Overview

overview

10

Static

static

10

XWorm-RAT-...at.zip

windows7-x64

8

XWorm-RAT-...at.zip

windows10-2004-x64

8

Resubmissions

11-10-2022 21:24

221011-z85arafbal 10

11-10-2022 20:52

221011-znv7caeacq 10

Analysis

  • max time kernel
    369s
  • max time network
    348s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2022 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm-RAT-xworm-rat.zip

  • Size

    33.7MB

  • MD5

    57a2bc809b05e1912ae749c9db34071b

  • SHA1

    501c7d841e2662aa3f9c2b7e28b7a844b899a300

  • SHA256

    491e6d13ca77846445824b492df95e7294f908c568819d839eecb82ea986d608

  • SHA512

    49edc2b21433e1c132d96fa59f7dd6588d05de7ab1206bc210aa319817fb5ada49647e9f68f5dc682cac0f89d825bc4cbe97c31476bb63feeeb5e8da13e20769

  • SSDEEP

    786432:mjDPlNpEQ4AXvvAQAIHHCspkclWQe5LDQXzTnHB35TAu93biIKJ:GxDEuXHAInCsdAtfWh35TT3W/

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-xworm-rat.zip
    1⤵
      PID:932
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3620
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\" -spe -an -ai#7zMap16795:96:7zEvent28545
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3280
      • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\Win-XwormRat-V2.1-builder.exe
        "C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\Win-XwormRat-V2.1-builder.exe"
        1⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
          "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
          2⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:784
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
            3⤵
            • Creates scheduled task(s)
            PID:1852
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF1CF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF1CF.tmp.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4444
            • C:\Windows\system32\tasklist.exe
              Tasklist /fi "PID eq 784"
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2800
            • C:\Windows\system32\find.exe
              find ":"
              4⤵
                PID:4244
              • C:\Windows\system32\timeout.exe
                Timeout /T 1 /Nobreak
                4⤵
                • Delays execution with timeout.exe
                PID:3240
              • C:\Users\Static\Update.exe
                "Update.exe"
                4⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4688
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
                  5⤵
                  • Creates scheduled task(s)
                  PID:4984
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 4688 -s 2400
                  5⤵
                  • Program crash
                  PID:2144
          • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\resource\xwarm-rat-builder.exe
            "C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\resource\xwarm-rat-builder.exe"
            2⤵
            • Executes dropped EXE
            PID:4512
          • C:\Users\Admin\AppData\Local\Temp\GQ8H18VE-6NVI-CHX0-KK3H-TA4W246O\Win-XwormRat-V2.1-builder.exe
            "C:\Users\Admin\AppData\Local\Temp\GQ8H18VE-6NVI-CHX0-KK3H-TA4W246O\Win-XwormRat-V2.1-builder.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4856
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 4856 -s 1396
              3⤵
              • Program crash
              PID:2968
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 456 -p 4688 -ip 4688
          1⤵
            PID:3660
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 200 -p 4856 -ip 4856
            1⤵
              PID:3656

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Process Discovery

            1
            T1057

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Win-XwormRat-V2.1-builder.exe.log
              Filesize

              1KB

              MD5

              ef001c9a7396b37a66898e7664dd413c

              SHA1

              d21053a6563bcc49e88f8f16c0fa07f8a9b901e0

              SHA256

              e5fc32e12bcbaf588b8c4265a8679331ff1d4f0f454452c24afb34e0b19eff59

              SHA512

              348346791b277c66fc72f5f5045b662fbedb08bf4a19b685c38b5dc3b30797994840dcca643f3961122dc97f76ca0fbab8e6fad60f52c7eb11b6a0e9e5ffe886

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\GQ8H18VE-6NVI-CHX0-KK3H-TA4W246O\Win-XwormRat-V2.1-builder.exe
              Filesize

              928KB

              MD5

              3f0912415a057271df74d28140102c2b

              SHA1

              9bc6ee308cb00e4898f3730e933ccb6fa1531366

              SHA256

              6b51cfb8710886fbff64eb1482c0de89bf9075f97dd01b8474f7e60fb362d1b2

              SHA512

              9847c7a2bf6d773e8d2855c14c9266040cf9b8c05b667418eb36f9fb4c76740cbe1cd7a16d85fe04206af85e062bb7d75dd6c0fc23193f86123e24e759b6ed49

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\GQ8H18VE-6NVI-CHX0-KK3H-TA4W246O\Win-XwormRat-V2.1-builder.exe
              Filesize

              928KB

              MD5

              3f0912415a057271df74d28140102c2b

              SHA1

              9bc6ee308cb00e4898f3730e933ccb6fa1531366

              SHA256

              6b51cfb8710886fbff64eb1482c0de89bf9075f97dd01b8474f7e60fb362d1b2

              SHA512

              9847c7a2bf6d773e8d2855c14c9266040cf9b8c05b667418eb36f9fb4c76740cbe1cd7a16d85fe04206af85e062bb7d75dd6c0fc23193f86123e24e759b6ed49

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\tmpF1CF.tmp.bat
              Filesize

              194B

              MD5

              84aa3ce5179d96674809bdac13019396

              SHA1

              1fe5a8f7d0d91048d5e48778ee304534d0da3dac

              SHA256

              a1268f1d14c5025419ead8a8bf28f56a746fa6282b11fd56940ce7e671abd371

              SHA512

              508c94c199a8d70f148c0235c63120e5afbd7e1c74375f8707289031c883af09d2131ddd81750fd52c99d122737fd03ede32202c77fdbfc9bfdec3726bd9d9b7

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
              Filesize

              127KB

              MD5

              f6f686df785d0abdc66d1f90fa508c4b

              SHA1

              75f348132001df30cbad9c7cae2e2072fcaca38e

              SHA256

              61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

              SHA512

              7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
              Filesize

              127KB

              MD5

              f6f686df785d0abdc66d1f90fa508c4b

              SHA1

              75f348132001df30cbad9c7cae2e2072fcaca38e

              SHA256

              61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

              SHA512

              7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

              Download Submit
            • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\Win-XwormRat-V2.1-builder.exe
              Filesize

              928KB

              MD5

              3f0912415a057271df74d28140102c2b

              SHA1

              9bc6ee308cb00e4898f3730e933ccb6fa1531366

              SHA256

              6b51cfb8710886fbff64eb1482c0de89bf9075f97dd01b8474f7e60fb362d1b2

              SHA512

              9847c7a2bf6d773e8d2855c14c9266040cf9b8c05b667418eb36f9fb4c76740cbe1cd7a16d85fe04206af85e062bb7d75dd6c0fc23193f86123e24e759b6ed49

              Download Submit
            • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\Win-XwormRat-V2.1-builder.exe
              Filesize

              928KB

              MD5

              3f0912415a057271df74d28140102c2b

              SHA1

              9bc6ee308cb00e4898f3730e933ccb6fa1531366

              SHA256

              6b51cfb8710886fbff64eb1482c0de89bf9075f97dd01b8474f7e60fb362d1b2

              SHA512

              9847c7a2bf6d773e8d2855c14c9266040cf9b8c05b667418eb36f9fb4c76740cbe1cd7a16d85fe04206af85e062bb7d75dd6c0fc23193f86123e24e759b6ed49

              Download Submit
            • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\resource\data.dat
              Filesize

              6.5MB

              MD5

              a21db5b6e09c3ec82f048fd7f1c4bb3a

              SHA1

              e7ffb13176d60b79d0b3f60eaea641827f30df64

              SHA256

              67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

              SHA512

              7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

              Download Submit
            • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\resource\xwarm-rat-builder.exe
              Filesize

              6.5MB

              MD5

              a21db5b6e09c3ec82f048fd7f1c4bb3a

              SHA1

              e7ffb13176d60b79d0b3f60eaea641827f30df64

              SHA256

              67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

              SHA512

              7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

              Download Submit
            • C:\Users\Admin\Desktop\XWorm-RAT-xworm-rat\XWorm RAT V2.1\resource\xwarm-rat-builder.exe
              Filesize

              6.5MB

              MD5

              a21db5b6e09c3ec82f048fd7f1c4bb3a

              SHA1

              e7ffb13176d60b79d0b3f60eaea641827f30df64

              SHA256

              67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

              SHA512

              7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

              Download Submit
            • C:\Users\Static\Update.exe
              Filesize

              127KB

              MD5

              f6f686df785d0abdc66d1f90fa508c4b

              SHA1

              75f348132001df30cbad9c7cae2e2072fcaca38e

              SHA256

              61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

              SHA512

              7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

              Download Submit
            • C:\Users\Static\Update.exe
              Filesize

              127KB

              MD5

              f6f686df785d0abdc66d1f90fa508c4b

              SHA1

              75f348132001df30cbad9c7cae2e2072fcaca38e

              SHA256

              61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

              SHA512

              7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

              Download Submit
            • memory/784-135-0x0000000000000000-mapping.dmp
              Download
            • memory/784-143-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/784-156-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/784-140-0x000002508E470000-0x000002508E496000-memory.dmp
              Filesize

              152KB

              Download
            • memory/1852-146-0x0000000000000000-mapping.dmp
              Download
            • memory/2800-149-0x0000000000000000-mapping.dmp
              Download
            • memory/3220-134-0x000002C367290000-0x000002C36737E000-memory.dmp
              Filesize

              952KB

              Download
            • memory/3220-151-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3220-165-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3220-158-0x000002C369960000-0x000002C369972000-memory.dmp
              Filesize

              72KB

              Download
            • memory/3220-145-0x000002C3699D0000-0x000002C3699DA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/3220-139-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3240-152-0x0000000000000000-mapping.dmp
              Download
            • memory/4244-150-0x0000000000000000-mapping.dmp
              Download
            • memory/4444-147-0x0000000000000000-mapping.dmp
              Download
            • memory/4512-174-0x00000000060D0000-0x0000000006126000-memory.dmp
              Filesize

              344KB

              Download
            • memory/4512-141-0x0000000000000000-mapping.dmp
              Download
            • memory/4512-172-0x0000000005C70000-0x0000000005C7A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/4512-166-0x0000000005AD0000-0x0000000005B6C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/4512-159-0x0000000000B10000-0x00000000011A2000-memory.dmp
              Filesize

              6.6MB

              Download
            • memory/4512-168-0x0000000006190000-0x0000000006734000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/4512-169-0x0000000005C80000-0x0000000005D12000-memory.dmp
              Filesize

              584KB

              Download
            • memory/4688-170-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4688-157-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4688-153-0x0000000000000000-mapping.dmp
              Download
            • memory/4856-171-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4856-164-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4856-173-0x00007FFFED140000-0x00007FFFEDC01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4856-160-0x0000000000000000-mapping.dmp
              Download
            • memory/4984-167-0x0000000000000000-mapping.dmp
              Download