Overview

overview

10

Static

static

10

Binaries.rar

windows7-x64

1

Binaries.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Binaries.rar

  • Size

    1019KB

  • MD5

    9f0a1e5448e276fd9a1868b08261b258

  • SHA1

    bd0e596a0dacba429edc5d06ca23df7a6136682e

  • SHA256

    5d112a86cfba7fc6a1a176b08fb203eb98d103ba95f9edf6adb72c70558f0c96

  • SHA512

    3a81021e2bff42b1e861d791c9f9089853b5d8e44a8b12aa3f2018a6eba55ee3de3f744c75e2021f6570f7712b1dc1589ff1aa52a4804f02f2111dc3de0a2d52

  • SSDEEP

    24576:uc7mwB4VdnJuGYlLS1GmezoXZUnfG4vLjcl7FpOR5wG24q+h:cU4TeVqaoXO+4vv+fORR24q2

Score
10/10
metasploitxwormbackdoorrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

multi-referral.gl.at.ply.gg:43504

Mutex

L9qlmFNDu8drSdGe

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    SecurityHealthSystray.exe

  • telegram

    https://api.telegram.org/bot7999164804:AAFnlMmOEm_tg1MgP0Rjs4-EAp9cjIouFj4/sendMessage?chat_id=5462166893

aes.plain

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

147.185.221.26:43504

Signatures

  • Detect Xworm Payload 1 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Binaries.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1928
  • C:\Users\Admin\Desktop\PROLoader.exe
    "C:\Users\Admin\Desktop\PROLoader.exe"
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5456
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rordxo0g\rordxo0g.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E9A.tmp" "c:\Users\Admin\Desktop\CSC5E843DA9DD7F46698592564C34FF59C.TMP"
        3⤵
          PID:6104
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwcclnu2\xwcclnu2.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5808
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4159.tmp" "c:\Users\Admin\Desktop\CSC27E1C2C73C33418AA6821B2AF571C85.TMP"
          3⤵
            PID:5752
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:956
        • C:\Users\Admin\Desktop\RuntimeBroker.exe
          "C:\Users\Admin\Desktop\RuntimeBroker.exe"
          1⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\windows\system32\notepad.exe
            "C:\windows\system32\notepad.exe"
            2⤵
              PID:1588
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:956
          • C:\Users\Admin\Desktop\RuntimeBroker.exe
            "C:\Users\Admin\Desktop\RuntimeBroker.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\windows\system32\notepad.exe
              "C:\windows\system32\notepad.exe"
              2⤵
                PID:1420
            • C:\Users\Admin\Desktop\RuntimeBroker.exe
              "C:\Users\Admin\Desktop\RuntimeBroker.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3220
              • C:\windows\system32\notepad.exe
                "C:\windows\system32\notepad.exe"
                2⤵
                  PID:5512
              • C:\Users\Admin\Desktop\RuntimeBroker.exe
                "C:\Users\Admin\Desktop\RuntimeBroker.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:748
                • C:\windows\system32\notepad.exe
                  "C:\windows\system32\notepad.exe"
                  2⤵
                    PID:2532
                • C:\Windows\system32\NOTEPAD.EXE
                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeTrace.txt
                  1⤵
                  • Opens file in notepad (likely ransom note)
                  • Suspicious use of FindShellTrayWindow
                  PID:1676
                • C:\Windows\system32\NOTEPAD.EXE
                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeTrace.txt
                  1⤵
                  • Opens file in notepad (likely ransom note)
                  PID:5308
                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  "C:\Users\Admin\Desktop\RuntimeBroker.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1684
                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  "C:\Users\Admin\Desktop\RuntimeBroker.exe"
                  1⤵
                  • Executes dropped EXE
                  PID:1764
                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  "C:\Users\Admin\Desktop\RuntimeBroker.exe"
                  1⤵
                  • Executes dropped EXE
                  PID:3132

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
                  Filesize

                  226B

                  MD5

                  28d7fcc2b910da5e67ebb99451a5f598

                  SHA1

                  a5bf77a53eda1208f4f37d09d82da0b9915a6747

                  SHA256

                  2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

                  SHA512

                  2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zE8873D417\Icons\icon (15).ico
                  Filesize

                  361KB

                  MD5

                  e3143e8c70427a56dac73a808cba0c79

                  SHA1

                  63556c7ad9e778d5bd9092f834b5cc751e419d16

                  SHA256

                  b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

                  SHA512

                  74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\RES3E9A.tmp
                  Filesize

                  1KB

                  MD5

                  7d45272e7784829b37f98513c144da31

                  SHA1

                  c253786b93a9e210d40465b56100fd61aa5b8688

                  SHA256

                  6b70220dc3b6c85d0f686e0cb7beeabfb92fd70f31a445f676b04c6e2495cb66

                  SHA512

                  a076e7d149386996955d3d3fbaca3369764ab7ac2c5eae08e7e5034cab0f5082ceb9ea9131bfce0dff725db6c103544e1f341d11f570ee9b67dad1f05aa5a817

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\RES4159.tmp
                  Filesize

                  1KB

                  MD5

                  eede7bf224f86c3c63404f5efa122136

                  SHA1

                  764628589838c849a85a2a279f449dd9ab826a6c

                  SHA256

                  f46d29cefb17429fc3842f3902083c0007ba64b1ac7b2483551f3d552ab5f28d

                  SHA512

                  1ac37f8c1b2436e43ea9b5211424cd976066b54784c78661aabdffc0052e61ac2845be6e1c6db466a1af22bc68346fe1f5c9447d4a082e3feef66dedda0d5b56

                  Download Submit

                • C:\Users\Admin\Desktop\PROLoader.exe
                  Filesize

                  492KB

                  MD5

                  7166b548771cc27b22229d7172aeb1b0

                  SHA1

                  1a213576eddddb0e96598261b8e6d09b8068fa0d

                  SHA256

                  5ae1ec9752d0d1135903a33479a429c016e1b0d9de42a17ae92f89249c90337f

                  SHA512

                  74662005e86a120ce731b749a1cb886018690d1c2919b47f213926d72bffff9b2c63588aeb7abe036017f2b1d229367b901cb08761bfab511a4b63e73c3145b5

                  Download Submit

                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  Filesize

                  221KB

                  MD5

                  c6980ba499b45f3935b7bf04de03cf4f

                  SHA1

                  8916564f43715b15688ab9344c97843361ead99b

                  SHA256

                  e41940e10aa03835cb0ae6854f2cd93cca928a57a9ff51e46954a3eb309a4dc7

                  SHA512

                  a3578b1b835f8dd0ce9a934b46da4f8df473ad7b9a969eb0ea691a699301a7c31b81befdf7251bbabfe0aa7a8467f42d2528dfd1724459a3122640ae2a09f7f2

                  Download Submit

                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  Filesize

                  9KB

                  MD5

                  fc3fe046b6eeb6ac4f413cc6e2f3a3bb

                  SHA1

                  71dcef92cede78dea1b0971f2737d803f94c47f1

                  SHA256

                  7bbbe93b84a3d08ee0ef31fbf86ceedafed2f3da0a8c1e35e1a39822c2a331d6

                  SHA512

                  7aff795bd1ade8f1a44154fb9a49bf471a129314275629ae18c8d906030700ef0fa77bb1e3ce3ccb769f72acb08b27b4b7b21af172353abb690e87d4475ecafd

                  Download Submit

                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  Filesize

                  34KB

                  MD5

                  4179d0a6822260bf3e84a8d90ecda8c9

                  SHA1

                  eacfc5792d7ed9db3a732918b56d97d69cfd0a48

                  SHA256

                  00e7ec07ed1eb17159029388ef81dad7fc2b0b45598d8ccbfaea8e85b8abd63a

                  SHA512

                  0462726b62535aa7099e561330a8f4cec3e446a48453ec40feac9132487b9db05e02ee8c848e3a9c47096d27ba39b58ce5c42dbfc5d5c92941ac98007f381beb

                  Download Submit

                • C:\Users\Admin\Desktop\RuntimeBroker.exe
                  Filesize

                  41KB

                  MD5

                  c0fc461085a61fd1bb0c5bbfc3153b9e

                  SHA1

                  96c79d857a6a431693b4755f201da3bfc3b7865e

                  SHA256

                  b41d6eb32aa5e13aa17a088b2ee96bdf12046efca5aa1f3c90277485a3bd1894

                  SHA512

                  bfc3992cdd85f01d9c6409cba8b049aa362ee3db7ad88a56abf0e1d713339f18d6843924589c3991b5273b9ae1893eebcc1a3068f941c34219f464e6bc1507aa

                  Download Submit

                • C:\Users\Admin\Desktop\dnlib.dll
                  Filesize

                  1.1MB

                  MD5

                  20e4287af743cd81d39079eac2b890fb

                  SHA1

                  74547ae2277a769b60fa1b9f508791a7dd205137

                  SHA256

                  1e47cd53cde93403b8ba9fea45f7da35a7dc97fa166a39b220eaeeb9cb4212f5

                  SHA512

                  7932d8a8fd437d85e9e4fdb820327df1e0e065d287626b681cb1b4ccc10bebc35037fc21113c54430ed908d10e5785e5e3c34d590bba6701ae39e19490c2c499

                  Download Submit

                • C:\shell.txt
                  Filesize

                  1KB

                  MD5

                  867da14ba1fdd3ecb78eeec3c6715e53

                  SHA1

                  cfa1c8f760d1a0064ab2bbe585a42e1c6a2a9856

                  SHA256

                  1d7addea68b9b3689c5686f619f63fbd7bdb62fc6577f3cc8f5e2d9191ab326f

                  SHA512

                  3932739c2f58e4730d62f98c1fa7596bcfa4124edf3b43d0e3fd3cffb378d5d733ff38e00f0a6269b3011d7967138cc8c14610c258b966b8e318e22a04484461

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\rordxo0g\rordxo0g.0.cs
                  Filesize

                  12KB

                  MD5

                  7e553885b25f681ecd110c094d5c4a5f

                  SHA1

                  fa14274a2a75eac3f2c2fddc6a7ab36cf33ea395

                  SHA256

                  0badcfbf9acf6112fbf465a67553fe9fe08217d449eac970ee5618b41a1294e6

                  SHA512

                  2719d23d924704846e8be6ad8375b123c61cd49b21236e08f8fc212b4f25c6fb7abe63088a8a49a5c55cfcd5a3e920a466c99c8169e6638afb627d4ae9d2f919

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\rordxo0g\rordxo0g.cmdline
                  Filesize

                  330B

                  MD5

                  b65cd072cfec1f49af485ccf3b6fb7e3

                  SHA1

                  399cc80a6756f4f3e492982ed8df740afd507acb

                  SHA256

                  353a05e7f4b1df440e2fd2bb0007042d5808883c198e2d4108ae812e8e5047da

                  SHA512

                  12fee24c15698da1c6752b3fa1db66324887a871c390ed84179872ec0c7753c9dbc825d688784cd99aea1a5c7e426a15dec195921737d474a3cc4655478b3542

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\xwcclnu2\xwcclnu2.0.cs
                  Filesize

                  183KB

                  MD5

                  f67ef2078a71f1e68b8e2e59635f0de1

                  SHA1

                  d32621621421e7d17cbb2012ed004bba8ca2790f

                  SHA256

                  e72f929d5c7a6b5f77c9bbfcb12b1ba5841a7b615bd60bdadbfbd1e5a173289f

                  SHA512

                  4aef1ded771b0ebf447e9246b2326a27216398e9561a643c52be5d40244b35c082c67bb4db2067865e48190cba0f20cf4166272e854f9b8bb73dd57c47ce342a

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\xwcclnu2\xwcclnu2.cmdline
                  Filesize

                  235B

                  MD5

                  7e9b16dc78a2352e0f571515cd7df328

                  SHA1

                  80df374c1cbef28537843e0a54e30c283550e4ae

                  SHA256

                  04c85955881ba3a1ee1c649ca6eec980ba5169c5055f57e3b46fd23fe4713173

                  SHA512

                  a3114bfae018ba88c793b8651e2c1e6ef57564199082f56d6730b098140eceac9d2892c9902777e9403b9655914f09e9ec529cabb82be2fbe6e7cf314c17dcba

                  Download Submit

                • \??\c:\Users\Admin\Desktop\CSC5E843DA9DD7F46698592564C34FF59C.TMP
                  Filesize

                  1KB

                  MD5

                  8cb2d1f69e2730b5de634f6b6c12005f

                  SHA1

                  1f9496195f09f58a4e382994717a5da34086d770

                  SHA256

                  f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea

                  SHA512

                  d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda

                  Download Submit

                • memory/956-107-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-105-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-116-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-115-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-117-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-111-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-112-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-113-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-114-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/956-106-0x0000013058290000-0x0000013058291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1588-102-0x000002179F2B0000-0x000002179F2B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1760-98-0x0000000000220000-0x000000000022E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/1760-99-0x000000001BEC0000-0x000000001BED8000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/5456-49-0x00007FFE07130000-0x00007FFE07BF1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5456-47-0x00000000006A0000-0x0000000000722000-memory.dmp

                  Filesize

                  520KB

                  Download

                • memory/5456-48-0x00007FFE07130000-0x00007FFE07BF1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5456-69-0x0000000020D10000-0x0000000020E36000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/5456-50-0x00007FFE07130000-0x00007FFE07BF1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5456-51-0x00007FFE07133000-0x00007FFE07135000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/5456-52-0x00007FFE07130000-0x00007FFE07BF1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5456-53-0x00007FFE07130000-0x00007FFE07BF1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5456-46-0x00007FFE07133000-0x00007FFE07135000-memory.dmp

                  Filesize

                  8KB

                  Download