xworm | b17fd59db88521a35cbbc39eae8c46f9f9a14008f9bab8bfd00f7d3aa40ea7fe

Analysis

max time kernel
162s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 23:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

docxw20230908.exe
Size

400.0MB
MD5

35057f07a32f74f8ba044659343f59ea
SHA1

0bdc40820ee90b7471ec5241e6dacc4eb9514331
SHA256

b17fd59db88521a35cbbc39eae8c46f9f9a14008f9bab8bfd00f7d3aa40ea7fe
SHA512

7306fd401a1484084c6e4b667a2efc54551a8f7eae339ad75b24f58f2dfb4ba507cbe50015ba0241e7f6b99e25fb548c9b8c6f8b9714e6d0f5f2e815ea84d0f7
SSDEEP

3072:E+BnTi90t/wqfMpCMAPs3UIGiszAVLCbilsjVJi1MaKKKKKKldjVKKKKVKbKKKKr:E+BnTiq2QM53NGNzeCb9jVJi1xelFY

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

homesafe1000.duckdns.org:7000

Mutex

MbQZfUWuaRfd8jkh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1504-9-0x0000000000420000-0x0000000000430000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
3704	svchost.exe
3256	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4620 set thread context of 1504	4620	docxw20230908.exe	106
PID 3704 set thread context of 3256	3704	svchost.exe	118

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2296	schtasks.exe
2036	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1504	docxw20230908.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	docxw20230908.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	docxw20230908.exe
Token: SeDebugPrivilege	3256	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1504	docxw20230908.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 1504	4620	docxw20230908.exe	106
PID 4620 wrote to memory of 640	4620	docxw20230908.exe	108
PID 4620 wrote to memory of 640	4620	docxw20230908.exe	108
PID 4620 wrote to memory of 640	4620	docxw20230908.exe	108
PID 4620 wrote to memory of 3932	4620	docxw20230908.exe	111
PID 4620 wrote to memory of 3932	4620	docxw20230908.exe	111
PID 4620 wrote to memory of 3932	4620	docxw20230908.exe	111
PID 4620 wrote to memory of 3496	4620	docxw20230908.exe	110
PID 4620 wrote to memory of 3496	4620	docxw20230908.exe	110
PID 4620 wrote to memory of 3496	4620	docxw20230908.exe	110
PID 3932 wrote to memory of 2296	3932	cmd.exe	114
PID 3932 wrote to memory of 2296	3932	cmd.exe	114
PID 3932 wrote to memory of 2296	3932	cmd.exe	114
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3256	3704	svchost.exe	118
PID 3704 wrote to memory of 3668	3704	svchost.exe	119
PID 3704 wrote to memory of 3668	3704	svchost.exe	119
PID 3704 wrote to memory of 3668	3704	svchost.exe	119
PID 3704 wrote to memory of 4560	3704	svchost.exe	120
PID 3704 wrote to memory of 4560	3704	svchost.exe	120
PID 3704 wrote to memory of 4560	3704	svchost.exe	120
PID 3704 wrote to memory of 5056	3704	svchost.exe	122
PID 3704 wrote to memory of 5056	3704	svchost.exe	122
PID 3704 wrote to memory of 5056	3704	svchost.exe	122
PID 4560 wrote to memory of 2036	4560	cmd.exe	125
PID 4560 wrote to memory of 2036	4560	cmd.exe	125
PID 4560 wrote to memory of 2036	4560	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe
"C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe
  "C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docxw20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2296

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
155.2MB

MD5
1fb651177c602b84e30ed34e55177516

SHA1
1a03f8e52ff86ff7a058f1c6c5b6c293305b082c

SHA256
4e5eb80db34a29a2aa5c870135f9c16e315a128304856c8957c466976cac3f6d

SHA512
2f4bea1c3e017052643342906047b08e6c014a48c5ad58efeeca95d11abdc8523dc7bc7b8563933d806e62f7b8777e779d23fa2d75c9d5c0c940d40229553e31

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
152.7MB

MD5
48284962f8800dcc4caca828bdd92a7a

SHA1
b4627fbc387e500f1cd5410754b1d9d1ce3b420c

SHA256
4f3ebe6b00de518a41dd1378f058d59754fd0bdf9629594b05a92cf09736597c

SHA512
6dd7c6bd71bdb5d90a6099731920ebf16d9c67d9b1dd2116f29050b1635dd724cca47b090a2ad206184c72a1237a5b1a70f1c00f1f1e6b149641d2d4f2076576

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
64.9MB

MD5
8b67091c573a5b45910492d6209ab016

SHA1
b928f6ae21e17e60a890df062da314738abeb22f

SHA256
2d64b99e6e0473743e1563cece014473fc9224301513d16ff3d3a7dd1bc29432

SHA512
044051486449cda00fe78cc69b045babc437c7e901b43effc9c312874cc8ff149a9e11f2d0a0d413cba4cebb51b0afa44ae6e48277710fbf2480e1e9980d0399

Download Submit
memory/1504-18-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-8-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-9-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/1504-10-0x00000000048E0000-0x000000000497C000-memory.dmp

Filesize
624KB

Download
memory/1504-19-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1504-15-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1504-16-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1504-17-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

Filesize
40KB

Download
memory/3256-28-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-30-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-22-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-23-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-29-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-12-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-6-0x00000000050B0000-0x00000000050BE000-memory.dmp

Filesize
56KB

Download
memory/4620-5-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4620-0-0x00000000006E0000-0x000000000072E000-memory.dmp

Filesize
312KB

Download
memory/4620-4-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-3-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4620-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4620-1-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download