Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
22/03/2025, 06:18
General
-
Target
fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c.exe
-
Size
144KB
-
MD5
2c55bdee9b3ac74ea1c16c0c86deb93c
-
SHA1
f74a12160819d97888e93e5b56067d4b24413791
-
SHA256
fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c
-
SHA512
aebb19b54103f9aa2efda1da908fd08bd9e426610e7c6bccda92ceb0dd8116795b5ed54e6d05c2eb8588eb63fb2916970e443fc6639451e330e093d39f7ce3ae
-
SSDEEP
3072:3IJrjowkba1TOi1M+lmsolAIrRuw+mqv9j1MWLQI:3IdAbT+lDAA
Malware Config
Extracted
xworm
xkpog9yml.localto.net:5392
:5392
-
Install_directory
%Temp%
-
install_file
windowsservice.exe
Signatures
-
Detect Xworm Payload 5 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c.exe"C:\Users\Admin\AppData\Local\Temp\fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "windowsservice" /tr "C:\Users\Admin\AppData\Local\Temp\windowsservice.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CF396FC3-3573-46A9-A2C4-D60EA1A611A1} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\windowsservice.exeC:\Users\Admin\AppData\Local\Temp\windowsservice.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\windowsservice.exeC:\Users\Admin\AppData\Local\Temp\windowsservice.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\windowsservice.exeC:\Users\Admin\AppData\Local\Temp\windowsservice.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144KB
MD52c55bdee9b3ac74ea1c16c0c86deb93c
SHA1f74a12160819d97888e93e5b56067d4b24413791
SHA256fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c
SHA512aebb19b54103f9aa2efda1da908fd08bd9e426610e7c6bccda92ceb0dd8116795b5ed54e6d05c2eb8588eb63fb2916970e443fc6639451e330e093d39f7ce3ae
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB