42c869309959374b8497b8b8c6

  • SHA1

    3d6fbe7bdccb4d779e84ac058f8c7ec8fc3e623f

  • SHA256

    78286063f2e7de6b9d38075affdbfd0f24456eceefb4e86321298e71409a6a02

  • SHA512

    95975b34eac64834cffeba1322d3718afead0163cf11fb4362c12cb1d34beabc38cc4407619de98726cd977a212fed7002a2664b37ce105d07e8265776f47124

  • SSDEEP

    1536:gp+KuU1oVHPsbMJuguun/Gmf6WpFOfNAL78C4Mnh:g4TQotPsbsugR/GOzOfq/t1h

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/KESYt2Qf

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RedWare Temp V3.exe
    "C:\Users\Admin\AppData\Local\Temp\RedWare Temp V3.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2040
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2088
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2040-0-0x00007FFA665B3000-0x00007FFA665B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2040-1-0x00000000004D0000-0x00000000004EC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-2-0x00007FFA665B0000-0x00007FFA67071000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2040-3-0x00007FFA665B0000-0x00007FFA67071000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2088-6-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-5-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-16-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-15-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-14-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-13-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-12-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-11-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-10-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-4-0x000001EC8CCC0000-0x000001EC8CCC1000-memory.dmp

      Filesize

      4KB

      Download