Overview

overview

10

Static

static

10

XWorm.exe

windows7-x64

10

XWorm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2023, 22:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm.exe

  • Size

    42KB

  • MD5

    d5ce1eaefcb5a261a924a376ad1e91ae

  • SHA1

    3b1eea344009649c1ffe46d0fa8e0fc63aa38d67

  • SHA256

    5a8f9cca13b5eea8f7780c52ab794184586bd89820652da8af425fa6b2bafb83

  • SHA512

    f332e616d821a6f47ff89c235a8bd75b7d49072cca162a71ae0808f533dc9e6be11650689197308cde8cf8c2c5cd7bb65674cb2be5812cca686fb97ee7b873ed

  • SSDEEP

    768:qHbArjN0WFd8owTxxuCIF9G3RcWZ1ryB:ZnZgd0F9Oc+S

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

even-lat.at.ply.gg:21969

Mutex

cUPbD1pIGdKtWtmq

Attributes
  • install_file

    hacked.exe

aes.plain

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3204
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WriteRestore.asf"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4808
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.0.856924376\1878002985" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dda14e6e-9204-40cd-98e0-9129d4ea981d} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1916 1ec56780a58 gpu
        3⤵
          PID:4824
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.1.801887694\588942876" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a34700a-966b-4f25-9e94-4b3f9d1304ca} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 2316 1ec48872858 socket
          3⤵
            PID:3060
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.2.1119482789\1183355410" -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3432 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b507851a-f28c-4ff5-bc20-4ec6bd93aed7} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3224 1ec59526b58 tab
            3⤵
              PID:1888
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.3.121257174\1926439232" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3716 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f21f8f1-8f21-43bf-90d6-cc3d334a6782} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3648 1ec48871c58 tab
              3⤵
                PID:3604
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.4.1137080186\1421145989" -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 4260 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3a8864e-6b2b-4bdd-b9df-71d3abedbce2} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 4276 1ec5a557c58 tab
                3⤵
                  PID:5072
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.5.1236631051\90357629" -childID 4 -isForBrowser -prefsHandle 4640 -prefMapHandle 4604 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c14b9d8-55a8-41c0-8894-aaddfa380372} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 4648 1ec5b1e4858 tab
                  3⤵
                    PID:1776
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.6.492449543\174409877" -childID 5 -isForBrowser -prefsHandle 2936 -prefMapHandle 2984 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c697b64-fc8a-48d6-be2f-753dcaece143} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 2988 1ec4882fc58 tab
                    3⤵
                      PID:904
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.7.235237845\215295754" -childID 6 -isForBrowser -prefsHandle 3692 -prefMapHandle 3796 -prefsLen 27003 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa3adf6-e868-48a5-bcc9-ff1a374c297a} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3752 1ec59430b58 tab
                      3⤵
                        PID:4876
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.8.1972627626\2036232078" -childID 7 -isForBrowser -prefsHandle 3160 -prefMapHandle 1460 -prefsLen 27003 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40affdfd-435b-461f-bb76-3b53a118aa23} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3816 1ec5bafde58 tab
                        3⤵
                          PID:2976
                    • C:\Windows\system32\werfault.exe
                      werfault.exe /h /shared Global\b467bc0a79544425a45e9c2210516311 /t 3344 /p 4248
                      1⤵
                        PID:1140

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
                              Filesize

                              153KB

                              MD5

                              2f3b54c793a79fc1c5b10cfe5e384676

                              SHA1

                              be81cb8e128592968ac982d579bf973decd03725

                              SHA256

                              b2f777cf21f4ed8ce2873b501fadafb46a5e3062bb6ce7e2543ab2bc2d8e8bdb

                              SHA512

                              ed79869b8b4d30a447e9daae4c4b613640f48873b7ea2b657f3660eff3fd2e184e87ba0a0d2d63be797db0fa8f55a468a5864288b320de8e7bd5357fc9858616

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              9099ccadb0103b5895d58644d6477c1a

                              SHA1

                              a88ff30f34fe42f1d5f9b31b50ab7f4d35674fdc

                              SHA256

                              cfbdb3605bc71f5218289c394d515ad526ef85da2076b3d49ac6ecc9627a7187

                              SHA512

                              52b51a175b089baf9a5b2632255f2dba12dfa1efb4b0814cc4d14283f20c32e61011301f0bda4e0c545b8022252f382335bea0f1447311a114f6a0ab543bef1a

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              52f315341aac1b35afeef30c79da3165

                              SHA1

                              7d803cfba9cdbd72e140e3213d44c04fa32ebdc0

                              SHA256

                              fd1e9ffe0e1ad58f32c8f632076459976253ae4f0b92254f47b0844ffe10e2ba

                              SHA512

                              b01c3e7879b773c6a089b7be0e08ffb595e566cdbaef568f75121628961d7ffaa7233b205e0503424d343ea055aa36e258137fba6740f41bf993f472e38d4da9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              764618f161d8dede4957dc142d3f2671

                              SHA1

                              8b2198cc5815dbbb3fd66b02078fdb0b4e63ea9e

                              SHA256

                              f8e30d0380f11543b899f240996168f06e66a0e30c8cc3501923341f5366ef1c

                              SHA512

                              734924d0b934d5c8944ffc8c44ca38ef1ae04ab5891ae3ef850446c5f934fd70d2834ac06420b5672db07ddc4559af116866613cf6897e9b2810ce327a98f5df

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
                              Filesize

                              6KB

                              MD5

                              1984b45f201f1fd79d2154406648433b

                              SHA1

                              42f082dc6d4d43333688690bf4dfa7c7f8b618ab

                              SHA256

                              000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

                              SHA512

                              e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              98cbdf8f3623b9e490267dc5e84afcdb

                              SHA1

                              9bc42cee34d36fcd1e96376b1cb665ae063d5746

                              SHA256

                              0fee3a7618e80c62383ac4fdb4686baf8c2a5045240297470f1b4b11782b4b47

                              SHA512

                              eadf4cb8b60b27dd3dd98d1bd50525fbac6199d16394f315bcc38dec4590eee1cf6b6642097ad59acdb9c8bfa35069442e797051ec01de2156df2f5de65f4cc9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
                              Filesize

                              78B

                              MD5

                              a2a711e965237c7e1befad2cc612cf5c

                              SHA1

                              b5c750c01f2fb405d769d970c8756533b677f303

                              SHA256

                              862cd51da4e75aad3843c0661135f93dcebfc6613eb7967411a8621bd572341b

                              SHA512

                              d1e9480cc6aa21761e5886509806b564d4787b0d85b33a28d85fec6a541ef1c12f9d53de3e41cae7c6403b07c5626abef7b04ba82710ba39cac458f7d47fc04e

                              Download Submit

                            • memory/3204-133-0x0000000000530000-0x0000000000540000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4808-166-0x00007FFC3DB20000-0x00007FFC3DB54000-memory.dmp

                              Filesize

                              208KB

                              Download

                            • memory/4808-169-0x00007FFC3B140000-0x00007FFC3B252000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/4808-168-0x000001F05F930000-0x000001F0609DB000-memory.dmp

                              Filesize

                              16.7MB

                              Download

                            • memory/4808-167-0x00007FFC3D860000-0x00007FFC3DB14000-memory.dmp

                              Filesize

                              2.7MB

                              Download

                            • memory/4808-165-0x00007FF7FC660000-0x00007FF7FC758000-memory.dmp

                              Filesize

                              992KB

                              Download