Overview

overview

10

Static

static

10

XWorm Ping...er.exe

windows7-x64

10

XWorm Ping...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm Ping Optimizer.exe

  • Size

    209KB

  • MD5

    43bb693a4d3ca23a85015b487f0db69a

  • SHA1

    4a29501c02988e111c2c6c9dccdbd135c119a4e8

  • SHA256

    f645030d125dac92a38f919cc0b134f7cba5f70f0fc5ce421a532dfe1515c22e

  • SHA512

    3694b42ef2f8ad357df9934349c100a0fd6a8386c7859ee1299bc34ba200429ac9584695a174050c425c91f120d9f40091773963e9a3427c323f614a36b7ca13

  • SSDEEP

    3072:ugUv1gB5CLa9bqqsBoO/Ya1W7T4MxK08cnNizrQxs/DrGQG3v9RfPJ:uJ1I5CLqbYlIT4MxKJzrAP

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

functions-screensavers.gl.at.ply.gg:11035

Attributes
  • Install_directory

    %Temp%

  • install_file

    XWorm Auto Updater.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm Ping Optimizer.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm Ping Optimizer.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm Ping Optimizer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm Ping Optimizer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm Auto Updater.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm Auto Updater" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2000
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B6072E8C-4B3E-4B7B-8185-BE9809C7552B} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
    1⤵
      PID:1640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      aaac3959f00c4858fa1956a88aa4c557

      SHA1

      8d3c58db530d0b62d49da7c17ec32f9fd79572bc

      SHA256

      515d7e602e8256ac07dd527c2e5149cfa158b3f392475fb6c79b8396aa213169

      SHA512

      3dac758c20db344c710ca2cac753abea2487b1ca9f3483eab259b46bfa9a12d57aa950ba772bea84210e8a35414688788a4ec2fbef3480395441a4a431967c77

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      aaac3959f00c4858fa1956a88aa4c557

      SHA1

      8d3c58db530d0b62d49da7c17ec32f9fd79572bc

      SHA256

      515d7e602e8256ac07dd527c2e5149cfa158b3f392475fb6c79b8396aa213169

      SHA512

      3dac758c20db344c710ca2cac753abea2487b1ca9f3483eab259b46bfa9a12d57aa950ba772bea84210e8a35414688788a4ec2fbef3480395441a4a431967c77

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      aaac3959f00c4858fa1956a88aa4c557

      SHA1

      8d3c58db530d0b62d49da7c17ec32f9fd79572bc

      SHA256

      515d7e602e8256ac07dd527c2e5149cfa158b3f392475fb6c79b8396aa213169

      SHA512

      3dac758c20db344c710ca2cac753abea2487b1ca9f3483eab259b46bfa9a12d57aa950ba772bea84210e8a35414688788a4ec2fbef3480395441a4a431967c77

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\860YQ6IOQSLBEY4XOJ5M.temp
      Filesize

      7KB

      MD5

      aaac3959f00c4858fa1956a88aa4c557

      SHA1

      8d3c58db530d0b62d49da7c17ec32f9fd79572bc

      SHA256

      515d7e602e8256ac07dd527c2e5149cfa158b3f392475fb6c79b8396aa213169

      SHA512

      3dac758c20db344c710ca2cac753abea2487b1ca9f3483eab259b46bfa9a12d57aa950ba772bea84210e8a35414688788a4ec2fbef3480395441a4a431967c77

      Download Submit

    • memory/1896-0-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1896-1-0x0000000000BA0000-0x0000000000BD8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1896-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1896-59-0x0000000002000000-0x0000000002080000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1896-58-0x0000000002000000-0x0000000002080000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1924-51-0x0000000002870000-0x00000000028F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1924-49-0x0000000002870000-0x00000000028F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1924-50-0x0000000002870000-0x00000000028F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1924-48-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1924-47-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1924-52-0x0000000002870000-0x00000000028F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1924-53-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2428-40-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2428-39-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2428-38-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2428-37-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2428-36-0x000007FEEF800000-0x000007FEF019D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2428-35-0x000007FEEF800000-0x000007FEF019D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2428-41-0x000007FEEF800000-0x000007FEF019D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2572-14-0x000007FEEF800000-0x000007FEF019D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2572-13-0x000007FEEF800000-0x000007FEF019D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2572-7-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2572-8-0x0000000002490000-0x0000000002498000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2572-9-0x000007FEEF800000-0x000007FEF019D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2572-10-0x0000000002580000-0x0000000002600000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2572-11-0x0000000002580000-0x0000000002600000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2572-12-0x0000000002580000-0x0000000002600000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2808-24-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2808-20-0x000000001B290000-0x000000001B572000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2808-21-0x00000000025E0000-0x00000000025E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2808-22-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2808-23-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2808-28-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2808-25-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2808-26-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2808-27-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download