Analysis

  • max time kernel
    143s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

arch:x64 arch:x86 image:win7-20250207-en locale:en-us os:windows7-x64 system
  • submitted
    22/03/2025, 06:33

General

  • Target

    5c4c8e3473b0c8f8a1d81b941495d80c1d07fc22d02cd10dc467f4309645d2e2.exe

  • Size

    770KB

  • MD5

    512de90549a0ffd01db566d4e69afa97

  • SHA1

    193cce38892758314db86d16fbc1e6a07008729c

  • SHA256

    5c4c8e3473b0c8f8a1d81b941495d80c1d07fc22d02cd10dc467f4309645d2e2

  • SHA512

    fdbe1b71231057d8b1c25c9a152a846d0860f5f9a3e1942a877f691d5f39e702fafe14b0e9a2e7e21dfa427fed6d20b6fe33109dd82a53fda7b2271ed9c7b177

  • SSDEEP

    12288:2Cg/vC4AAY6NkAI9gNoDUCvUMMyRx0E6eKJQ0qnkf29Bq:2C4vCNAEAwgNIUUz0E1KJQBnkMq

Score
10/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c4c8e3473b0c8f8a1d81b941495d80c1d07fc22d02cd10dc467f4309645d2e2.exe
    "C:\Users\Admin\AppData\Local\Temp\5c4c8e3473b0c8f8a1d81b941495d80c1d07fc22d02cd10dc467f4309645d2e2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Users\Admin\AppData\Roaming\Output.exe
      "C:\Users\Admin\AppData\Roaming\Output.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
      • C:\Users\Admin\AppData\Roaming\Output.exe
        "C:\Users\Admin\AppData\Roaming\Output.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          "C:\Users\Admin\AppData\Roaming\XClient.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
        • C:\Users\Admin\AppData\Roaming\Output.exe
          "C:\Users\Admin\AppData\Roaming\Output.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Users\Admin\AppData\Roaming\XClient.exe
            "C:\Users\Admin\AppData\Roaming\XClient.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2480
          • C:\Users\Admin\AppData\Roaming\Output.exe
            "C:\Users\Admin\AppData\Roaming\Output.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2240
            • C:\Users\Admin\AppData\Roaming\XClient.exe
              "C:\Users\Admin\AppData\Roaming\XClient.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1148
            • C:\Users\Admin\AppData\Roaming\Output.exe
              "C:\Users\Admin\AppData\Roaming\Output.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:996
              • C:\Users\Admin\AppData\Roaming\XClient.exe
                "C:\Users\Admin\AppData\Roaming\XClient.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
              • C:\Users\Admin\AppData\Roaming\Output.exe
                "C:\Users\Admin\AppData\Roaming\Output.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2980
                • C:\Users\Admin\AppData\Roaming\XClient.exe
                  "C:\Users\Admin\AppData\Roaming\XClient.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2844
                • C:\Users\Admin\AppData\Roaming\Output.exe
                  "C:\Users\Admin\AppData\Roaming\Output.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2940
                  • C:\Users\Admin\AppData\Roaming\XClient.exe
                    "C:\Users\Admin\AppData\Roaming\XClient.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3048
                  • C:\Users\Admin\AppData\Roaming\Output.exe
                    "C:\Users\Admin\AppData\Roaming\Output.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1812
                    • C:\Users\Admin\AppData\Roaming\XClient.exe
                      "C:\Users\Admin\AppData\Roaming\XClient.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2792
                    • C:\Users\Admin\AppData\Roaming\Output.exe
                      "C:\Users\Admin\AppData\Roaming\Output.exe"
                      10⤵
                      • Executes dropped EXE
                      PID:308

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Output.exe

    Filesize

    707KB

    MD5

    96c50f871ceb7ee1a0b41dcca8da5c01

    SHA1

    d8946f0af6156c6f69895a2808734d2696660ada

    SHA256

    cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db

    SHA512

    0ac872561e55a4c2cea0cd6aab965637b4ee6945552aee0a9b1e28ba338d065f98e782e433f7e3ccd464f18bc2ba14307b453ab2b3de8172a7f186018008802e

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    50KB

    MD5

    e0918682feb10b28a39a9cfbf4d2d90c

    SHA1

    c33f8518747e96955387bac3c8299eea24357fe0

    SHA256

    8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01

    SHA512

    dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

  • memory/1820-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

    Filesize

    4KB

  • memory/1820-1-0x00000000013A0000-0x0000000001466000-memory.dmp

    Filesize

    792KB

  • memory/2224-13-0x0000000001220000-0x00000000012D8000-memory.dmp

    Filesize

    736KB

  • memory/2876-7-0x0000000001290000-0x00000000012A2000-memory.dmp

    Filesize

    72KB

  • memory/2876-30-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2876-31-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2876-32-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2876-33-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

    Filesize

    9.9MB