xworm | e6234adc4009f934481d9138b131bf9567514c8384851a5d6e7f0c1fc96cb07b

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamSetup.exe
Size

7.6MB
MD5

e9e90acb743b53007dc1b7908cadec37
SHA1

c396df39ae540bd589802d17bbc5382740f4d861
SHA256

e6234adc4009f934481d9138b131bf9567514c8384851a5d6e7f0c1fc96cb07b
SHA512

dfc447434af9f7051587a20cc523236ffd2bcbea638173912f3bf898f90007315c446390ef7ac83b3b1dcfdb4b6cca76a8c7ba4c2ef15b1b60f06bfd77492123
SSDEEP

196608:1l7x31wnc72nlUrZADXfphNBbXtVWrLXQr9lba:R31wnc6mAbfpVfWgDa

Score

10^/10

xworm persistence pyinstaller rat trojan upx

Malware Config

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0015000000011fff-5.dat	family_xworm
behavioral1/files/0x0015000000011fff-6.dat	family_xworm
behavioral1/memory/2348-7-0x0000000000C60000-0x0000000000C7A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Component Package Support Server.lnk	Component Package Support Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Component Package Support Server.lnk	Component Package Support Server.exe

Executes dropped EXE 4 IoCs

pid	Process
2348	Component Package Support Server.exe
2868	Device Association Framework Provider Host.exe
1420	Device Association Framework Provider Host.exe
1224	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2840	SteamSetup.exe
1420	Device Association Framework Provider Host.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015dde-43.dat	upx
behavioral1/files/0x0006000000015dde-44.dat	upx
behavioral1/memory/1420-45-0x000007FEF2060000-0x000007FEF24C6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Component Package Support Server = "C:\\Users\\Admin\\AppData\\Roaming\\Component Package Support Server.exe"	Component Package Support Server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000800000001210a-13.dat	pyinstaller
behavioral1/files/0x000800000001210a-11.dat	pyinstaller
behavioral1/files/0x000800000001210a-14.dat	pyinstaller
behavioral1/files/0x000800000001210a-42.dat	pyinstaller
behavioral1/files/0x000800000001210a-46.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3016	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2348	Component Package Support Server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	powershell.exe
324	powershell.exe
1732	powershell.exe
2348	Component Package Support Server.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	Component Package Support Server.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2348	Component Package Support Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2348	Component Package Support Server.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2348	2840	SteamSetup.exe	28
PID 2840 wrote to memory of 2348	2840	SteamSetup.exe	28
PID 2840 wrote to memory of 2348	2840	SteamSetup.exe	28
PID 2840 wrote to memory of 2868	2840	SteamSetup.exe	29
PID 2840 wrote to memory of 2868	2840	SteamSetup.exe	29
PID 2840 wrote to memory of 2868	2840	SteamSetup.exe	29
PID 2868 wrote to memory of 1420	2868	Device Association Framework Provider Host.exe	30
PID 2868 wrote to memory of 1420	2868	Device Association Framework Provider Host.exe	30
PID 2868 wrote to memory of 1420	2868	Device Association Framework Provider Host.exe	30
PID 2348 wrote to memory of 2508	2348	Component Package Support Server.exe	34
PID 2348 wrote to memory of 2508	2348	Component Package Support Server.exe	34
PID 2348 wrote to memory of 2508	2348	Component Package Support Server.exe	34
PID 2348 wrote to memory of 324	2348	Component Package Support Server.exe	36
PID 2348 wrote to memory of 324	2348	Component Package Support Server.exe	36
PID 2348 wrote to memory of 324	2348	Component Package Support Server.exe	36
PID 2348 wrote to memory of 1732	2348	Component Package Support Server.exe	38
PID 2348 wrote to memory of 1732	2348	Component Package Support Server.exe	38
PID 2348 wrote to memory of 1732	2348	Component Package Support Server.exe	38
PID 2348 wrote to memory of 3016	2348	Component Package Support Server.exe	40
PID 2348 wrote to memory of 3016	2348	Component Package Support Server.exe	40
PID 2348 wrote to memory of 3016	2348	Component Package Support Server.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe
  "C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Component Package Support Server.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Component Package Support Server" /tr "C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3016
- C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe
  "C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe
    "C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1420

C:\Windows\system32\taskeng.exe
taskeng.exe {4838B56C-9238-4107-A5B4-A771B823B8C7} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28682\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76f0adb094ad268c39216355fff28cf2

SHA1
8de0743a253b1ecdb7134637f7f308fde0d5bef8

SHA256
6efa353da6fe8cc47afc87742c6908d955f0f4d258c3922022720986c0b12690

SHA512
076220d47a1c79b9a8d436499f15d1ae0be645f5561fe1e696d158e50f396da08c40482c2e460af7773118f13cc1dfe70ee2ce14cc3c7a8cd1265c78391a4521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76f0adb094ad268c39216355fff28cf2

SHA1
8de0743a253b1ecdb7134637f7f308fde0d5bef8

SHA256
6efa353da6fe8cc47afc87742c6908d955f0f4d258c3922022720986c0b12690

SHA512
076220d47a1c79b9a8d436499f15d1ae0be645f5561fe1e696d158e50f396da08c40482c2e460af7773118f13cc1dfe70ee2ce14cc3c7a8cd1265c78391a4521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U7HDC6C912KMIW9FM79N.temp

Filesize
7KB

MD5
76f0adb094ad268c39216355fff28cf2

SHA1
8de0743a253b1ecdb7134637f7f308fde0d5bef8

SHA256
6efa353da6fe8cc47afc87742c6908d955f0f4d258c3922022720986c0b12690

SHA512
076220d47a1c79b9a8d436499f15d1ae0be645f5561fe1e696d158e50f396da08c40482c2e460af7773118f13cc1dfe70ee2ce14cc3c7a8cd1265c78391a4521

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28682\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
memory/324-96-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/324-99-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/324-100-0x000007FEED480000-0x000007FEEDE1D000-memory.dmp

Filesize
9.6MB

Download
memory/324-98-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/324-97-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/324-95-0x000007FEED480000-0x000007FEEDE1D000-memory.dmp

Filesize
9.6MB

Download
memory/324-93-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/324-94-0x000007FEED480000-0x000007FEEDE1D000-memory.dmp

Filesize
9.6MB

Download
memory/324-92-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1420-45-0x000007FEF2060000-0x000007FEF24C6000-memory.dmp

Filesize
4.4MB

Download
memory/1732-111-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1732-110-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1732-109-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1732-107-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1732-108-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2348-58-0x000000001AC10000-0x000000001AC90000-memory.dmp

Filesize
512KB

Download
memory/2348-48-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-8-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-7-0x0000000000C60000-0x0000000000C7A000-memory.dmp

Filesize
104KB

Download
memory/2348-47-0x000000001AC10000-0x000000001AC90000-memory.dmp

Filesize
512KB

Download
memory/2508-82-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2508-81-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2508-84-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2508-79-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-80-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2508-86-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-85-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2508-83-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2840-1-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-0-0x0000000000250000-0x00000000009F4000-memory.dmp

Filesize
7.6MB

Download
memory/2840-15-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download