Overview

overview

10

Static

static

3

XWormV1.exe

windows7-x64

10

XWormV1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    3s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2025, 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWormV1.exe

  • Size

    24.2MB

  • MD5

    bc5fc4fd462fe1ec684c0c3c3a3de207

  • SHA1

    313f3016ac5a1d33119982840720686e1fc15f8d

  • SHA256

    31953c0ae524543f4b060884679afd72809f2aaa11eeee8f65784da34743a752

  • SHA512

    31c282d8921ebf2f0934bc3d3197b9e335cb4589dcf617d75611dcd9d5b83bee6a9ed85a3a8e3407066500acc2a63d34ccbd2488a4dd1977dc8ce1d297a3fb55

  • SSDEEP

    393216:vA/nTrrqc1NTlXs515TosgE9AASto57QBLuRzEqtn9dbmM6Z1u3I2ZL4:v+nTLvXsf5TxRzWolTtn99z6ZsI254

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5444

away-operates.gl.at.ply.gg:5444

middle-regards.gl.at.ply.gg:5444

127.0.0.1:38506

away-operates.gl.at.ply.gg:38506
Attributes
  • Install_directory

    %Temp%

  • install_file

    windows.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWormV1.exe
    "C:\Users\Admin\AppData\Local\Temp\XWormV1.exe"
    1⤵
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\windows.exe
        "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        2⤵
          PID:2196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\windows.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'windows.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\windows.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'windows.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:544
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "windows" /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2024
        • C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
          "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
          2⤵
            PID:2204
            • C:\Users\Admin\AppData\Local\Temp\3tb.exe
              "C:\Users\Admin\AppData\Local\Temp\3tb.exe"
              3⤵
                PID:2468
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3tb.exe'
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2004
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3tb.exe'
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2016
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c.exe'
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:644
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c.exe'
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2112
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "c" /tr "C:\Users\Admin\AppData\Local\Temp\c.exe"
                  4⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2320

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3tb.exe
            Filesize

            71KB

            MD5

            d339041a29a574dda9caca8ec4579a2b

            SHA1

            449d902891497caa2b7e74b0041af78f19b92849

            SHA256

            5389fb6c78fa44247f1e8d44705823eeffd672ef90bbdbb20046bb35457bc8f9

            SHA512

            feeacb60e92d7a63ee2183676c7a94f3f4a45cd21963245a2bf81b204f7525381a3a08b1ef9bc13f9863e5f5345a0d4f90f0f28ba7cd427643fe967898315af3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
            Filesize

            8.2MB

            MD5

            a50ff719eb272e69d1aa657468a1f345

            SHA1

            9915b8b395a422956a8b0a9a345395c4543d0390

            SHA256

            b4e880b2866a39494c32e5d6f1522b02aaa12b8c3a2c2f49bf907218cf66a220

            SHA512

            44bb83c9931ae675cf0eb01b9e9902c6b0d9b500e87cd7629bfcf7db9558d31d9ddc276a2d84a27a23b442ea916324cd3a8922bc27195573f04f2a6a379e0ecf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
            Filesize

            8.4MB

            MD5

            4b45b47fe7c71a5b179b0ead848241b4

            SHA1

            657bd3f126d42a5b3531fa8f3f91b8b5b67f6b3b

            SHA256

            8637ff3a5816087086a5209d19ccc21edc12b88e5c4ed4fa6459355bcac39d0b

            SHA512

            939d0927f1bf156170807b9d624faf4a62d97d0bfcc41343bd59a569b34cedff438d3268674a37f03f9b4228cd39b79646d74a90fdce04fc932c8cfd836a8397

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\windows.exe
            Filesize

            80KB

            MD5

            037291fab927f4d5bb6e9e981209736c

            SHA1

            966de581ea43b6d4a5cebd8c5eab45d48ced3403

            SHA256

            cca9480890c3c867a76a23d730d2340360a5a0541a3a77fea1c216c5a779a434

            SHA512

            37353cb80de0426b0f5c6689f962cf06b679bbbed1aae443f5168aab489e4da4e983ba5f473e8d0151863981bce61f957ebc3df4294437624d0b26377a9683b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            681343ec59fef2d2034098554b888cb1

            SHA1

            dba16c902662bcc783f1ef796a59cc87f560134f

            SHA256

            4b65e0f04d1886890f59363471a8cb87d3b70c6da93800bd67943b3801d01a19

            SHA512

            c3f556c9b0fc5b2235fb69032e1eec46e4444ed2382ff53d917678f16545f9a0303ff6200d22a61ca169804813fb0b9f54fcf5354c558921a5485c4884d956f7

            Download Submit

          • memory/2196-8-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2196-7-0x00000000013A0000-0x00000000013BA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2196-56-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2204-14-0x0000000000010000-0x0000000001814000-memory.dmp

            Filesize

            24.0MB

            Download

          • memory/2468-20-0x0000000000C70000-0x0000000000C88000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2480-1-0x0000000000AF0000-0x0000000002326000-memory.dmp

            Filesize

            24.2MB

            Download

          • memory/2480-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2832-25-0x000000001B6A0000-0x000000001B982000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2832-26-0x0000000002340000-0x0000000002348000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2968-33-0x00000000022A0000-0x00000000022A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2968-32-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

            Filesize

            2.9MB

            Download