Overview

overview

10

Static

static

10

Client1.exe

windows10-2004-x64

10

Client1.exe

windows10-ltsc_2021-x64

10

Client1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    176s
  • max time network
    283s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-de
  • resource tags

    arch:x64arch:x86image:win11-20250313-delocale:de-deos:windows11-21h2-x64systemwindows
  • submitted
    26/03/2025, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client1.exe

  • Size

    57KB

  • MD5

    1e0aa64bead9e0338618646b79e4a77b

  • SHA1

    8c3985be98bbfbbc02a0ec6d2d5801483251cf84

  • SHA256

    fabc467aee7674695a0e55e90f4d7136835d9876fddeac5a9af3e4a071772af5

  • SHA512

    eef3fc34edf692ef633080f3fc8ae84c3c60ade77774d994186337a25b9bc26c0a7b0b011d9b03fffbe26c5c3516b3befe4d4fb843d3350d97abdd33b8dcdf83

  • SSDEEP

    768:HBywQrCTMMHowDEBB1MlaXe18di8Zkbkjyh16HUdWVgOLIh6mpN:HE5MIBlQaX68HkbkjyhiUsVgOLID

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

park-meetup.gl.at.ply.gg:62592

Attributes
  • Install_directory

    %AppData%

  • install_file

    test.exe

  • telegram

    https://api.telegram.org/bot7562309856:AAFIj99L-jF0g413E29-ASuHw7g8dapP63M/sendMessage?chat_id=7880028202

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client1.exe
    "C:\Users\Admin\AppData\Local\Temp\Client1.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "test" /tr "C:\Users\Admin\AppData\Roaming\test.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5756
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "test"
      2⤵
        PID:5644
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D9B.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1636
    • C:\Users\Admin\AppData\Roaming\test.exe
      C:\Users\Admin\AppData\Roaming\test.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:6048
    • C:\Users\Admin\AppData\Roaming\test.exe
      C:\Users\Admin\AppData\Roaming\test.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\test.exe.log
      Filesize

      654B

      MD5

      2cbbb74b7da1f720b48ed31085cbd5b8

      SHA1

      79caa9a3ea8abe1b9c4326c3633da64a5f724964

      SHA256

      e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

      SHA512

      ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      24KB

      MD5

      aa5f023c947a39567aa77454805172c5

      SHA1

      2eeb0726882d0f09dc2d63f69ed40aa60ed205bd

      SHA256

      e8164ec588c417d10454e45cfd179ff2db21b9327c6bf75112e245dc5be4fd4b

      SHA512

      249439d8114d1f29b570ee9c5e742b922ac525af26a0ba5054892faaff80ac3af04cb55283e74373bd6b2ff8226584ea3e8c66d7e5ea1da0ff93fcf365cb2155

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      24KB

      MD5

      2ff5abf5c4b9149a19245eb28c0c6613

      SHA1

      7a9fd1ea4ff86b8476d054623d3fba36322c34cc

      SHA256

      6c8602dc88149327a96d492ded042038b3a743ef517abb653945f2f1945bb372

      SHA512

      c51182916c0f09b989a0b068845a355a108e2ff7ee0254e1690f32902e40e2c9c7be44876f5954c20e48317fef4d9cd93000e9b54678599ca045c1096a547b51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1D9B.tmp.bat
      Filesize

      159B

      MD5

      dddb96e35043307594dafb09f44efb7a

      SHA1

      bff323c893c42dec5f612f4e0fe63719e86353b6

      SHA256

      19b2bdbfccf79a27aa7e5e17b99f34656b9d97cb4a15d5dca659e868e971855e

      SHA512

      cd1c3f25f4e906ec7483159e7254e1cc7b9d28c902bfceb080b582f5e28d74ff4dbb0133b4d564a267ced8df0eecf1c7bea9fb75c7555d6c537d91586fdc7a74

      Download Submit

    • C:\Users\Admin\AppData\Roaming\test.exe
      Filesize

      57KB

      MD5

      1e0aa64bead9e0338618646b79e4a77b

      SHA1

      8c3985be98bbfbbc02a0ec6d2d5801483251cf84

      SHA256

      fabc467aee7674695a0e55e90f4d7136835d9876fddeac5a9af3e4a071772af5

      SHA512

      eef3fc34edf692ef633080f3fc8ae84c3c60ade77774d994186337a25b9bc26c0a7b0b011d9b03fffbe26c5c3516b3befe4d4fb843d3350d97abdd33b8dcdf83

      Download Submit

    • memory/2064-16-0x00007FFB70D00000-0x00007FFB717C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2064-14-0x00007FFB70D00000-0x00007FFB717C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5036-8-0x00007FFB70D03000-0x00007FFB70D05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5036-11-0x00000000010E0000-0x00000000010EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5036-9-0x00007FFB70D00000-0x00007FFB717C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5036-0-0x00007FFB70D03000-0x00007FFB70D05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5036-7-0x000000001C340000-0x000000001C444000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5036-36-0x000000001C330000-0x000000001C33C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/5036-6-0x00007FFB70D00000-0x00007FFB717C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5036-1-0x0000000000880000-0x0000000000894000-memory.dmp

      Filesize

      80KB

      Download

    • memory/5036-45-0x00007FFB70D00000-0x00007FFB717C2000-memory.dmp

      Filesize

      10.8MB

      Download