xworm | b17fd59db88521a35cbbc39eae8c46f9f9a14008f9bab8bfd00f7d3aa40ea7fe

Analysis

max time kernel
153s
max time network
168s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 23:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

docxw20230908.exe
Size

400.0MB
MD5

35057f07a32f74f8ba044659343f59ea
SHA1

0bdc40820ee90b7471ec5241e6dacc4eb9514331
SHA256

b17fd59db88521a35cbbc39eae8c46f9f9a14008f9bab8bfd00f7d3aa40ea7fe
SHA512

7306fd401a1484084c6e4b667a2efc54551a8f7eae339ad75b24f58f2dfb4ba507cbe50015ba0241e7f6b99e25fb548c9b8c6f8b9714e6d0f5f2e815ea84d0f7
SSDEEP

3072:E+BnTi90t/wqfMpCMAPs3UIGiszAVLCbilsjVJi1MaKKKKKKldjVKKKKVKbKKKKr:E+BnTiq2QM53NGNzeCb9jVJi1xelFY

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

homesafe1000.duckdns.org:7000

Mutex

MbQZfUWuaRfd8jkh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/940-8-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/940-9-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/940-12-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/940-14-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/940-16-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
2668	svchost.exe
2160	svchost.exe
2004	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 940	1700	docxw20230908.exe	30
PID 2668 set thread context of 2160	2668	svchost.exe	40

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2284	schtasks.exe
1692	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
940	docxw20230908.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
940	docxw20230908.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	docxw20230908.exe
Token: SeDebugPrivilege	2160	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
940	docxw20230908.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 940	1700	docxw20230908.exe	30
PID 1700 wrote to memory of 2516	1700	docxw20230908.exe	31
PID 1700 wrote to memory of 2516	1700	docxw20230908.exe	31
PID 1700 wrote to memory of 2516	1700	docxw20230908.exe	31
PID 1700 wrote to memory of 2516	1700	docxw20230908.exe	31
PID 1700 wrote to memory of 1596	1700	docxw20230908.exe	32
PID 1700 wrote to memory of 1596	1700	docxw20230908.exe	32
PID 1700 wrote to memory of 1596	1700	docxw20230908.exe	32
PID 1700 wrote to memory of 1596	1700	docxw20230908.exe	32
PID 1700 wrote to memory of 2604	1700	docxw20230908.exe	34
PID 1700 wrote to memory of 2604	1700	docxw20230908.exe	34
PID 1700 wrote to memory of 2604	1700	docxw20230908.exe	34
PID 1700 wrote to memory of 2604	1700	docxw20230908.exe	34
PID 1596 wrote to memory of 2284	1596	cmd.exe	37
PID 1596 wrote to memory of 2284	1596	cmd.exe	37
PID 1596 wrote to memory of 2284	1596	cmd.exe	37
PID 1596 wrote to memory of 2284	1596	cmd.exe	37
PID 1676 wrote to memory of 2668	1676	taskeng.exe	39
PID 1676 wrote to memory of 2668	1676	taskeng.exe	39
PID 1676 wrote to memory of 2668	1676	taskeng.exe	39
PID 1676 wrote to memory of 2668	1676	taskeng.exe	39
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 2160	2668	svchost.exe	40
PID 2668 wrote to memory of 796	2668	svchost.exe	44
PID 2668 wrote to memory of 796	2668	svchost.exe	44
PID 2668 wrote to memory of 796	2668	svchost.exe	44
PID 2668 wrote to memory of 796	2668	svchost.exe	44
PID 2668 wrote to memory of 1044	2668	svchost.exe	43
PID 2668 wrote to memory of 1044	2668	svchost.exe	43
PID 2668 wrote to memory of 1044	2668	svchost.exe	43
PID 2668 wrote to memory of 1044	2668	svchost.exe	43
PID 2668 wrote to memory of 1276	2668	svchost.exe	42
PID 2668 wrote to memory of 1276	2668	svchost.exe	42
PID 2668 wrote to memory of 1276	2668	svchost.exe	42
PID 2668 wrote to memory of 1276	2668	svchost.exe	42
PID 1044 wrote to memory of 1692	1044	cmd.exe	47
PID 1044 wrote to memory of 1692	1044	cmd.exe	47
PID 1044 wrote to memory of 1692	1044	cmd.exe	47
PID 1044 wrote to memory of 1692	1044	cmd.exe	47
PID 1676 wrote to memory of 2004	1676	taskeng.exe	48
PID 1676 wrote to memory of 2004	1676	taskeng.exe	48
PID 1676 wrote to memory of 2004	1676	taskeng.exe	48
PID 1676 wrote to memory of 2004	1676	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe
"C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe
  "C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:2604

C:\Windows\system32\taskeng.exe
taskeng.exe {59C107EC-4B8E-4CEB-B045-3C047504238F} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:796
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
92.3MB

MD5
a9b8fe498d3a4faafa3125176665b74b

SHA1
2d32860768404385a4c374f3dfb6b0623a226333

SHA256
47bb1d011640a2586e63cc467584ed0343ebe20d0bda92944557f3ec2620247a

SHA512
d5ef45a5d5696aeffdb89676c75db0bd95e9eefae006b927ab1ac516619f3b533a6dde5fecce8bf8aa2c53ac452ac7129813ae90d4feea7dd29ccc781c19f9d7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
91.8MB

MD5
b18a21fbe66416dd2b00fc467c1ec1b1

SHA1
ecae925d2614c9b271941eebe3148c83c3686c49

SHA256
e7cf00ffe57887d627cc3ea00717802120089148ed8fed037196c7aac09dbb41

SHA512
3ec7c2e80619f67894a35a1d1b3530c7deaa3a59770fad7752417cd6c66496dbb85c547452d868f7219fefbec73ba5236f7e4a1a9be4d79c26af3be2a1c1ecf5

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
33.9MB

MD5
046bc89c1f416a0c4c9167aa327cb67f

SHA1
710b3d260ad9a98d5e5948d17b7b08035c51350a

SHA256
4bf5f766dfd33b73cc268861a75cdcc63b282591cbf816f4bd3756eaf5fa8a51

SHA512
03c58ba06175b46a0bfe8656ad2448d8992453022733d4cee9c11cfa8cb0ec27f92f552906516d70d39b332f1fd4eb19938c6b5903f46355f485a9a48c33f665

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
640KB

MD5
61370e7d12344e516b034c4cd20f4990

SHA1
7d744e27d30f8c6cd7f90ecc9d1724b4702ee993

SHA256
25ffd7d6248c9118cf01ef7a1f1e788974438128db5ac5dbc345d4915f844997

SHA512
ed3b1d9295eb5f7212302dfb337c1c9c8aa0c2f9e4eb4cbbe40dc58dfd9a3ba6a07c6ba59116dbaa0474f17e210082e4e15312d275bb3837406b1275baceb63f

Download Submit
memory/940-21-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/940-22-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/940-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/940-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-17-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/940-23-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/1700-4-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/1700-2-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/1700-18-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-5-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1700-3-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-0-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-1-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/2004-48-0x0000000000110000-0x000000000015E000-memory.dmp

Filesize
312KB

Download
memory/2160-46-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-44-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-26-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-45-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-30-0x0000000002020000-0x0000000002060000-memory.dmp

Filesize
256KB

Download
memory/2668-29-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-28-0x0000000002020000-0x0000000002060000-memory.dmp

Filesize
256KB

Download
memory/2668-27-0x0000000000120000-0x000000000016E000-memory.dmp

Filesize
312KB

Download