xworm | 805e0ca3893a53aa5086b2f0ea2ab4f49a6d60efc575836e93c8f70035740d1b

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_2031.exe
Size

816KB
MD5

1817e46e5a422e9132a04db8fec73a0c
SHA1

31c2f9de7b5b05cc322512fd9beadd7c7e525f6d
SHA256

60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054
SHA512

b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712
SSDEEP

12288:oWmaQfFJeDYFPQC1nOw6/iZyubeDmFiFVVfHVpNtrjb+Vf7SJo7lfELkNCCtPzMI:NTCfJnGbDwKNd8H

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

severdops.ddns.net:7021

Mutex

eQLeuanC5v31k1hC

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 1 IoCs

pid	Process
1420	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	IMG_2031.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 1512	1420	svchost.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
672	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
572	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2040	IMG_2031.exe
1420	svchost.exe
1420	svchost.exe
1420	svchost.exe
1420	svchost.exe
1420	svchost.exe
1420	svchost.exe
1420	svchost.exe
1420	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	IMG_2031.exe
Token: SeDebugPrivilege	1420	svchost.exe
Token: SeDebugPrivilege	1512	AddInProcess32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 856	2040	IMG_2031.exe	28
PID 2040 wrote to memory of 856	2040	IMG_2031.exe	28
PID 2040 wrote to memory of 856	2040	IMG_2031.exe	28
PID 2040 wrote to memory of 1292	2040	IMG_2031.exe	30
PID 2040 wrote to memory of 1292	2040	IMG_2031.exe	30
PID 2040 wrote to memory of 1292	2040	IMG_2031.exe	30
PID 856 wrote to memory of 672	856	cmd.exe	32
PID 856 wrote to memory of 672	856	cmd.exe	32
PID 856 wrote to memory of 672	856	cmd.exe	32
PID 1292 wrote to memory of 572	1292	cmd.exe	33
PID 1292 wrote to memory of 572	1292	cmd.exe	33
PID 1292 wrote to memory of 572	1292	cmd.exe	33
PID 1292 wrote to memory of 1420	1292	cmd.exe	34
PID 1292 wrote to memory of 1420	1292	cmd.exe	34
PID 1292 wrote to memory of 1420	1292	cmd.exe	34
PID 1420 wrote to memory of 1716	1420	svchost.exe	35
PID 1420 wrote to memory of 1716	1420	svchost.exe	35
PID 1420 wrote to memory of 1716	1420	svchost.exe	35
PID 1420 wrote to memory of 1720	1420	svchost.exe	36
PID 1420 wrote to memory of 1720	1420	svchost.exe	36
PID 1420 wrote to memory of 1720	1420	svchost.exe	36
PID 1420 wrote to memory of 880	1420	svchost.exe	37
PID 1420 wrote to memory of 880	1420	svchost.exe	37
PID 1420 wrote to memory of 880	1420	svchost.exe	37
PID 1420 wrote to memory of 1572	1420	svchost.exe	38
PID 1420 wrote to memory of 1572	1420	svchost.exe	38
PID 1420 wrote to memory of 1572	1420	svchost.exe	38
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39
PID 1420 wrote to memory of 1512	1420	svchost.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\IMG_2031.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_2031.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:672
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:572
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      4⤵
      PID:1716
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
      4⤵
      PID:1720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
      4⤵
      PID:880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      4⤵
      PID:1572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp.bat

Filesize
150B

MD5
f15b5bebb27cef0bb80a8c6832273047

SHA1
5bab1cf4783b45a93d58d8bb7f4eb1ff13a93741

SHA256
c6768de3f6e9c79285e754168b34931ff1e20a43a3e683868fa66864cf0d23d5

SHA512
076ac43b4a2e91b0cf7c12b7391cb0c2ba1455a65111e613be724661beba623e24eff8411255b599b8229bdfecb23f19b837b2842a567be068fa38a01ff11b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp.bat

Filesize
150B

MD5
f15b5bebb27cef0bb80a8c6832273047

SHA1
5bab1cf4783b45a93d58d8bb7f4eb1ff13a93741

SHA256
c6768de3f6e9c79285e754168b34931ff1e20a43a3e683868fa66864cf0d23d5

SHA512
076ac43b4a2e91b0cf7c12b7391cb0c2ba1455a65111e613be724661beba623e24eff8411255b599b8229bdfecb23f19b837b2842a567be068fa38a01ff11b98

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
816KB

MD5
1817e46e5a422e9132a04db8fec73a0c

SHA1
31c2f9de7b5b05cc322512fd9beadd7c7e525f6d

SHA256
60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054

SHA512
b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
816KB

MD5
1817e46e5a422e9132a04db8fec73a0c

SHA1
31c2f9de7b5b05cc322512fd9beadd7c7e525f6d

SHA256
60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054

SHA512
b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
816KB

MD5
1817e46e5a422e9132a04db8fec73a0c

SHA1
31c2f9de7b5b05cc322512fd9beadd7c7e525f6d

SHA256
60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054

SHA512
b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712

Download Submit
memory/1420-70-0x0000000000BD0000-0x0000000000CA0000-memory.dmp

Filesize
832KB

Download
memory/1420-71-0x00000000020E0000-0x0000000002160000-memory.dmp

Filesize
512KB

Download
memory/1512-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-77-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/1512-78-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/2040-56-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2040-55-0x0000000000AB0000-0x0000000000AFE000-memory.dmp

Filesize
312KB

Download
memory/2040-54-0x0000000000D00000-0x0000000000DD0000-memory.dmp

Filesize
832KB

Download