xworm | 4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133

Analysis

max time kernel
160s
max time network
181s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
Size

675KB
MD5

e568bed1c5e03e331654dee826b23930
SHA1

7c0afd12c32103cbd4362e42f334bc072f0ae110
SHA256

4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133
SHA512

488c6e5e11127abda7667de1b4a7d457d43effea5c245258cac35f50c63a7829d74cee16c7d3de72d6f66642d2ea7929bb9e61ae72af3fa801c0e137e6df607f
SSDEEP

12288:SrUbmtTf+IR5xblqCdcqzKAuqctZTX2LpeiZCZ6i:6UbK9rtuyLZY

Score

10^/10

xworm persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2960-41-0x00000000005F0000-0x000000000060E000-memory.dmp	family_xworm
behavioral1/memory/2960-45-0x0000000000820000-0x000000000083C000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\yuejduhr.exe,"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
2444	yuejduhr.exe
760	windaprOc.exe
2340	windaprOc.exe

Loads dropped DLL 3 IoCs

pid	Process
2612	cmd.exe
2444	yuejduhr.exe
760	windaprOc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2960	2444	yuejduhr.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2256	PING.EXE
2044	PING.EXE
1100	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2960	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
2444	yuejduhr.exe
2444	yuejduhr.exe
2444	yuejduhr.exe
2444	yuejduhr.exe
760	windaprOc.exe
2340	windaprOc.exe
2340	windaprOc.exe
2340	windaprOc.exe
2444	yuejduhr.exe
2444	yuejduhr.exe
2960	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
Token: SeDebugPrivilege	2444	yuejduhr.exe
Token: SeDebugPrivilege	2960	AddInProcess32.exe
Token: SeDebugPrivilege	760	windaprOc.exe
Token: SeDebugPrivilege	2340	windaprOc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	AddInProcess32.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2704	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	30
PID 2512 wrote to memory of 2704	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	30
PID 2512 wrote to memory of 2704	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	30
PID 2512 wrote to memory of 2704	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	30
PID 2704 wrote to memory of 2256	2704	cmd.exe	32
PID 2704 wrote to memory of 2256	2704	cmd.exe	32
PID 2704 wrote to memory of 2256	2704	cmd.exe	32
PID 2704 wrote to memory of 2256	2704	cmd.exe	32
PID 2512 wrote to memory of 2612	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	33
PID 2512 wrote to memory of 2612	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	33
PID 2512 wrote to memory of 2612	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	33
PID 2512 wrote to memory of 2612	2512	NEAS.e568bed1c5e03e331654dee826b23930_JC.exe	33
PID 2612 wrote to memory of 2044	2612	cmd.exe	35
PID 2612 wrote to memory of 2044	2612	cmd.exe	35
PID 2612 wrote to memory of 2044	2612	cmd.exe	35
PID 2612 wrote to memory of 2044	2612	cmd.exe	35
PID 2704 wrote to memory of 2636	2704	cmd.exe	36
PID 2704 wrote to memory of 2636	2704	cmd.exe	36
PID 2704 wrote to memory of 2636	2704	cmd.exe	36
PID 2704 wrote to memory of 2636	2704	cmd.exe	36
PID 2612 wrote to memory of 1100	2612	cmd.exe	37
PID 2612 wrote to memory of 1100	2612	cmd.exe	37
PID 2612 wrote to memory of 1100	2612	cmd.exe	37
PID 2612 wrote to memory of 1100	2612	cmd.exe	37
PID 2612 wrote to memory of 2444	2612	cmd.exe	38
PID 2612 wrote to memory of 2444	2612	cmd.exe	38
PID 2612 wrote to memory of 2444	2612	cmd.exe	38
PID 2612 wrote to memory of 2444	2612	cmd.exe	38
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 2960	2444	yuejduhr.exe	39
PID 2444 wrote to memory of 760	2444	yuejduhr.exe	40
PID 2444 wrote to memory of 760	2444	yuejduhr.exe	40
PID 2444 wrote to memory of 760	2444	yuejduhr.exe	40
PID 2444 wrote to memory of 760	2444	yuejduhr.exe	40
PID 760 wrote to memory of 2340	760	windaprOc.exe	42
PID 760 wrote to memory of 2340	760	windaprOc.exe	42
PID 760 wrote to memory of 2340	760	windaprOc.exe	42
PID 760 wrote to memory of 2340	760	windaprOc.exe	42

C:\Users\Admin\AppData\Local\Temp\NEAS.e568bed1c5e03e331654dee826b23930_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e568bed1c5e03e331654dee826b23930_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\yuejduhr.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 9
    3⤵
    - Runs ping.exe
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\yuejduhr.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\NEAS.e568bed1c5e03e331654dee826b23930_JC.exe" "C:\Users\Admin\AppData\Roaming\yuejduhr.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\yuejduhr.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 18
    3⤵
    - Runs ping.exe
    PID:2044
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 18
    3⤵
    - Runs ping.exe
    PID:1100
- - C:\Users\Admin\AppData\Roaming\yuejduhr.exe
    "C:\Users\Admin\AppData\Roaming\yuejduhr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\windaprOc.exe
      "C:\Users\Admin\AppData\Local\Temp\windaprOc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\windaprOc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\windaprOc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\windaprOc.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windaprOc.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windaprOc.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windaprOc.txt

Filesize
56B

MD5
a0fff0e681ef25ee9eb913d0619a6ada

SHA1
6b6591495cb3723d9781dfec232667e1c9de16ae

SHA256
2572e4b5accaeefad43e9b435709dbf404e2b31738878222bdfd1059d39b5e12

SHA512
83a5f79792be6db571baf1eb80f67c12d5b0b8dc99c1320301bee3cc8395b9dce2842e5f9ffc9b5d9b5f07b02397fc31c4892f554116663600a6682bcf13bd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\windaprOc.txt

Filesize
57B

MD5
cf0d11e27028aa1b88929a7c01877a12

SHA1
b48b482f3f4eaaa5609e7a21760ace659a16f701

SHA256
ea88f6238776c7070790cf091216aa6eaa08540aea643c6a844231350faf35d2

SHA512
db58a7a269f2d98798947ce35c5da0147db72e639e3c8f7453c88016e271c717e851e57b96794a663307bbfa565234edf031c67a86b119ab8749be17b711f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\windaprOc.txt

Filesize
57B

MD5
cf0d11e27028aa1b88929a7c01877a12

SHA1
b48b482f3f4eaaa5609e7a21760ace659a16f701

SHA256
ea88f6238776c7070790cf091216aa6eaa08540aea643c6a844231350faf35d2

SHA512
db58a7a269f2d98798947ce35c5da0147db72e639e3c8f7453c88016e271c717e851e57b96794a663307bbfa565234edf031c67a86b119ab8749be17b711f2c6

Download Submit
C:\Users\Admin\AppData\Roaming\yuejduhr.exe

Filesize
675KB

MD5
e568bed1c5e03e331654dee826b23930

SHA1
7c0afd12c32103cbd4362e42f334bc072f0ae110

SHA256
4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133

SHA512
488c6e5e11127abda7667de1b4a7d457d43effea5c245258cac35f50c63a7829d74cee16c7d3de72d6f66642d2ea7929bb9e61ae72af3fa801c0e137e6df607f

Download Submit
C:\Users\Admin\AppData\Roaming\yuejduhr.exe

Filesize
675KB

MD5
e568bed1c5e03e331654dee826b23930

SHA1
7c0afd12c32103cbd4362e42f334bc072f0ae110

SHA256
4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133

SHA512
488c6e5e11127abda7667de1b4a7d457d43effea5c245258cac35f50c63a7829d74cee16c7d3de72d6f66642d2ea7929bb9e61ae72af3fa801c0e137e6df607f

Download Submit
\Users\Admin\AppData\Local\Temp\windaprOc.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\windaprOc.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\yuejduhr.exe

Filesize
675KB

MD5
e568bed1c5e03e331654dee826b23930

SHA1
7c0afd12c32103cbd4362e42f334bc072f0ae110

SHA256
4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133

SHA512
488c6e5e11127abda7667de1b4a7d457d43effea5c245258cac35f50c63a7829d74cee16c7d3de72d6f66642d2ea7929bb9e61ae72af3fa801c0e137e6df607f

Download Submit
memory/760-53-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/760-52-0x0000000000E70000-0x0000000000E8A000-memory.dmp

Filesize
104KB

Download
memory/760-62-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-63-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-69-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-17-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-20-0x0000000000A80000-0x0000000000A86000-memory.dmp

Filesize
24KB

Download
memory/2444-21-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2444-14-0x0000000000D90000-0x0000000000E3E000-memory.dmp

Filesize
696KB

Download
memory/2444-15-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-16-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2444-18-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2444-19-0x0000000000990000-0x00000000009AA000-memory.dmp

Filesize
104KB

Download
memory/2444-34-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2512-6-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-0-0x00000000013C0000-0x000000000146E000-memory.dmp

Filesize
696KB

Download
memory/2512-1-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2512-3-0x0000000000910000-0x0000000000952000-memory.dmp

Filesize
264KB

Download
memory/2512-4-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-5-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2960-45-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/2960-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-54-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2960-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-41-0x00000000005F0000-0x000000000060E000-memory.dmp

Filesize
120KB

Download
memory/2960-44-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2960-43-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2960-42-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-65-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-66-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2960-67-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2960-68-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2960-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download