xworm | 1c90851dce5ace39a0926588f0034e99d3bae32dea2578b68bdb1add7c9508e1

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nanocore.exe
Size

1.5MB
MD5

18cc0a0c22f147a3e4bf9c55777b4f22
SHA1

f0b3b4fd6287b463055ddd9fe75b528559feaef7
SHA256

1c90851dce5ace39a0926588f0034e99d3bae32dea2578b68bdb1add7c9508e1
SHA512

efc01522d816d7a770c4e7a379caf00b81a43f24db313dcc3cd1ec5c32117dce4b4ebba2f1db210abb6dc659e18b3a74045f584f413dd620e0e83a6dea45b47e
SSDEEP

24576:yKWAN/6zZxEhXMV6ISdu+0TVc4SEltlYKwIPapqBwKYp9cHD2iYUdhwB/QqWJXpF:yhAN/6z3E9MV6ISdulTVcQ0IlYLcHD9v

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

considered-arrest.at.ply.gg:19159

Attributes

install_file
USB.exe

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nanocore.exeWindows Defender.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Nanocore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Windows Defender.exe

Drops startup file 2 IoCs

Processes:

Windows Defender.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	Windows Defender.exe

Executes dropped EXE 4 IoCs

Processes:

NanoCore.exeWindows Defender.exeWindows Defender.exeWindows Defender.exe

pid process

5112 NanoCore.exe
1248 Windows Defender.exe
3812 Windows Defender.exe
3312 Windows Defender.exe

pid	process
5112	NanoCore.exe
1248	Windows Defender.exe
3812	Windows Defender.exe
3312	Windows Defender.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Defender.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe"	Windows Defender.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
29	ip-api.com

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3472 schtasks.exe

pid	process
3472	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Defender.exe

pid process

1248 Windows Defender.exe

pid	process
1248	Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Windows Defender.exeNanoCore.exedw20.exeWindows Defender.exeWindows Defender.exe

description	pid	process
Token: SeDebugPrivilege	1248	Windows Defender.exe
Token: SeDebugPrivilege	5112	NanoCore.exe
Token: SeRestorePrivilege	4588	dw20.exe
Token: SeBackupPrivilege	4588	dw20.exe
Token: SeBackupPrivilege	4588	dw20.exe
Token: SeBackupPrivilege	4588	dw20.exe
Token: SeBackupPrivilege	4588	dw20.exe
Token: SeDebugPrivilege	1248	Windows Defender.exe
Token: SeDebugPrivilege	3812	Windows Defender.exe
Token: SeDebugPrivilege	3312	Windows Defender.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender.exe

pid process

1248 Windows Defender.exe

pid	process
1248	Windows Defender.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Nanocore.exeNanoCore.exeWindows Defender.exe

description	pid	process	target process
PID 1424 wrote to memory of 5112	1424	Nanocore.exe	NanoCore.exe
PID 1424 wrote to memory of 5112	1424	Nanocore.exe	NanoCore.exe
PID 1424 wrote to memory of 5112	1424	Nanocore.exe	NanoCore.exe
PID 1424 wrote to memory of 1248	1424	Nanocore.exe	Windows Defender.exe
PID 1424 wrote to memory of 1248	1424	Nanocore.exe	Windows Defender.exe
PID 5112 wrote to memory of 4588	5112	NanoCore.exe	dw20.exe
PID 5112 wrote to memory of 4588	5112	NanoCore.exe	dw20.exe
PID 5112 wrote to memory of 4588	5112	NanoCore.exe	dw20.exe
PID 1248 wrote to memory of 3472	1248	Windows Defender.exe	schtasks.exe
PID 1248 wrote to memory of 3472	1248	Windows Defender.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nanocore.exe
"C:\Users\Admin\AppData\Local\Temp\Nanocore.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Roaming\NanoCore.exe
"C:\Users\Admin\AppData\Roaming\NanoCore.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1168
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Users\Admin\AppData\Roaming\Windows Defender.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
3⤵
- Creates scheduled task(s)
PID:3472

C:\Users\Admin\AppData\Roaming\Windows Defender.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Users\Admin\AppData\Roaming\Windows Defender.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\NanoCore.exe
Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Roaming\NanoCore.exe
Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Roaming\NanoCore.exe
Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
67KB

MD5
404dee8c8fe0b8c25ac39f60960dcbf0

SHA1
078b5427a3c29a2f410f0e09f667389ad630ed60

SHA256
90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7

SHA512
9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
67KB

MD5
404dee8c8fe0b8c25ac39f60960dcbf0

SHA1
078b5427a3c29a2f410f0e09f667389ad630ed60

SHA256
90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7

SHA512
9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
67KB

MD5
404dee8c8fe0b8c25ac39f60960dcbf0

SHA1
078b5427a3c29a2f410f0e09f667389ad630ed60

SHA256
90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7

SHA512
9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
67KB

MD5
404dee8c8fe0b8c25ac39f60960dcbf0

SHA1
078b5427a3c29a2f410f0e09f667389ad630ed60

SHA256
90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7

SHA512
9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
67KB

MD5
404dee8c8fe0b8c25ac39f60960dcbf0

SHA1
078b5427a3c29a2f410f0e09f667389ad630ed60

SHA256
90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7

SHA512
9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e

Download Submit
memory/1248-169-0x000000001C9D0000-0x000000001C9E0000-memory.dmp

Filesize
64KB

Download
memory/1248-167-0x000000001C9D0000-0x000000001C9E0000-memory.dmp

Filesize
64KB

Download
memory/1248-156-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/1424-133-0x00000000009B0000-0x0000000000B2E000-memory.dmp

Filesize
1.5MB

Download
memory/5112-166-0x00000000013E0000-0x00000000013F0000-memory.dmp

Filesize
64KB

Download
memory/5112-159-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/5112-158-0x00000000013E0000-0x00000000013F0000-memory.dmp

Filesize
64KB

Download