Overview

overview

10

Static

static

3

CRACK DELTA.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    114s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/03/2025, 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CRACK DELTA.rar

  • Size

    25.1MB

  • MD5

    4be7689267ec1601a777d7a8c2432cb2

  • SHA1

    9daba79d622aa40a3ab0112144bf9ee11c15c6a4

  • SHA256

    c342812f3b7676faa3b7c3eec7f50a6c9f0d03344b46ea3f8a9dd24aa4dd81d0

  • SHA512

    23333738d46ce9dcaad9f06363d8b26ec7c2433c4e9bd4f0e4400afb8e0ccca21645da9b6fc10832310e44a7c41348ce6a00c6d9821853e5ff9bfb151fa502ba

  • SSDEEP

    786432:QSOhbvU6WHlCjsNhdsnGiJv89lCnMWQj1iZpvC:zOhbvUpFNoGiJv8mnvC

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

step-yr.gl.at.ply.gg:30565

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CRACK DELTA.rar"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4584
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1852
    • C:\Users\Admin\Desktop\CRACK DELTA\Craked delta.exe
      "C:\Users\Admin\Desktop\CRACK DELTA\Craked delta.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Users\Admin\AppData\Local\Temp\для утуба2.exe
        "C:\Users\Admin\AppData\Local\Temp\для утуба2.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\для утуба2.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2180
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'для утуба2.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\для утуба2.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "для утуба2" /tr "C:\Users\Public\для утуба2.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3312
      • C:\Users\Admin\AppData\Local\Temp\для утуба.exe
        "C:\Users\Admin\AppData\Local\Temp\для утуба.exe"
        2⤵
        • Executes dropped EXE
        PID:3120
    • C:\Users\Public\для утуба2.exe
      "C:\Users\Public\для утуба2.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3428
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1696
    • C:\Users\Public\для утуба2.exe
      "C:\Users\Public\для утуба2.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\для утуба2.exe.log
      Filesize

      654B

      MD5

      2cbbb74b7da1f720b48ed31085cbd5b8

      SHA1

      79caa9a3ea8abe1b9c4326c3633da64a5f724964

      SHA256

      e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

      SHA512

      ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d0a4a3b9a52b8fe3b019f6cd0ef3dad6

      SHA1

      fed70ce7834c3b97edbd078eccda1e5effa527cd

      SHA256

      21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

      SHA512

      1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      8cb7f4b4ab204cacd1af6b29c2a2042c

      SHA1

      244540c38e33eac05826d54282a0bfa60340d6a1

      SHA256

      4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

      SHA512

      7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbvzqmqn.fe5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\для утуба.exe
      Filesize

      490KB

      MD5

      fb5df2776bcd8a5dd0d78eb330c165cf

      SHA1

      dd7e2f06a00d873edb1871b001d56b91b4d7dfe5

      SHA256

      17791a8e46af9bcadf7166b912fb9fe8ec062e136bea429e7f629be95fb596b2

      SHA512

      355af81ca568a424bd63af06fc17bc49f80d82cfb071e58f4f813a279f6f8ab72c0c0f8fc66a2d6b87d408c30bec9546c9a347a453184e4bd3b6928298410cdb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\для утуба2.exe
      Filesize

      57KB

      MD5

      c30e202bbc190bb2133babbc65ffc9f5

      SHA1

      6eae3bb4f9869722cd53ee2cfffc1ac5d9a8ea8c

      SHA256

      a75edf5116976e7cb6fc0a99d8ca2c76500bf2d954932f783bc246e800fa35bb

      SHA512

      b23cfa6eace07606a19d46ecc3c9e65f9d2b5d89265c7d069303d1edaacd5df2ef1305c1ed33a68819d2c0dced950c20c068a2ce0370daa4c504283df2bf1981

      Download Submit

    • C:\Users\Admin\Desktop\CRACK DELTA\Craked delta.exe
      Filesize

      344KB

      MD5

      c629f975bb9857c0e5dd8e5efcbc1204

      SHA1

      a559cae111621235d94c018dfb3c743e00e7a023

      SHA256

      91449f200d1ca7a7e83dc79e4aab0e1ba19bf8b5b790997820fcbc8d75d0939d

      SHA512

      d6514c287c54152d69e275526185336d9d93ba49aaccc43fb416510af6ced85e62378b3f8c369623769d12e2b53001a8b15a3da396852e7327f50c3d709d98cd

      Download Submit

    • memory/1660-63-0x000001664AC20000-0x000001664AD6F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1696-95-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-94-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-90-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-91-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-92-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-93-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-89-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-83-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-85-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-84-0x000001FE6CBF0000-0x000001FE6CBF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2128-74-0x000001D964C10000-0x000001D964D5F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2180-40-0x000001A7B70C0000-0x000001A7B70E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2180-51-0x000001A7CF6A0000-0x000001A7CF7EF000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3120-37-0x00000000006D0000-0x0000000000750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3692-38-0x00000000001F0000-0x0000000000204000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4568-24-0x00007FFD8E020000-0x00007FFD8EAE2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4568-11-0x00000000002E0000-0x000000000033C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4568-35-0x00007FFD8E020000-0x00007FFD8EAE2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4568-10-0x00007FFD8E023000-0x00007FFD8E025000-memory.dmp

      Filesize

      8KB

      Download