xworm | 40bd3a3b31b4aee8d5b7895ec1108de6bdb2351ee68ebc288cc54c0a10079c73

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zqdZqQhxI1QOUR2.exe
Size

495KB
MD5

ddbc0653ec3a10b67141e6f8ec498a7e
SHA1

754e3c014f59c3b06461f4fcf651f84109e94a5a
SHA256

40bd3a3b31b4aee8d5b7895ec1108de6bdb2351ee68ebc288cc54c0a10079c73
SHA512

0e14f035314988c278cde4805ef249f394773e6f34a6e000c825d1fb0c105ff952d04569ac27fbca775a76e24eb64a8ababe87c52cb0ba808e5efd11c1ed2d1a
SSDEEP

12288:hZi34AfJw1UGUTazCmhDoFS2TH/9h5sJwZLMVPSSHDfJ:biBwqTmoc8fVsI09jB

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

chikes17.duckdns.org:7000

Mutex

JU8kX1cZxdKHfS72

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/824-24-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	zqdZqQhxI1QOUR2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 824	1768	zqdZqQhxI1QOUR2.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1768	zqdZqQhxI1QOUR2.exe
1768	zqdZqQhxI1QOUR2.exe
1768	zqdZqQhxI1QOUR2.exe
1768	zqdZqQhxI1QOUR2.exe
1768	zqdZqQhxI1QOUR2.exe
1768	zqdZqQhxI1QOUR2.exe
1768	zqdZqQhxI1QOUR2.exe
3056	powershell.exe
3056	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	zqdZqQhxI1QOUR2.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	824	zqdZqQhxI1QOUR2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3056	1768	zqdZqQhxI1QOUR2.exe	98
PID 1768 wrote to memory of 3056	1768	zqdZqQhxI1QOUR2.exe	98
PID 1768 wrote to memory of 3056	1768	zqdZqQhxI1QOUR2.exe	98
PID 1768 wrote to memory of 4532	1768	zqdZqQhxI1QOUR2.exe	100
PID 1768 wrote to memory of 4532	1768	zqdZqQhxI1QOUR2.exe	100
PID 1768 wrote to memory of 4532	1768	zqdZqQhxI1QOUR2.exe	100
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102
PID 1768 wrote to memory of 824	1768	zqdZqQhxI1QOUR2.exe	102

C:\Users\Admin\AppData\Local\Temp\zqdZqQhxI1QOUR2.exe
"C:\Users\Admin\AppData\Local\Temp\zqdZqQhxI1QOUR2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TpLvaNxoIQ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TpLvaNxoIQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BE2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\zqdZqQhxI1QOUR2.exe
  "C:\Users\Admin\AppData\Local\Temp\zqdZqQhxI1QOUR2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zqdZqQhxI1QOUR2.exe.log

Filesize
1KB

MD5
585182a56bc9ed2a07839034053e6cbe

SHA1
7cf490257c87d1dd3ccb781367318ebc42ec73a8

SHA256
c033ed46328435a7d44d26ad674d3ed49e370fb7c948d6ea1d6d427f90ee24be

SHA512
0a2d4af66076de2a7bf73b37c4c1e7609552dde0c97bd31a78a07cd14d3a80266150b98221a9a2d6e55ebe4f0ee1e507f7f31dbf038b9c00cbcfe048934dd928

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtspquom.nml.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BE2.tmp

Filesize
1KB

MD5
d45c2c81fd436c7eb26425a67f8eed2a

SHA1
1fb6884f394be4c1c54f861d5a6f76ec23c2d29a

SHA256
9d066f62c491b3c152b5f40b029858d96fa16d30ed042046ad0323559c18e7fc

SHA512
2ce326ce40589de323e0a8f61cfa007fb2093708dcbde17d7e4631068a5effde8b285875de9a499fa2c90f13e17e3b1a8f749088dc638a33cf76da2f49548362

Download Submit
memory/824-75-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/824-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/824-44-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/824-71-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/824-28-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-6-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/1768-8-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/1768-10-0x0000000007360000-0x0000000007378000-memory.dmp

Filesize
96KB

Download
memory/1768-11-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-12-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1768-13-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/1768-14-0x0000000009A40000-0x0000000009A88000-memory.dmp

Filesize
288KB

Download
memory/1768-9-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download
memory/1768-7-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/1768-5-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/1768-4-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1768-3-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/1768-2-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/1768-0-0x0000000000A80000-0x0000000000B02000-memory.dmp

Filesize
520KB

Download
memory/1768-1-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-29-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3056-30-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3056-59-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/3056-31-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3056-22-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/3056-38-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/3056-42-0x0000000005350000-0x000000000536E000-memory.dmp

Filesize
120KB

Download
memory/3056-43-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/3056-23-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/3056-45-0x000000007F9E0000-0x000000007F9F0000-memory.dmp

Filesize
64KB

Download
memory/3056-46-0x0000000006BC0000-0x0000000006BF2000-memory.dmp

Filesize
200KB

Download
memory/3056-47-0x0000000070820000-0x000000007086C000-memory.dmp

Filesize
304KB

Download
memory/3056-57-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/3056-58-0x00000000075E0000-0x0000000007683000-memory.dmp

Filesize
652KB

Download
memory/3056-25-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/3056-60-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/3056-61-0x0000000007970000-0x000000000797A000-memory.dmp

Filesize
40KB

Download
memory/3056-62-0x0000000007B80000-0x0000000007C16000-memory.dmp

Filesize
600KB

Download
memory/3056-63-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3056-64-0x0000000007B00000-0x0000000007B11000-memory.dmp

Filesize
68KB

Download
memory/3056-65-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/3056-66-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/3056-67-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/3056-68-0x0000000007B60000-0x0000000007B74000-memory.dmp

Filesize
80KB

Download
memory/3056-69-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/3056-70-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/3056-21-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3056-74-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3056-19-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download