xworm | ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666

Resubmissions

24-03-2023 10:46

230324-mvcmcsdg49 10

24-03-2023 10:45

230324-mte14adg46 10

Analysis

max time kernel
1061s
max time network
1584s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24-03-2023 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bot.exe
Size

63KB
MD5

762f2fc17465058d27010124bb425202
SHA1

1b6b701c9c09128886e4676c4f1e534c7db39ad9
SHA256

ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666
SHA512

329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932
SSDEEP

768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

ways-examining.at.ply.gg:18120

Attributes

install_file
USB.exe

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

Bot.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bot.lnk	Bot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bot.lnk	Bot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bot.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bot = "C:\\Users\\Admin\\AppData\\Roaming\\Bot.exe"	Bot.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1820 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Bot.exe

pid process

2756 Bot.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Bot.exe

description pid process

Token: SeDebugPrivilege 2756 Bot.exe
Token: SeDebugPrivilege 2756 Bot.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Bot.exe

pid process

2756 Bot.exe

flow	ioc
1	ip-api.com

pid	process
1820	timeout.exe

pid	process
2756	Bot.exe

description	pid	process
Token: SeDebugPrivilege	2756	Bot.exe
Token: SeDebugPrivilege	2756	Bot.exe

pid	process
2756	Bot.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Bot.execmd.exe

description	pid	process	target process
PID 2756 wrote to memory of 2436	2756	Bot.exe	cmd.exe
PID 2756 wrote to memory of 2436	2756	Bot.exe	cmd.exe
PID 2436 wrote to memory of 1820	2436	cmd.exe	timeout.exe
PID 2436 wrote to memory of 1820	2436	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Bot.exe
"C:\Users\Admin\AppData\Local\Temp\Bot.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7585.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7585.tmp.bat
Filesize
155B

MD5
9197ba64c6cf5b5027a45e2c060f0b52

SHA1
97898de3d5e26cd7abd7df8b3ebec571a7154a43

SHA256
38228b1175172da1815c0152ba44ef2c8891e8fa3fa97f15db994ce9033ec062

SHA512
ca4312a8fcfeb7d7da14ed054dfb336695e8b11ac949992033cf79a677916772e109d5309fef69b4ebe4d27d1c0daf94fe74146892edca7ffc6b116babbac18f

Download Submit
memory/2756-119-0x0000000000110000-0x0000000000126000-memory.dmp

Filesize
88KB

Download
memory/2756-120-0x000000001AEA0000-0x000000001AEB0000-memory.dmp

Filesize
64KB

Download
memory/2756-124-0x000000001AEA0000-0x000000001AEB0000-memory.dmp

Filesize
64KB

Download
memory/2756-126-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download