xworm | 495c535f89ad9319b97b59b52eb5d690315c202f9add743061dc53b4b583b610

Analysis

max time kernel
152s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

51KB
MD5

79cd45fb4ce03b7262bfca18f71f76df
SHA1

1cb7866b67768b8f15415cd33a4cbc1d284cb77e
SHA256

495c535f89ad9319b97b59b52eb5d690315c202f9add743061dc53b4b583b610
SHA512

370ff53c5f3648667c761c9d60f4f3ace99e2745b0253780c8dd0d87bca3c03e65c60f756bf8ea17a2f0790dbefa6ede6c0bcb7014f921cd51c945d53e4c8950
SSDEEP

1536:fwFIJ7n5Yptm6YCLgJwu4NFD0T5YKAYjZHgbyJ:pJ9Yptm6YCLgau4NGTJAYjZHWg

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

links-recovered.at.ply.gg:32508

Mutex

XSLvYVsJZs3bsiZr

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cd6-6.dat	family_xworm
behavioral1/files/0x0009000000016cd6-7.dat	family_xworm
behavioral1/memory/2540-8-0x0000000001230000-0x0000000001240000-memory.dmp	family_xworm
behavioral1/files/0x003f00000000f609-15.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\build.exe	build.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\build.exe	build.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	build.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\build = "C:\\Users\\Admin\\AppData\\Roaming\\build.exe"	build.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	build.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2540	2200	build.exe	30
PID 2200 wrote to memory of 2540	2200	build.exe	30
PID 2200 wrote to memory of 2540	2200	build.exe	30

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\build.exe
  "C:\Users\Admin\AppData\Roaming\build.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\build.exe

Filesize
42KB

MD5
522dcda6332f8fccbf277125a6b42b4a

SHA1
de959fb7d34ec6c3849c330f41dd1a4bc593ce2b

SHA256
de0330f6d59aa4d90c77af385145e5566c2d6dfec6e66a86d0c1d1f68e415d9d

SHA512
c3d02dfd6d1ec759b989b2f0e96b79c263bbf97264378b8da4103b3166490cdf23969729060bda23a7f41b9e43a758f56435416dbd396ec7c2f579bd285d537c

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
42KB

MD5
522dcda6332f8fccbf277125a6b42b4a

SHA1
de959fb7d34ec6c3849c330f41dd1a4bc593ce2b

SHA256
de0330f6d59aa4d90c77af385145e5566c2d6dfec6e66a86d0c1d1f68e415d9d

SHA512
c3d02dfd6d1ec759b989b2f0e96b79c263bbf97264378b8da4103b3166490cdf23969729060bda23a7f41b9e43a758f56435416dbd396ec7c2f579bd285d537c

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
42KB

MD5
522dcda6332f8fccbf277125a6b42b4a

SHA1
de959fb7d34ec6c3849c330f41dd1a4bc593ce2b

SHA256
de0330f6d59aa4d90c77af385145e5566c2d6dfec6e66a86d0c1d1f68e415d9d

SHA512
c3d02dfd6d1ec759b989b2f0e96b79c263bbf97264378b8da4103b3166490cdf23969729060bda23a7f41b9e43a758f56435416dbd396ec7c2f579bd285d537c

Download Submit
memory/2200-0-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-1-0x0000000000FD0000-0x0000000000FE4000-memory.dmp

Filesize
80KB

Download
memory/2200-2-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-10-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-8-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/2540-9-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-11-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-12-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2540-13-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads