Analysis

max time kernel: 149s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/06/2025, 17:41

Static task: static1
Behavioral task: behavioral1
Sample: SDGSD.exe
Resource: win10v2004-20250619-en
General

Target: SDGSD.exe
Size: 149KB
MD5: ee4a28f13637b0f90a1865366fae40ae
SHA1: ab5cd40ef781545f856c17e99a56f75eb313ac72
SHA256: 8e36d4f98a882487bedbedf73cbb010f793c7bb529d133a58673a14850198f9f
SHA512: 21956de80b478993ec01bdbe9094246c071ada646bf7a79363aa9be248f5b9e6b59b5e945f09d8f3747ce1afefdfc9b38f54f8edad2d20ddd8138eec2eb19c8d
SSDEEP: 3072:aQSkxWigJ7HcGU+6py9QzsMUKM8/TvzcI8ZuX1Kc:aKWigFHcX+ay6zsej/TvY
Malware Config

Extracted: xworm
Install_directory: %AppData%
install_file: XWormClient.exe
Signatures

Detect Xworm Payload (1 IoC)
resource | yara_rule
behavioral2/memory/1324-7-0x0000000000400000-0x0000000000418000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5056 | powershell.exe
3040 | powershell.exe
5148 | powershell.exe
4628 | powershell.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWormClient.lnk | SDGSD.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWormClient.lnk | SDGSD.exe

Loads dropped DLL (1 IoC)
pid | Process
1324 | SDGSD.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other stored data.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SDGSD.exe
Key opened | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SDGSD.exe
Key opened | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SDGSD.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 5708 set thread context of 1324 | 5708 | SDGSD.exe | 78

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe (4 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SDGSD.exe (2 entries)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
4628 | powershell.exe (2 entries)
5056 | powershell.exe (2 entries)
3040 | powershell.exe (2 entries)
5148 | powershell.exe (2 entries)
1324 | SDGSD.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1324 | SDGSD.exe
Token: SeDebugPrivilege | 4628 | powershell.exe
Token: SeDebugPrivilege | 5056 | powershell.exe
Token: SeDebugPrivilege | 3040 | powershell.exe
Token: SeDebugPrivilege | 5148 | powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target | entries
PID 5708 wrote to memory of 1324 | 5708 | SDGSD.exe | 78 | 8
PID 1324 wrote to memory of 4628 | 1324 | SDGSD.exe | 79 | 3
PID 1324 wrote to memory of 5056 | 1324 | SDGSD.exe | 81 | 3
PID 1324 wrote to memory of 3040 | 1324 | SDGSD.exe | 83 | 3
PID 1324 wrote to memory of 5148 | 1324 | SDGSD.exe | 85 | 3

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SDGSD.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SDGSD.exe
Processes

C:\Users\Admin\AppData\Local\Temp\SDGSD.exe (PID 5708, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\SDGSD.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SDGSD.exe (PID 1324, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SDGSD.exe"
    - Drops startup file
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4628, depth 3)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SDGSD.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5056, depth 3)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SDGSD.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3040, depth 3)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XWormClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5148, depth 3)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads