xworm | 781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434

Analysis

max time kernel
147s
max time network
157s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe
Size

606KB
MD5

c7b28f5f9fb6780fc0976a8383696818
SHA1

af6654f093fe2af97b024dfe8067e0aa8dc93816
SHA256

781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434
SHA512

955e32a0171de8c527906559af067a4b5c25fc6a91ffcb9b1c57f934c82b7ab31885c6b82cf1610c8497b8350523a2316c12fcb8e6a68eb984a6684d4a15a841
SSDEEP

12288:NcrNS33L10QdrXjNfmDnDnCXgUcYfOfAFczhTjHsHLzuhV2Rj+TF:wNA3R5drXwDDuhcY7c9TSuhE4F

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

floptuytonroyem.sytes.net:7004

Mutex

cEHiEYwUFLZIOeZI

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2784-40-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2784-44-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2784-46-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esdvsdf.lnk	esdvsdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esdvsdf.lnk	esdvsdf.exe

Executes dropped EXE 3 IoCs

pid	Process
2656	esdvsdf.sfx.exe
3056	esdvsdf.exe
2784	esdvsdf.exe

Loads dropped DLL 7 IoCs

pid	Process
2680	cmd.exe
2656	esdvsdf.sfx.exe
2656	esdvsdf.sfx.exe
2656	esdvsdf.sfx.exe
2656	esdvsdf.sfx.exe
3056	esdvsdf.exe
2784	esdvsdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 2784	3056	esdvsdf.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	esdvsdf.exe
Token: SeDebugPrivilege	2784	esdvsdf.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2680	2444	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	28
PID 2444 wrote to memory of 2680	2444	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	28
PID 2444 wrote to memory of 2680	2444	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	28
PID 2444 wrote to memory of 2680	2444	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	28
PID 2680 wrote to memory of 2656	2680	cmd.exe	30
PID 2680 wrote to memory of 2656	2680	cmd.exe	30
PID 2680 wrote to memory of 2656	2680	cmd.exe	30
PID 2680 wrote to memory of 2656	2680	cmd.exe	30
PID 2656 wrote to memory of 3056	2656	esdvsdf.sfx.exe	31
PID 2656 wrote to memory of 3056	2656	esdvsdf.sfx.exe	31
PID 2656 wrote to memory of 3056	2656	esdvsdf.sfx.exe	31
PID 2656 wrote to memory of 3056	2656	esdvsdf.sfx.exe	31
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32
PID 3056 wrote to memory of 2784	3056	esdvsdf.exe	32

C:\Users\Admin\AppData\Local\Temp\781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe
"C:\Users\Admin\AppData\Local\Temp\781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ameukfhn.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe
    esdvsdf.sfx.exe -pkymdkeopjszafugyRhvqxsHbcdhryujmsavmhjfjgBbsdirhndmkaloybdtyuiOlfgnme -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe
      "C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe
        
        C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ameukfhn.bat

Filesize
14KB

MD5
55b5c05715d4a022d64327a9ca38e7a1

SHA1
373c77f1fb11bea6a1698eae4e6399443c4a978e

SHA256
9d4ba2292025de84e89af24810cc542e091d3fed43c07962d30a2ad35675ee49

SHA512
e2cc7bcb690275b1a00ac27ea813b1f5e8809376fd42bd5954d122a29e955c31afd89955f929e999a1924cc682ccff62c5f459cb0c96f51d2abb59184a36f9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ameukfhn.bat

Filesize
14KB

MD5
55b5c05715d4a022d64327a9ca38e7a1

SHA1
373c77f1fb11bea6a1698eae4e6399443c4a978e

SHA256
9d4ba2292025de84e89af24810cc542e091d3fed43c07962d30a2ad35675ee49

SHA512
e2cc7bcb690275b1a00ac27ea813b1f5e8809376fd42bd5954d122a29e955c31afd89955f929e999a1924cc682ccff62c5f459cb0c96f51d2abb59184a36f9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe

Filesize
444KB

MD5
1354e84b20a806a0a19ee056dc50f54b

SHA1
0b2ba75f398946efacbdaeb24ea9f69dccd95cbd

SHA256
b9e2318ccb966f02f3758d0cc2f0726ce997bf9677545385c438cb547c60fd5b

SHA512
3dd4250d51393ac7f6b00e7b3c423351b87edef22a75ee474405737d27368f80d154e7ac96b589b771e7f90b4f601eed51eccc4db10b94a3f84f721d41117365

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe

Filesize
444KB

MD5
1354e84b20a806a0a19ee056dc50f54b

SHA1
0b2ba75f398946efacbdaeb24ea9f69dccd95cbd

SHA256
b9e2318ccb966f02f3758d0cc2f0726ce997bf9677545385c438cb547c60fd5b

SHA512
3dd4250d51393ac7f6b00e7b3c423351b87edef22a75ee474405737d27368f80d154e7ac96b589b771e7f90b4f601eed51eccc4db10b94a3f84f721d41117365

Download Submit
\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe

Filesize
444KB

MD5
1354e84b20a806a0a19ee056dc50f54b

SHA1
0b2ba75f398946efacbdaeb24ea9f69dccd95cbd

SHA256
b9e2318ccb966f02f3758d0cc2f0726ce997bf9677545385c438cb547c60fd5b

SHA512
3dd4250d51393ac7f6b00e7b3c423351b87edef22a75ee474405737d27368f80d154e7ac96b589b771e7f90b4f601eed51eccc4db10b94a3f84f721d41117365

Download Submit
\Users\Admin\AppData\Roaming\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
memory/2784-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2784-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2784-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2784-47-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-48-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2784-54-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-55-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/3056-43-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-38-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-37-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download