xworm | 0a08222072d332e6154e0715f5f121dce5acd4537a453803d7e4f3780e20a47b

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loaderexeexeexeexe.exe
Size

44KB
MD5

56a306deb7a5d6cb9d55a07dfdf5a6a5
SHA1

7690ea2d5ec1662263f0518e5de3d52aabd683ce
SHA256

0a08222072d332e6154e0715f5f121dce5acd4537a453803d7e4f3780e20a47b
SHA512

f4fd54505100d4cce35d17c9bb17bd8b7c660457b2385022a93e1e87c79e7873fd6b32a472cf50ec6ee8b07ee78d3bdf865543918b2342d0c488a6133e7b1488
SSDEEP

768:EjNVEJP+cGeI1dERNOWDRuuqMVj6h91GZB5YRmaAruAuxn:EjIJP+cGeIqRuuPM+ZB5qmB

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

okaa0-51499.portmap.host:51499

Mutex

2w3YRp5dsVzOtH2l

Attributes

install_file
explorer.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.lnk	Google.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.lnk	Google.exe

Executes dropped EXE 1 IoCs

pid	Process
472	Google.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Google.exe	Loaderexeexeexeexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2920	powershell.exe
472	Google.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	Google.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
472	Google.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2920	2800	Loaderexeexeexeexe.exe	27
PID 2800 wrote to memory of 2920	2800	Loaderexeexeexeexe.exe	27
PID 2800 wrote to memory of 2920	2800	Loaderexeexeexeexe.exe	27
PID 2800 wrote to memory of 2920	2800	Loaderexeexeexeexe.exe	27
PID 2800 wrote to memory of 472	2800	Loaderexeexeexeexe.exe	29
PID 2800 wrote to memory of 472	2800	Loaderexeexeexeexe.exe	29
PID 2800 wrote to memory of 472	2800	Loaderexeexeexeexe.exe	29
PID 2800 wrote to memory of 472	2800	Loaderexeexeexeexe.exe	29

C:\Users\Admin\AppData\Local\Temp\Loaderexeexeexeexe.exe
"C:\Users\Admin\AppData\Local\Temp\Loaderexeexeexeexe.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcgBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAagBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAdABtACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\Google.exe
  "C:\Windows\Google.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google.exe

Filesize
39KB

MD5
9d0df08c867d7c0be1a911e2a1964f71

SHA1
da5a7f2486c9bd55dc197b2cb756f04a0c646efb

SHA256
0e6d6eb25b6358c1235272ef3bee30fe4d4d0a7c8b34b7dde4b836ba201b98f4

SHA512
5ad22429fd91162cecb7df83aa966de61162197f0705164aa1ee98c0d75c5f3ac6e8a34a97b8e544dd70020874035340cdb88c3d49e25d1aaf99881010d23fa6

Download Submit
C:\Windows\Google.exe

Filesize
39KB

MD5
9d0df08c867d7c0be1a911e2a1964f71

SHA1
da5a7f2486c9bd55dc197b2cb756f04a0c646efb

SHA256
0e6d6eb25b6358c1235272ef3bee30fe4d4d0a7c8b34b7dde4b836ba201b98f4

SHA512
5ad22429fd91162cecb7df83aa966de61162197f0705164aa1ee98c0d75c5f3ac6e8a34a97b8e544dd70020874035340cdb88c3d49e25d1aaf99881010d23fa6

Download Submit
C:\Windows\Google.exe

Filesize
39KB

MD5
9d0df08c867d7c0be1a911e2a1964f71

SHA1
da5a7f2486c9bd55dc197b2cb756f04a0c646efb

SHA256
0e6d6eb25b6358c1235272ef3bee30fe4d4d0a7c8b34b7dde4b836ba201b98f4

SHA512
5ad22429fd91162cecb7df83aa966de61162197f0705164aa1ee98c0d75c5f3ac6e8a34a97b8e544dd70020874035340cdb88c3d49e25d1aaf99881010d23fa6

Download Submit
memory/472-59-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/472-69-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/472-70-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/2920-62-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2920-63-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2920-64-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download