xworm | 271a54ee189e307b6df94afb91151aed1bfc4dff8496b5b63ff2be69c3aedda2

Analysis

max time kernel
27s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MeatSpin [Boost].exe
Size

2.3MB
MD5

b94d094193f9872a0738f5b36a2761e0
SHA1

0c3a87f8efd8b4c12e521f6b12b0942d62de786e
SHA256

271a54ee189e307b6df94afb91151aed1bfc4dff8496b5b63ff2be69c3aedda2
SHA512

1c321bb49060590cd5de5e86cafdafddd1d6efff51e23ffabba34a89944eee76db289217ef90f0a18a4d93fbacdefd16479e5151277151e630a4b39a2fa9833a
SSDEEP

49152:lSFRQJZgE5mvRR4m7oP+In/od5NVf42Pbf0J+H/4If2KzhRvsUT0QyF1KlpV15FR:lyRQJ75ORn7o2InurA2PocbfzhRkUQQD

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

classic-lovers.at.ply.gg:11647

Attributes

install_file
winlogon.exe

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 4 IoCs

pid	Process
1128	108465982759.exe
884	IEPack.exe
1196	winlogon.exe
888	winlogon.exe

Loads dropped DLL 4 IoCs

pid	Process
1496	MeatSpin [Boost].exe
1496	MeatSpin [Boost].exe
1496	MeatSpin [Boost].exe
884	IEPack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
804	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1196	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1196	winlogon.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	winlogon.exe
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: SeDebugPrivilege	888	winlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1196	winlogon.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1128	1496	MeatSpin [Boost].exe	28
PID 1496 wrote to memory of 1128	1496	MeatSpin [Boost].exe	28
PID 1496 wrote to memory of 1128	1496	MeatSpin [Boost].exe	28
PID 1496 wrote to memory of 1128	1496	MeatSpin [Boost].exe	28
PID 1496 wrote to memory of 884	1496	MeatSpin [Boost].exe	29
PID 1496 wrote to memory of 884	1496	MeatSpin [Boost].exe	29
PID 1496 wrote to memory of 884	1496	MeatSpin [Boost].exe	29
PID 1496 wrote to memory of 884	1496	MeatSpin [Boost].exe	29
PID 884 wrote to memory of 1196	884	IEPack.exe	30
PID 884 wrote to memory of 1196	884	IEPack.exe	30
PID 884 wrote to memory of 1196	884	IEPack.exe	30
PID 884 wrote to memory of 1196	884	IEPack.exe	30
PID 884 wrote to memory of 1140	884	IEPack.exe	31
PID 884 wrote to memory of 1140	884	IEPack.exe	31
PID 884 wrote to memory of 1140	884	IEPack.exe	31
PID 884 wrote to memory of 1140	884	IEPack.exe	31
PID 1196 wrote to memory of 804	1196	winlogon.exe	35
PID 1196 wrote to memory of 804	1196	winlogon.exe	35
PID 1196 wrote to memory of 804	1196	winlogon.exe	35
PID 1564 wrote to memory of 888	1564	taskeng.exe	38
PID 1564 wrote to memory of 888	1564	taskeng.exe	38
PID 1564 wrote to memory of 888	1564	taskeng.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MeatSpin [Boost].exe
"C:\Users\Admin\AppData\Local\Temp\MeatSpin [Boost].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\108465982759.exe
  "C:\Users\Admin\AppData\Local\Temp\108465982759.exe"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\IEPack.exe
  "C:\Users\Admin\AppData\Local\Temp\IEPack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\ProgramData\winlogon.exe
    "C:\ProgramData\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"
      4⤵
      Creates scheduled task(s)
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\IEPack.exe" >> NUL
    3⤵
    PID:1140

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\taskeng.exe
taskeng.exe {329E826E-B883-493F-8818-460DB914A8C7} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\ProgramData\winlogon.exe
  C:\ProgramData\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winlogon.exe

Filesize
114KB

MD5
845e61adb6305ebee56e1aac931beadf

SHA1
7988650ac8d6fbd3aa2510be9d456b6c20cf17e5

SHA256
10250385f7f792a53c0bc98f8a1f052bd48b5b824d022e8e750460d5cdc8f7b2

SHA512
26e3c6f498627fad6e085721cca085c03ff9e5c64f2ec07e109a074875485714158115f5bce5d0a3fa11603892e1e19400905bb6d8c590d09726636751e20891

Download Submit
C:\ProgramData\winlogon.exe

Filesize
114KB

MD5
845e61adb6305ebee56e1aac931beadf

SHA1
7988650ac8d6fbd3aa2510be9d456b6c20cf17e5

SHA256
10250385f7f792a53c0bc98f8a1f052bd48b5b824d022e8e750460d5cdc8f7b2

SHA512
26e3c6f498627fad6e085721cca085c03ff9e5c64f2ec07e109a074875485714158115f5bce5d0a3fa11603892e1e19400905bb6d8c590d09726636751e20891

Download Submit
C:\ProgramData\winlogon.exe

Filesize
114KB

MD5
845e61adb6305ebee56e1aac931beadf

SHA1
7988650ac8d6fbd3aa2510be9d456b6c20cf17e5

SHA256
10250385f7f792a53c0bc98f8a1f052bd48b5b824d022e8e750460d5cdc8f7b2

SHA512
26e3c6f498627fad6e085721cca085c03ff9e5c64f2ec07e109a074875485714158115f5bce5d0a3fa11603892e1e19400905bb6d8c590d09726636751e20891

Download Submit
C:\Users\Admin\AppData\Local\Temp\108465982759.exe

Filesize
2.4MB

MD5
7fd1b8fbfd95d2781656d41294547529

SHA1
efa594f75e2d653499df2d9266f28a6de2ed85be

SHA256
8f33534fd04867c7607d980d50e9f8abfed2d70f3fdff3e5514e7cf4539a9a91

SHA512
3acab9b8e6b105538a84479fe8542a192b6dbc8f19fc89107a81dd0e2cc6b87f5ae8f49750f7eeee8dd80313ebfbeb9b9f5a7091e0c76ef91e55522ecc72d3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\108465982759.exe

Filesize
2.4MB

MD5
7fd1b8fbfd95d2781656d41294547529

SHA1
efa594f75e2d653499df2d9266f28a6de2ed85be

SHA256
8f33534fd04867c7607d980d50e9f8abfed2d70f3fdff3e5514e7cf4539a9a91

SHA512
3acab9b8e6b105538a84479fe8542a192b6dbc8f19fc89107a81dd0e2cc6b87f5ae8f49750f7eeee8dd80313ebfbeb9b9f5a7091e0c76ef91e55522ecc72d3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEPack.exe

Filesize
1.8MB

MD5
f8b797d22e11d8f34313e1bb5b019b9b

SHA1
297d38c2a92365e8aba0cea86a6abd019b06e9a6

SHA256
6570d6b0537c5f2a088d791d8edbb05982617fad8686d03f372438b3f3c132f8

SHA512
2b62252a0a940e4768abd21a3102878b69651c81482251361f4cdae02bd0718b7dafeda2a7ca4ab80f062f378560a12a76aee816c48797c0658a1d2b14dc000b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEPack.exe

Filesize
1.8MB

MD5
f8b797d22e11d8f34313e1bb5b019b9b

SHA1
297d38c2a92365e8aba0cea86a6abd019b06e9a6

SHA256
6570d6b0537c5f2a088d791d8edbb05982617fad8686d03f372438b3f3c132f8

SHA512
2b62252a0a940e4768abd21a3102878b69651c81482251361f4cdae02bd0718b7dafeda2a7ca4ab80f062f378560a12a76aee816c48797c0658a1d2b14dc000b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEPack.exe

Filesize
1.8MB

MD5
f8b797d22e11d8f34313e1bb5b019b9b

SHA1
297d38c2a92365e8aba0cea86a6abd019b06e9a6

SHA256
6570d6b0537c5f2a088d791d8edbb05982617fad8686d03f372438b3f3c132f8

SHA512
2b62252a0a940e4768abd21a3102878b69651c81482251361f4cdae02bd0718b7dafeda2a7ca4ab80f062f378560a12a76aee816c48797c0658a1d2b14dc000b

Download Submit
\ProgramData\winlogon.exe

Filesize
114KB

MD5
845e61adb6305ebee56e1aac931beadf

SHA1
7988650ac8d6fbd3aa2510be9d456b6c20cf17e5

SHA256
10250385f7f792a53c0bc98f8a1f052bd48b5b824d022e8e750460d5cdc8f7b2

SHA512
26e3c6f498627fad6e085721cca085c03ff9e5c64f2ec07e109a074875485714158115f5bce5d0a3fa11603892e1e19400905bb6d8c590d09726636751e20891

Download Submit
\Users\Admin\AppData\Local\Temp\108465982759.exe

Filesize
2.4MB

MD5
7fd1b8fbfd95d2781656d41294547529

SHA1
efa594f75e2d653499df2d9266f28a6de2ed85be

SHA256
8f33534fd04867c7607d980d50e9f8abfed2d70f3fdff3e5514e7cf4539a9a91

SHA512
3acab9b8e6b105538a84479fe8542a192b6dbc8f19fc89107a81dd0e2cc6b87f5ae8f49750f7eeee8dd80313ebfbeb9b9f5a7091e0c76ef91e55522ecc72d3f8

Download Submit
\Users\Admin\AppData\Local\Temp\IEPack.exe

Filesize
1.8MB

MD5
f8b797d22e11d8f34313e1bb5b019b9b

SHA1
297d38c2a92365e8aba0cea86a6abd019b06e9a6

SHA256
6570d6b0537c5f2a088d791d8edbb05982617fad8686d03f372438b3f3c132f8

SHA512
2b62252a0a940e4768abd21a3102878b69651c81482251361f4cdae02bd0718b7dafeda2a7ca4ab80f062f378560a12a76aee816c48797c0658a1d2b14dc000b

Download Submit
\Users\Admin\AppData\Local\Temp\IEPack.exe

Filesize
1.8MB

MD5
f8b797d22e11d8f34313e1bb5b019b9b

SHA1
297d38c2a92365e8aba0cea86a6abd019b06e9a6

SHA256
6570d6b0537c5f2a088d791d8edbb05982617fad8686d03f372438b3f3c132f8

SHA512
2b62252a0a940e4768abd21a3102878b69651c81482251361f4cdae02bd0718b7dafeda2a7ca4ab80f062f378560a12a76aee816c48797c0658a1d2b14dc000b

Download Submit
memory/1128-73-0x000000013FAD0000-0x000000013FD2E000-memory.dmp

Filesize
2.4MB

Download
memory/1128-81-0x000000001BE50000-0x000000001BED0000-memory.dmp

Filesize
512KB

Download
memory/1128-84-0x000000001BE50000-0x000000001BED0000-memory.dmp

Filesize
512KB

Download
memory/1196-79-0x00000000003D0000-0x00000000003F2000-memory.dmp

Filesize
136KB

Download
memory/1196-82-0x000000001A600000-0x000000001A680000-memory.dmp

Filesize
512KB

Download
memory/1196-85-0x000000001A6B0000-0x000000001A6BA000-memory.dmp

Filesize
40KB

Download