Overview

overview

10

Static

static

3

Output.exe

windows7-x64

10

Output.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Output.exe

  • Size

    2.0MB

  • MD5

    cb426d21428bc8468cf85d260f0b35b3

  • SHA1

    1c719bb607925916fc2446002f2c1f8ced2adf3f

  • SHA256

    b485b0b51b8307c750b3452a7965e538d9576f76ccab3b6e4a086201e854ef7f

  • SHA512

    23c2691731665a5d1ebc908a8b52f684c68fe7e9253dbedd59deae683d3ffe0b24db1d2f74a692e957e2b931558a662af38821d9412eb7428dab623fa2e30ac6

  • SSDEEP

    49152:K2ooOms+N4tFHLO9LCiGxyLp9UaqNU3skJVPA78Cj:K0K7LOwifLp9K1sVE8

Score
10/10
xwormpyinstallerrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

qxXFT7Xfzgf1uMiL

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/MNJM1De2

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Roaming\FixVelocity.exe
      "C:\Users\Admin\AppData\Roaming\FixVelocity.exe"
      2⤵
      • Executes dropped EXE
      PID:2644
    • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
          "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
            "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:588
            • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
              "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
              6⤵
              • Executes dropped EXE
              PID:2492
            • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
              "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2424
          • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
            "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
        • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
          "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:532
      • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\FixVelocity.exe
    Filesize

    1.6MB

    MD5

    94438728ecda8452ce32d2e972d62a3d

    SHA1

    732827a71f08f19a891a72095333424b064b1144

    SHA256

    4b59460b0da9c218627e33d35175bc8ce1e6f08b71bd99f92ee0310a970458a5

    SHA512

    b6bb05fc8effbc9eeebb03a1167177f4ff65f4f341bc80911e4cbcd6c3f716329ed1ab6df72fe8a39a6c7b621ede6066e3f490d0c081f38ccb5ea52771437a0c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
    Filesize

    138KB

    MD5

    a705df8248ae95c4c123793b6235821a

    SHA1

    4eab0a8288be174489b3858ecb7ef1cb673c2799

    SHA256

    4ee52b38617c54e3445e3bfadbca1776d577ff50f88169c3613852d16eb39ba2

    SHA512

    5b41d3ef942c0e5ae137d7dcac59aaa782697e9de35f9a7a8a096f27e3a9c88ba16307ec24caf1d26c7db7f50f3f4568b48f01b9542ea0551db416e43d94bef0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
    Filesize

    409KB

    MD5

    89c1e3a7ec9d20a6a19d33733ddfb45d

    SHA1

    92e295c1a64cb1a7cff25da640d427d494913ea6

    SHA256

    de4e0c559892f2e6532a81f41f2dc7881abcb21f10cef2f0b8e1c08f028ed274

    SHA512

    8a0db537fb949c274db4bc0ddf1b8e1075fe9a944c72e0f2790846288844a81870afdd549dfe2850deabf34aebfeca38faddf49128f3a25ce99660421858998d

    Download Submit

  • memory/2648-20-0x00000000012B0000-0x00000000012D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2824-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-1-0x0000000001050000-0x0000000001260000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2872-13-0x0000000001110000-0x000000000117C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2872-24-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

    Download