Overview

overview

10

Static

static

10

Startup.exe

windows7-x64

10

Startup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    5s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2025, 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Startup.exe

  • Size

    41KB

  • MD5

    5e70c383a38d3ecc7d779bc76e61753f

  • SHA1

    4d94fe4fc00e52703fbe15d18e85998f6a92e053

  • SHA256

    bb3d1286bb2b5bc25e0818fca4a7d4f18e0a818cf543dd7819ca99937f7966df

  • SHA512

    17436a0501449867f1f0482357ac5a7c8cc706b69ddb11ed26ba68153aabb027bd7fc78ba6731378c72777acca0ef4199c5f3049b06472dd49a930909729771c

  • SSDEEP

    768:TcAz60wqEL3OixHL1s7LZy69wF19j5Q6EO9h0LV:TcAz60K/xHLG7LZaF19j5Q6EO9EV

Score
10/10
xwormcredential_accessexecutionratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

DkTNOCQ3zN28Lubg

Attributes
  • Install_directory

    %AppData%

  • install_file

    Startup.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Startup.exe
    "C:\Users\Admin\AppData\Local\Temp\Startup.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Startup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Startup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Startup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    e53229b6f0d50a4e5bb831617f93cdab

    SHA1

    6b772defb26f9cbe2be71ddf79c2af069889fcab

    SHA256

    d3117e32e40919fdbbad2384f7019b46700c3c4ef8eebdc04734a98c5d85b04a

    SHA512

    1457c68ef8e2c3309923ba60d0991fa6d816242ad06a81186352b38f493245a0f1f771b399cc63246ab4878f52c0c0454dc710dcfd17c2af3ce0feb6249fb928

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Startup.exe
    Filesize

    41KB

    MD5

    5e70c383a38d3ecc7d779bc76e61753f

    SHA1

    4d94fe4fc00e52703fbe15d18e85998f6a92e053

    SHA256

    bb3d1286bb2b5bc25e0818fca4a7d4f18e0a818cf543dd7819ca99937f7966df

    SHA512

    17436a0501449867f1f0482357ac5a7c8cc706b69ddb11ed26ba68153aabb027bd7fc78ba6731378c72777acca0ef4199c5f3049b06472dd49a930909729771c

    Download Submit

  • memory/2492-6-0x00000000026F0000-0x0000000002770000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2492-7-0x000000001B2B0000-0x000000001B592000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2492-8-0x0000000002420000-0x0000000002428000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2796-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2796-1-0x0000000000370000-0x0000000000380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2796-39-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-14-0x000000001B360000-0x000000001B642000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2896-15-0x0000000002270000-0x0000000002278000-memory.dmp

    Filesize

    32KB

    Download