Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 06:16

General

  • Target

    cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db.exe

  • Size

    707KB

  • MD5

    96c50f871ceb7ee1a0b41dcca8da5c01

  • SHA1

    d8946f0af6156c6f69895a2808734d2696660ada

  • SHA256

    cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db

  • SHA512

    0ac872561e55a4c2cea0cd6aab965637b4ee6945552aee0a9b1e28ba338d065f98e782e433f7e3ccd464f18bc2ba14307b453ab2b3de8172a7f186018008802e

  • SSDEEP

    12288:9Yxg7plFfjTt/iCiUjM2CiRxNvRJdo/G20F2ilcVeaeW52VJ9GkwPhc:9YKp/jR6Cix2PnNRY+20F2jVEwkw5c

Score
10/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000 (loopback address: this build can only reach a controller on the infected host itself, so no remote beaconing is expected from the sandbox run)

Attributes
  • install_file

    USB.exe (install name from the extracted configuration; the files actually dropped in this run were XClient.exe and Output.exe, see Downloads)

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db.exe
    "C:\Users\Admin\AppData\Local\Temp\cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Users\Admin\AppData\Roaming\Output.exe
      "C:\Users\Admin\AppData\Roaming\Output.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
      • C:\Users\Admin\AppData\Roaming\Output.exe
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          "C:\Users\Admin\AppData\Roaming\XClient.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Users\Admin\AppData\Roaming\Output.exe
          "C:\Users\Admin\AppData\Roaming\Output.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Users\Admin\AppData\Roaming\XClient.exe
            "C:\Users\Admin\AppData\Roaming\XClient.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Users\Admin\AppData\Roaming\Output.exe
            "C:\Users\Admin\AppData\Roaming\Output.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1780
            • C:\Users\Admin\AppData\Roaming\XClient.exe
              "C:\Users\Admin\AppData\Roaming\XClient.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2692
            • C:\Users\Admin\AppData\Roaming\Output.exe
              "C:\Users\Admin\AppData\Roaming\Output.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Users\Admin\AppData\Roaming\XClient.exe
                "C:\Users\Admin\AppData\Roaming\XClient.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2196
              • C:\Users\Admin\AppData\Roaming\Output.exe
                "C:\Users\Admin\AppData\Roaming\Output.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1792
                • C:\Users\Admin\AppData\Roaming\XClient.exe
                  "C:\Users\Admin\AppData\Roaming\XClient.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2112
                • C:\Users\Admin\AppData\Roaming\Output.exe
                  "C:\Users\Admin\AppData\Roaming\Output.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:3036
                  • C:\Users\Admin\AppData\Roaming\XClient.exe
                    "C:\Users\Admin\AppData\Roaming\XClient.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2668
                  • C:\Users\Admin\AppData\Roaming\Output.exe
                    "C:\Users\Admin\AppData\Roaming\Output.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2900
                    • C:\Users\Admin\AppData\Roaming\XClient.exe
                      "C:\Users\Admin\AppData\Roaming\XClient.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2008
                    • C:\Users\Admin\AppData\Roaming\Output.exe
                      "C:\Users\Admin\AppData\Roaming\Output.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:2884
                      • C:\Users\Admin\AppData\Roaming\XClient.exe
                        "C:\Users\Admin\AppData\Roaming\XClient.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1564
                      • C:\Users\Admin\AppData\Roaming\Output.exe
                        "C:\Users\Admin\AppData\Roaming\Output.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:1532
                        • C:\Users\Admin\AppData\Roaming\XClient.exe
                          "C:\Users\Admin\AppData\Roaming\XClient.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:772
                        • C:\Users\Admin\AppData\Roaming\Output.exe
                          "C:\Users\Admin\AppData\Roaming\Output.exe"
                          12⤵
                          • Executes dropped EXE
                          PID:264
                          • C:\Users\Admin\AppData\Roaming\XClient.exe
                            "C:\Users\Admin\AppData\Roaming\XClient.exe"
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1080
                          • C:\Users\Admin\AppData\Roaming\Output.exe
                            "C:\Users\Admin\AppData\Roaming\Output.exe"
                            13⤵
                            • Executes dropped EXE
                            PID:2300
                            • C:\Users\Admin\AppData\Roaming\XClient.exe
                              "C:\Users\Admin\AppData\Roaming\XClient.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:112
                            • C:\Users\Admin\AppData\Roaming\Output.exe
                              "C:\Users\Admin\AppData\Roaming\Output.exe"
                              14⤵
                              • Executes dropped EXE
                              PID:692
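The tree above shows Output.exe re-launching both XClient.exe and a fresh copy of itself at every level, fourteen levels deep, which is what the "Executes dropped EXE 26 IoCs" signature is counting. The script below is an added example, not part of the sandbox report or of any vendor tooling: it rebuilds that tree from process-creation records and derives the counts the signatures summarise (dropped-EXE executions, self-spawning, lineage depth). The event list is constructed by hand from the PIDs and nesting printed above; parent PIDs are inferred from the indentation, the (pid, ppid, image) layout only loosely mirrors a Sysmon Event ID 1 record, and the `max_depth` threshold is an assumed tuning value.

```python
"""Reconstruct the report's process tree and count its self-replication behaviour.

Added example, not part of the sandbox report. EVENTS is constructed by hand
from the PIDs and nesting printed in the Processes section; parent PIDs are
inferred from the indentation, and (pid, ppid, image) only loosely mirrors a
Sysmon Event ID 1 record. Nothing here is real log output.
"""
from collections import defaultdict

ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\cef4f0409df2a015e20411fdf8317582"
          r"dc6ed5f56993dd0122b8006cd695c1db.exe")


def _constructed_events():
    """Replay the tree: each Output.exe launches one XClient.exe and one Output.exe."""
    output_pids = [2500, 2908, 2948, 1780, 2744, 1792, 3036,
                   2900, 2884, 1532, 264, 2300, 692]
    xclient_pids = [2620, 2096, 2804, 2708, 2692, 2196, 2112,
                    2668, 2008, 1564, 772, 1080, 112]
    events = [(2628, 0, SAMPLE)]          # the submitted sample, depth 1
    parent = 2628
    for out_pid, xc_pid in zip(output_pids, xclient_pids):
        events.append((xc_pid, parent, ROAMING + r"\XClient.exe"))
        events.append((out_pid, parent, ROAMING + r"\Output.exe"))
        parent = out_pid                  # the next level hangs off this Output.exe
    return events


EVENTS = _constructed_events()


def build_tree(events):
    """Return (image_by_pid, children_by_pid) from (pid, ppid, image) records."""
    image = {pid: img for pid, _, img in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    return image, children


def dropped_executions(events, drop_dir=ROAMING):
    """PIDs whose image lives under drop_dir: the report's 'Executes dropped EXE'."""
    prefix = drop_dir.lower().rstrip("\\") + "\\"
    return [pid for pid, _, img in events if img.lower().startswith(prefix)]


def self_spawn_events(events):
    """(parent_pid, child_pid) pairs where a process launched a copy of its own image."""
    image, _ = build_tree(events)
    return [(ppid, pid) for pid, ppid, img in events
            if ppid in image and image[ppid].lower() == img.lower()]


def lineage_depth(events, root_pid):
    """Longest parent->child chain below root_pid, counted in edges."""
    _, children = build_tree(events)

    def depth(pid):
        kids = children.get(pid, [])
        return 0 if not kids else 1 + max(depth(k) for k in kids)

    return depth(root_pid)


def triage(events, root_pid=2628, max_depth=3):
    """Summarise the tree; max_depth is an assumed tuning knob, not a report value."""
    depth = lineage_depth(events, root_pid)
    replicated = self_spawn_events(events)
    return {
        "dropped_exe_executions": len(dropped_executions(events)),
        "self_spawn_events": len(replicated),
        "lineage_depth": depth,
        "suspicious": bool(replicated) and depth > max_depth,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed events this yields 26 dropped-EXE executions (matching the signature count), 12 Output.exe-to-Output.exe launches and a lineage 13 edges deep below the original sample. The same functions apply to a real Sysmon or EDR export once its records are mapped to (pid, ppid, image) tuples; a benign installer rarely produces a self-spawning chain deeper than two or three levels from a user-writable directory, which is why depth and self-spawn are checked together rather than either alone.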

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Output.exe

    Filesize

    641KB

    MD5

    be28798fb13ebd61d94d6712436dc399

    SHA1

    186c13dd590594a63e81b24205d1520a2e03b2cc

    SHA256

    45be306e0f454b946091c3c0742655878a7eb69a1c7675c9a677438f4e684c34

    SHA512

    473273021ba324077ae022c8bb10e457d78ce1bfeef95045287915fd15bf1e23cf5a2db42d67c4bb93aba4babb9a8cc71e906ed305f6ad223cf5d1e4534b86a1

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    50KB

    MD5

    e0918682feb10b28a39a9cfbf4d2d90c

    SHA1

    c33f8518747e96955387bac3c8299eea24357fe0

    SHA256

    8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01

    SHA512

    dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

  • memory/2500-13-0x0000000001280000-0x0000000001326000-memory.dmp

    Filesize

    664KB

  • memory/2620-8-0x0000000000360000-0x0000000000372000-memory.dmp

    Filesize

    72KB

  • memory/2620-34-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

    Filesize

    9.9MB

  • memory/2620-39-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

    Filesize

    9.9MB

  • memory/2620-40-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

    Filesize

    9.9MB

  • memory/2628-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

    Filesize

    4KB

  • memory/2628-1-0x0000000000A60000-0x0000000000B18000-memory.dmp

    Filesize

    736KB
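The Downloads section above gives MD5, SHA1 and SHA256 digests for the two dropped files, and the General section gives them for the original sample. The script below is an added example, not part of the sandbox report or of any vendor tooling: it sweeps a directory for those files matching on hash rather than on file name, and separately reports files that only carry an IOC file name, since XWorm builds differ per campaign and a name hit with a different hash still deserves a look. The `IOCS` table is copied from this report; `build_demo()` writes a constructed fixture (a benign file, a placeholder named XClient.exe that is not the malware, and a "planted" file whose own digests are added under the assumed name `demo-planted`) so the sweep can run offline.

```python
"""Sweep a directory for the report's dropped files, matching on hash rather than name.

Added example, not part of the sandbox report. IOCS is copied from the
report's General and Downloads sections. build_demo() writes a constructed
fixture (a benign file plus a placeholder named XClient.exe that is NOT the
malware) so the sweep can run offline; the "demo-planted" entry it adds is an
assumption of this example.
"""
import hashlib
import os
import tempfile

IOCS = {
    "cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db.exe": {
        "md5": "96c50f871ceb7ee1a0b41dcca8da5c01",
        "sha1": "d8946f0af6156c6f69895a2808734d2696660ada",
        "sha256": "cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db",
    },
    "Output.exe": {
        "md5": "be28798fb13ebd61d94d6712436dc399",
        "sha1": "186c13dd590594a63e81b24205d1520a2e03b2cc",
        "sha256": "45be306e0f454b946091c3c0742655878a7eb69a1c7675c9a677438f4e684c34",
    },
    "XClient.exe": {
        "md5": "e0918682feb10b28a39a9cfbf4d2d90c",
        "sha1": "c33f8518747e96955387bac3c8299eea24357fe0",
        "sha256": "8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01",
    },
}


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Read the file once and feed every digest from the same chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=IOCS):
    """Return (ioc_name, [algorithms that matched]) or None.

    A partial match (say MD5 only) is still returned; the algorithm list lets the
    caller see that the stronger digests disagreed.
    """
    for name, known in iocs.items():
        matched = [alg for alg, value in known.items() if digests.get(alg) == value]
        if matched:
            return name, matched
    return None


def sweep(directory, iocs=IOCS):
    """Walk directory; return {'hash_hits': [...], 'name_only': [...]}.

    name_only lists files that carry an IOC file name but a different hash.
    """
    hash_hits, name_only = [], []
    ioc_names = {n.lower() for n in iocs}
    for root, _, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            hit = match_iocs(hash_file(path), iocs)
            if hit:
                hash_hits.append((path, hit[0], hit[1]))
            elif fn.lower() in ioc_names:
                name_only.append(path)
    return {"hash_hits": hash_hits, "name_only": name_only}


def build_demo():
    """Constructed fixture: returns the dir, the file paths and an IOC table extended
    with the planted file's own digests under the assumed name 'demo-planted'."""
    d = tempfile.mkdtemp(prefix="xworm-ioc-demo-")
    benign = os.path.join(d, "readme.txt")
    lookalike = os.path.join(d, "XClient.exe")        # IOC name, not the IOC bytes
    planted = os.path.join(d, "planted.bin")
    with open(benign, "wb") as fh:
        fh.write(b"constructed benign content\n")
    with open(lookalike, "wb") as fh:
        fh.write(b"constructed placeholder, not the real XClient.exe\n")
    with open(planted, "wb") as fh:
        fh.write(b"constructed bytes standing in for a known-bad file\n")
    iocs = dict(IOCS)
    iocs["demo-planted"] = hash_file(planted)
    return {"dir": d, "benign": benign, "lookalike": lookalike,
            "planted": planted, "iocs": iocs}


if __name__ == "__main__":
    demo = build_demo()
    result = sweep(demo["dir"], demo["iocs"])
    for path, name, algs in result["hash_hits"]:
        print(f"HIT  {path} -> {name} via {','.join(algs)}")
    for path in result["name_only"]:
        print(f"NAME {path} matches an IOC file name but not its hash")
```

For a real host the directory to sweep is the drop location seen in the tree, `C:\Users\<user>\AppData\Roaming`; the sizes listed in Downloads are rounded, so they are not used as a match criterion here.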