xworm | b7f129259f95bb90ce75acf368286049fbb1acf57acaa5dafd91c2254411384f

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 04:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Steel Pipe.exe
Size

874KB
MD5

4c0223344ce72af46f634cf58cfb8314
SHA1

ce6791cf8e62237fdcd8b49c02556e9c579bda12
SHA256

29c2b6e7cd3603b45fcc37dc5c024e9d690958a8813eeca83ba2d5dc76e9674b
SHA512

aaf3e76c41f5db5aa51e93575c789cba3660fc39150fcab0683dc70c4cc47b847ceb3aea8646e3587596ebaa4a823a5ff0217166283c507eec4a34df0f6a1450
SSDEEP

12288:UdJIf9Cvo3CRmDSDehD6X3R5igERqFTYHdMqbUEKJnfzu08hgDuWOv71MdAA:UdJIlCvo3KmvhD6Xh5VqkaSnquuDWA

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

127.0.0.1:4001

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/memory/2552-12-0x0000000000400000-0x0000000000472000-memory.dmp	family_xworm
behavioral1/memory/2552-14-0x0000000000400000-0x0000000000472000-memory.dmp	family_xworm
behavioral1/memory/2552-18-0x0000000000400000-0x0000000000472000-memory.dmp	family_xworm
behavioral1/memory/2552-20-0x0000000000400000-0x0000000000472000-memory.dmp	family_xworm
behavioral1/memory/2552-22-0x0000000000400000-0x0000000000472000-memory.dmp	family_xworm
behavioral1/memory/1072-51-0x0000000002050000-0x0000000002090000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steel Pipe.lnk	Steel Pipe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steel Pipe.lnk	Steel Pipe.exe

Loads dropped DLL 1 IoCs

pid	Process
2552	Steel Pipe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2552	2228	Steel Pipe.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2552	Steel Pipe.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2632	powershell.exe
2996	powershell.exe
1072	powershell.exe
652	powershell.exe
2552	Steel Pipe.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	Steel Pipe.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	Steel Pipe.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2632	2228	Steel Pipe.exe	30
PID 2228 wrote to memory of 2632	2228	Steel Pipe.exe	30
PID 2228 wrote to memory of 2632	2228	Steel Pipe.exe	30
PID 2228 wrote to memory of 2632	2228	Steel Pipe.exe	30
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2228 wrote to memory of 2552	2228	Steel Pipe.exe	32
PID 2552 wrote to memory of 2996	2552	Steel Pipe.exe	33
PID 2552 wrote to memory of 2996	2552	Steel Pipe.exe	33
PID 2552 wrote to memory of 2996	2552	Steel Pipe.exe	33
PID 2552 wrote to memory of 2996	2552	Steel Pipe.exe	33
PID 2996 wrote to memory of 2876	2996	powershell.exe	35
PID 2996 wrote to memory of 2876	2996	powershell.exe	35
PID 2996 wrote to memory of 2876	2996	powershell.exe	35
PID 2996 wrote to memory of 2876	2996	powershell.exe	35
PID 2552 wrote to memory of 1072	2552	Steel Pipe.exe	36
PID 2552 wrote to memory of 1072	2552	Steel Pipe.exe	36
PID 2552 wrote to memory of 1072	2552	Steel Pipe.exe	36
PID 2552 wrote to memory of 1072	2552	Steel Pipe.exe	36
PID 2552 wrote to memory of 652	2552	Steel Pipe.exe	38
PID 2552 wrote to memory of 652	2552	Steel Pipe.exe	38
PID 2552 wrote to memory of 652	2552	Steel Pipe.exe	38
PID 2552 wrote to memory of 652	2552	Steel Pipe.exe	38

C:\Users\Admin\AppData\Local\Temp\Steel Pipe.exe
"C:\Users\Admin\AppData\Local\Temp\Steel Pipe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Steel Pipe.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\Steel Pipe.exe
  "C:\Users\Admin\AppData\Local\Temp\Steel Pipe.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Steel Pipe.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 800
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steel Pipe.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steel Pipe.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FV1AK0CF24NFG7KO42J2.temp

Filesize
7KB

MD5
a1a6f3003ae1aecd8c99225a7d9b5004

SHA1
05ad9eeefb7ccb8112e568aec17a69ee992c8274

SHA256
2e2fea0f97598dbcd7e19df6ac249f879fb45013c4f7a5002005b4d7c7942c12

SHA512
306a1a5fff910f66dbf3d6e408238c15cb7f23ba3fd809aac7edd76dbbbc1ebee689b94b3689a47494c3a01aba05a389f8c98c279a2de845b8f1d6b08332d040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a1a6f3003ae1aecd8c99225a7d9b5004

SHA1
05ad9eeefb7ccb8112e568aec17a69ee992c8274

SHA256
2e2fea0f97598dbcd7e19df6ac249f879fb45013c4f7a5002005b4d7c7942c12

SHA512
306a1a5fff910f66dbf3d6e408238c15cb7f23ba3fd809aac7edd76dbbbc1ebee689b94b3689a47494c3a01aba05a389f8c98c279a2de845b8f1d6b08332d040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a1a6f3003ae1aecd8c99225a7d9b5004

SHA1
05ad9eeefb7ccb8112e568aec17a69ee992c8274

SHA256
2e2fea0f97598dbcd7e19df6ac249f879fb45013c4f7a5002005b4d7c7942c12

SHA512
306a1a5fff910f66dbf3d6e408238c15cb7f23ba3fd809aac7edd76dbbbc1ebee689b94b3689a47494c3a01aba05a389f8c98c279a2de845b8f1d6b08332d040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a1a6f3003ae1aecd8c99225a7d9b5004

SHA1
05ad9eeefb7ccb8112e568aec17a69ee992c8274

SHA256
2e2fea0f97598dbcd7e19df6ac249f879fb45013c4f7a5002005b4d7c7942c12

SHA512
306a1a5fff910f66dbf3d6e408238c15cb7f23ba3fd809aac7edd76dbbbc1ebee689b94b3689a47494c3a01aba05a389f8c98c279a2de845b8f1d6b08332d040

Download Submit
\Users\Admin\AppData\Roaming\Steel Pipe.exe

Filesize
874KB

MD5
4c0223344ce72af46f634cf58cfb8314

SHA1
ce6791cf8e62237fdcd8b49c02556e9c579bda12

SHA256
29c2b6e7cd3603b45fcc37dc5c024e9d690958a8813eeca83ba2d5dc76e9674b

SHA512
aaf3e76c41f5db5aa51e93575c789cba3660fc39150fcab0683dc70c4cc47b847ceb3aea8646e3587596ebaa4a823a5ff0217166283c507eec4a34df0f6a1450

Download Submit
memory/652-64-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/652-63-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/652-65-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/652-68-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/652-67-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/652-66-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1072-54-0x0000000070AC0000-0x000000007106B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-55-0x0000000070AC0000-0x000000007106B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-50-0x0000000070AC0000-0x000000007106B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-51-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/1072-52-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/1072-53-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2228-24-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-4-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-3-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2228-2-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2228-1-0x0000000001170000-0x0000000001250000-memory.dmp

Filesize
896KB

Download
memory/2228-5-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2228-0-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2228-7-0x0000000005780000-0x000000000582C000-memory.dmp

Filesize
688KB

Download
memory/2552-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-14-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-76-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2552-75-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2552-8-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-10-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-12-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-38-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-22-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2552-23-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-43-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-28-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-27-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-29-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2632-30-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2876-42-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2876-56-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2996-37-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-39-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2996-40-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2996-44-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-41-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2996-36-0x0000000071070000-0x000000007161B000-memory.dmp

Filesize
5.7MB

Download