xworm | 0eec0c305ac36e8ed4b23d13b181fe8b89ed1cd1e91ed2d6a74e9c823df9b876

Analysis

max time kernel
132s
max time network
146s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 17:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1231231234.exe
Size

41KB
MD5

457d477db559d4c3639f95a1db360a96
SHA1

53bcc6a79a86dc98925d4be3824923877162c86b
SHA256

0eec0c305ac36e8ed4b23d13b181fe8b89ed1cd1e91ed2d6a74e9c823df9b876
SHA512

4ebf336d1baae14520f7d55c6dc9887b07ef551c8bbede03c2f5bb833a647e1b32d1e420d32c5a90d535901b9aa54fdda61b68e4b39200bcb64484bbbc79a26a
SSDEEP

768:kwV5gUaKc2YKjOpfJF5PM90vNq6MOwhR3Eua:ksiUHjYKjsFS92M6MOw79a

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

house-rooms.gl.at.ply.gg:5050

Mutex

oz8Ibpmd1olfFKd1

Attributes

Install_directory
%AppData%
install_file
2234.exe

aes.plain

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/memory/884-0-0x0000000000C10000-0x0000000000C20000-memory.dmp	family_xworm
behavioral1/files/0x00090000000120ca-63.dat	family_xworm
behavioral1/memory/2736-64-0x0000000000960000-0x0000000000970000-memory.dmp	family_xworm
behavioral1/files/0x00090000000120ca-62.dat	family_xworm
behavioral1/files/0x00090000000120ca-67.dat	family_xworm
behavioral1/memory/2064-68-0x0000000000A40000-0x0000000000A50000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2234.lnk	1231231234.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2234.lnk	1231231234.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	2234.exe
2064	2234.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2776	powershell.exe
2648	powershell.exe
2528	powershell.exe
108	powershell.exe
884	1231231234.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	1231231234.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	884	1231231234.exe
Token: SeDebugPrivilege	2736	2234.exe
Token: SeDebugPrivilege	2064	2234.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	1231231234.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2776	884	1231231234.exe	30
PID 884 wrote to memory of 2776	884	1231231234.exe	30
PID 884 wrote to memory of 2776	884	1231231234.exe	30
PID 884 wrote to memory of 2648	884	1231231234.exe	32
PID 884 wrote to memory of 2648	884	1231231234.exe	32
PID 884 wrote to memory of 2648	884	1231231234.exe	32
PID 884 wrote to memory of 2528	884	1231231234.exe	34
PID 884 wrote to memory of 2528	884	1231231234.exe	34
PID 884 wrote to memory of 2528	884	1231231234.exe	34
PID 884 wrote to memory of 108	884	1231231234.exe	36
PID 884 wrote to memory of 108	884	1231231234.exe	36
PID 884 wrote to memory of 108	884	1231231234.exe	36
PID 884 wrote to memory of 2884	884	1231231234.exe	38
PID 884 wrote to memory of 2884	884	1231231234.exe	38
PID 884 wrote to memory of 2884	884	1231231234.exe	38
PID 2712 wrote to memory of 2736	2712	taskeng.exe	42
PID 2712 wrote to memory of 2736	2712	taskeng.exe	42
PID 2712 wrote to memory of 2736	2712	taskeng.exe	42
PID 2712 wrote to memory of 2064	2712	taskeng.exe	43
PID 2712 wrote to memory of 2064	2712	taskeng.exe	43
PID 2712 wrote to memory of 2064	2712	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1231231234.exe
"C:\Users\Admin\AppData\Local\Temp\1231231234.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1231231234.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1231231234.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\2234.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2234.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "2234" /tr "C:\Users\Admin\AppData\Roaming\2234.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2884

C:\Windows\system32\taskeng.exe
taskeng.exe {B0F9120D-40BF-48DC-BB05-57FCC5E06A2D} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Roaming\2234.exe
  C:\Users\Admin\AppData\Roaming\2234.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Users\Admin\AppData\Roaming\2234.exe
  C:\Users\Admin\AppData\Roaming\2234.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2234.exe

Filesize
41KB

MD5
457d477db559d4c3639f95a1db360a96

SHA1
53bcc6a79a86dc98925d4be3824923877162c86b

SHA256
0eec0c305ac36e8ed4b23d13b181fe8b89ed1cd1e91ed2d6a74e9c823df9b876

SHA512
4ebf336d1baae14520f7d55c6dc9887b07ef551c8bbede03c2f5bb833a647e1b32d1e420d32c5a90d535901b9aa54fdda61b68e4b39200bcb64484bbbc79a26a

Download Submit
C:\Users\Admin\AppData\Roaming\2234.exe

Filesize
41KB

MD5
457d477db559d4c3639f95a1db360a96

SHA1
53bcc6a79a86dc98925d4be3824923877162c86b

SHA256
0eec0c305ac36e8ed4b23d13b181fe8b89ed1cd1e91ed2d6a74e9c823df9b876

SHA512
4ebf336d1baae14520f7d55c6dc9887b07ef551c8bbede03c2f5bb833a647e1b32d1e420d32c5a90d535901b9aa54fdda61b68e4b39200bcb64484bbbc79a26a

Download Submit
C:\Users\Admin\AppData\Roaming\2234.exe

Filesize
41KB

MD5
457d477db559d4c3639f95a1db360a96

SHA1
53bcc6a79a86dc98925d4be3824923877162c86b

SHA256
0eec0c305ac36e8ed4b23d13b181fe8b89ed1cd1e91ed2d6a74e9c823df9b876

SHA512
4ebf336d1baae14520f7d55c6dc9887b07ef551c8bbede03c2f5bb833a647e1b32d1e420d32c5a90d535901b9aa54fdda61b68e4b39200bcb64484bbbc79a26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
259cc28f6be4c5f4220be33609d00bd3

SHA1
8989e8b69ded48419bb795115b33dbf26a040cc6

SHA256
655ed481137a9c2868c367c755cf01c1978e0d7a43defabf1e5166fe9d2656eb

SHA512
ca17e21296815e3f86f65806664fb92475a86a5daacdf92cf813e010dbd7059817f041109c1c6a458e00dbab6868b9243d2dc74779acf2883532dbdb7220aeee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
259cc28f6be4c5f4220be33609d00bd3

SHA1
8989e8b69ded48419bb795115b33dbf26a040cc6

SHA256
655ed481137a9c2868c367c755cf01c1978e0d7a43defabf1e5166fe9d2656eb

SHA512
ca17e21296815e3f86f65806664fb92475a86a5daacdf92cf813e010dbd7059817f041109c1c6a458e00dbab6868b9243d2dc74779acf2883532dbdb7220aeee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
259cc28f6be4c5f4220be33609d00bd3

SHA1
8989e8b69ded48419bb795115b33dbf26a040cc6

SHA256
655ed481137a9c2868c367c755cf01c1978e0d7a43defabf1e5166fe9d2656eb

SHA512
ca17e21296815e3f86f65806664fb92475a86a5daacdf92cf813e010dbd7059817f041109c1c6a458e00dbab6868b9243d2dc74779acf2883532dbdb7220aeee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V1N5RBVX6ATJRFV04JFV.temp

Filesize
7KB

MD5
259cc28f6be4c5f4220be33609d00bd3

SHA1
8989e8b69ded48419bb795115b33dbf26a040cc6

SHA256
655ed481137a9c2868c367c755cf01c1978e0d7a43defabf1e5166fe9d2656eb

SHA512
ca17e21296815e3f86f65806664fb92475a86a5daacdf92cf813e010dbd7059817f041109c1c6a458e00dbab6868b9243d2dc74779acf2883532dbdb7220aeee

Download Submit
memory/108-49-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/108-50-0x000007FEED260000-0x000007FEEDBFD000-memory.dmp

Filesize
9.6MB

Download
memory/108-54-0x000007FEED260000-0x000007FEEDBFD000-memory.dmp

Filesize
9.6MB

Download
memory/108-52-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/108-53-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/108-48-0x000007FEED260000-0x000007FEEDBFD000-memory.dmp

Filesize
9.6MB

Download
memory/108-51-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/884-42-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/884-2-0x000000001AA80000-0x000000001AB00000-memory.dmp

Filesize
512KB

Download
memory/884-0-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/884-1-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2064-68-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2064-70-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2064-69-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-35-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-39-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/2528-59-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-41-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-36-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/2528-38-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/2528-37-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-40-0x000000000265B000-0x00000000026C2000-memory.dmp

Filesize
412KB

Download
memory/2648-21-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2648-29-0x000007FEED260000-0x000007FEEDBFD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-27-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2648-25-0x000007FEED260000-0x000007FEEDBFD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-26-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2648-23-0x000007FEED260000-0x000007FEEDBFD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-24-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2648-22-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2648-28-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2736-64-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2736-65-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-66-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-15-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-14-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/2776-13-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-9-0x000007FEEDC00000-0x000007FEEE59D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-11-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2776-12-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2776-10-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2776-8-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2776-7-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download