xworm | 7e538f304d733f1ef18175f7693748645b4425cd4dd3461a494bd45e9e7d75a6

Analysis

max time kernel
7s
max time network
19s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xfnpub_protected.exe
Size

3.4MB
MD5

33b76c675cfddebb043ba6ec18b7bf6d
SHA1

582617d3c14ff7ccd75278b60c87cf87bee51ca0
SHA256

7e538f304d733f1ef18175f7693748645b4425cd4dd3461a494bd45e9e7d75a6
SHA512

1fcd6a9099bbe4485c3fe67140c951771d5f9abcf928c0931b91ee34d2937905bfefd1b0eda1825f0776870a19dc0df6b9724aefd9662fa11d9a1733e77c2f1f
SSDEEP

98304:mYwxP9hSuddhN7S1evZU5RXtCV/UzLnqPgYrb+zD:KzhzJSn0qjqPZbs

Score

10^/10

xworm evasion rat themida trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/s2R3Fsug
telegram
https://api.telegram.org/bot6422351504:AAGnZ2RrQQvFeVRJkiAoCAqWwaCIWQBepcU/sendMessage?chat_id=6605360232

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012025-32.dat	family_xworm
behavioral1/files/0x000a000000012025-33.dat	family_xworm
behavioral1/files/0x000a000000012025-35.dat	family_xworm
behavioral1/memory/2688-50-0x00000000010A0000-0x00000000010BC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Xfnpub_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Xfnpub_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Xfnpub_protected.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	Xfnpub_protected.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2360-26-0x0000000000F40000-0x000000000182C000-memory.dmp	themida
behavioral1/memory/2360-27-0x0000000000F40000-0x000000000182C000-memory.dmp	themida
behavioral1/memory/2360-49-0x0000000000F40000-0x000000000182C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Xfnpub_protected.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2360	Xfnpub_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2360	Xfnpub_protected.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2688	2360	Xfnpub_protected.exe	28
PID 2360 wrote to memory of 2688	2360	Xfnpub_protected.exe	28
PID 2360 wrote to memory of 2688	2360	Xfnpub_protected.exe	28
PID 2360 wrote to memory of 2688	2360	Xfnpub_protected.exe	28

C:\Users\Admin\AppData\Local\Temp\Xfnpub_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Xfnpub_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\Xcheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Xcheat.exe"
  2⤵
  PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 3
    3⤵
    PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 3
    3⤵
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xcheat.exe

Filesize
305KB

MD5
492a14fdfe5f3cef7d8415c5c3000f02

SHA1
469b6dd59e2128767c92841f766d381431c251b4

SHA256
073b38f3bc17cfdaad97e1008686f5da55f201ac707b1919f0b9ace202303cfc

SHA512
314b1edae8b602a8a6dd1fb41a336c513707758d080fcbbcdfc241c7955b7e5602f7a2d6937020a3b0d92a9f4a7a1eff42dc5de17e68242ead0fa13aef8b9f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xcheat.exe

Filesize
305KB

MD5
492a14fdfe5f3cef7d8415c5c3000f02

SHA1
469b6dd59e2128767c92841f766d381431c251b4

SHA256
073b38f3bc17cfdaad97e1008686f5da55f201ac707b1919f0b9ace202303cfc

SHA512
314b1edae8b602a8a6dd1fb41a336c513707758d080fcbbcdfc241c7955b7e5602f7a2d6937020a3b0d92a9f4a7a1eff42dc5de17e68242ead0fa13aef8b9f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
88KB

MD5
fd64566ffd52e3c8444d2d0edce32744

SHA1
e5fe4bee07bbc9f8ef552938166ab93a98cb68f7

SHA256
3f86a761cdc8cd43b5610f74a8c4c476d8e3e4e77f2dbdaa92164a16ffa34fa4

SHA512
4f11475b3b8af36f52e6d289f3ecfed05dfa88e322ce987ac357d7602d280a5682f315e2a43f4fe3cb7538acdad936b01ff8e124e57332d36033c1384108f8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
88KB

MD5
fd64566ffd52e3c8444d2d0edce32744

SHA1
e5fe4bee07bbc9f8ef552938166ab93a98cb68f7

SHA256
3f86a761cdc8cd43b5610f74a8c4c476d8e3e4e77f2dbdaa92164a16ffa34fa4

SHA512
4f11475b3b8af36f52e6d289f3ecfed05dfa88e322ce987ac357d7602d280a5682f315e2a43f4fe3cb7538acdad936b01ff8e124e57332d36033c1384108f8bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f0526a9cf9eb6c1021f0499314ecdb9

SHA1
28ef823130f8473489e06656021a4b57a2e01882

SHA256
e0a565cb33484d1fc47f2c67a3009e95172dcd05d713c827d3eb1090690d27b2

SHA512
6762aa820cfb4b3e194070146c001f2c47cbd75368a18c63e788fedde2a3df853dc6c8d93b12ea7890a5a12263598fe4f2017c9e7acec64aa59c7b9a77ea31e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f0526a9cf9eb6c1021f0499314ecdb9

SHA1
28ef823130f8473489e06656021a4b57a2e01882

SHA256
e0a565cb33484d1fc47f2c67a3009e95172dcd05d713c827d3eb1090690d27b2

SHA512
6762aa820cfb4b3e194070146c001f2c47cbd75368a18c63e788fedde2a3df853dc6c8d93b12ea7890a5a12263598fe4f2017c9e7acec64aa59c7b9a77ea31e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f0526a9cf9eb6c1021f0499314ecdb9

SHA1
28ef823130f8473489e06656021a4b57a2e01882

SHA256
e0a565cb33484d1fc47f2c67a3009e95172dcd05d713c827d3eb1090690d27b2

SHA512
6762aa820cfb4b3e194070146c001f2c47cbd75368a18c63e788fedde2a3df853dc6c8d93b12ea7890a5a12263598fe4f2017c9e7acec64aa59c7b9a77ea31e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6UO1393QG7G4Z3SJ6YX1.temp

Filesize
7KB

MD5
0f0526a9cf9eb6c1021f0499314ecdb9

SHA1
28ef823130f8473489e06656021a4b57a2e01882

SHA256
e0a565cb33484d1fc47f2c67a3009e95172dcd05d713c827d3eb1090690d27b2

SHA512
6762aa820cfb4b3e194070146c001f2c47cbd75368a18c63e788fedde2a3df853dc6c8d93b12ea7890a5a12263598fe4f2017c9e7acec64aa59c7b9a77ea31e2

Download Submit
\Users\Admin\AppData\Local\Temp\Xcheat.exe

Filesize
305KB

MD5
492a14fdfe5f3cef7d8415c5c3000f02

SHA1
469b6dd59e2128767c92841f766d381431c251b4

SHA256
073b38f3bc17cfdaad97e1008686f5da55f201ac707b1919f0b9ace202303cfc

SHA512
314b1edae8b602a8a6dd1fb41a336c513707758d080fcbbcdfc241c7955b7e5602f7a2d6937020a3b0d92a9f4a7a1eff42dc5de17e68242ead0fa13aef8b9f37

Download Submit
\Users\Admin\AppData\Local\Temp\Xcheat.exe

Filesize
305KB

MD5
492a14fdfe5f3cef7d8415c5c3000f02

SHA1
469b6dd59e2128767c92841f766d381431c251b4

SHA256
073b38f3bc17cfdaad97e1008686f5da55f201ac707b1919f0b9ace202303cfc

SHA512
314b1edae8b602a8a6dd1fb41a336c513707758d080fcbbcdfc241c7955b7e5602f7a2d6937020a3b0d92a9f4a7a1eff42dc5de17e68242ead0fa13aef8b9f37

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
88KB

MD5
fd64566ffd52e3c8444d2d0edce32744

SHA1
e5fe4bee07bbc9f8ef552938166ab93a98cb68f7

SHA256
3f86a761cdc8cd43b5610f74a8c4c476d8e3e4e77f2dbdaa92164a16ffa34fa4

SHA512
4f11475b3b8af36f52e6d289f3ecfed05dfa88e322ce987ac357d7602d280a5682f315e2a43f4fe3cb7538acdad936b01ff8e124e57332d36033c1384108f8bd

Download Submit
memory/1436-79-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1436-78-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1436-77-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1436-76-0x000007FEED4A0000-0x000007FEEDE3D000-memory.dmp

Filesize
9.6MB

Download
memory/1436-73-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1436-75-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1436-74-0x000007FEED4A0000-0x000007FEEDE3D000-memory.dmp

Filesize
9.6MB

Download
memory/1436-72-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1436-80-0x000007FEED4A0000-0x000007FEEDE3D000-memory.dmp

Filesize
9.6MB

Download
memory/1452-63-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1452-58-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp

Filesize
9.6MB

Download
memory/1452-65-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1452-57-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/1452-62-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp

Filesize
9.6MB

Download
memory/1452-59-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1452-61-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1452-66-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp

Filesize
9.6MB

Download
memory/1452-60-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/1752-88-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1752-91-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1752-87-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp

Filesize
9.6MB

Download
memory/1752-92-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1752-89-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1752-86-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp

Filesize
9.6MB

Download
memory/1752-93-0x000007FEEDE40000-0x000007FEEE7DD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-18-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-17-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-49-0x0000000000F40000-0x000000000182C000-memory.dmp

Filesize
8.9MB

Download
memory/2360-1-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-2-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-3-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-47-0x00000000768E0000-0x0000000076927000-memory.dmp

Filesize
284KB

Download
memory/2360-45-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-43-0x0000000000F40000-0x000000000182C000-memory.dmp

Filesize
8.9MB

Download
memory/2360-30-0x00000000055F0000-0x0000000005630000-memory.dmp

Filesize
256KB

Download
memory/2360-27-0x0000000000F40000-0x000000000182C000-memory.dmp

Filesize
8.9MB

Download
memory/2360-26-0x0000000000F40000-0x000000000182C000-memory.dmp

Filesize
8.9MB

Download
memory/2360-25-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-4-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-23-0x00000000778D0000-0x00000000778D2000-memory.dmp

Filesize
8KB

Download
memory/2360-21-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-20-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-19-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-0-0x0000000000F40000-0x000000000182C000-memory.dmp

Filesize
8.9MB

Download
memory/2360-48-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-16-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-15-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-14-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-13-0x00000000768E0000-0x0000000076927000-memory.dmp

Filesize
284KB

Download
memory/2360-12-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-11-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-10-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-7-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-9-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-8-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2360-5-0x00000000768E0000-0x0000000076927000-memory.dmp

Filesize
284KB

Download
memory/2360-6-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2688-90-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/2688-64-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-52-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/2688-51-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-50-0x00000000010A0000-0x00000000010BC000-memory.dmp

Filesize
112KB

Download