xworm | 9d4991393962992db54a17e7aad1152a8965c3d51ac309d35768953f7e20dac5

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
25/11/2023, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

235KB
MD5

715d9e1786839981fc5aa6ec4c9df1a6
SHA1

e4f3d03f3e92faa404669b55c7c28aba157a44ac
SHA256

9d4991393962992db54a17e7aad1152a8965c3d51ac309d35768953f7e20dac5
SHA512

be181551a7c705e9b18c812defbc86790bd32f67da474e61dd07fc8cd36030b58e7cf908a1db2fe826ec0ec8ed3d08c0b42bda1a8731213424ba7e5ef477c534
SSDEEP

3072:FjToRFRb8MPOin68SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NzLnQ:2RFRbVX6UhcX7elbKTua9bfF/H9d9n

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:8888

93.123.85.68:8888

Attributes

Install_directory
%ProgramData%
install_file
WinRar.exe
telegram
https://api.telegram.org/bot5831501082:AAELkQ6xM7p_N7x74e8Xrku-_ibYekoBMcY

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000170000-0x00000000001B0000-memory.dmp	family_xworm
behavioral1/files/0x00080000000120e5-61.dat	family_xworm
behavioral1/files/0x00080000000120e5-62.dat	family_xworm
behavioral1/memory/1232-63-0x0000000000F00000-0x0000000000F40000-memory.dmp	family_xworm
behavioral1/files/0x00080000000120e5-68.dat	family_xworm
behavioral1/memory/1816-69-0x0000000000110000-0x0000000000150000-memory.dmp	family_xworm
behavioral1/files/0x00080000000120e5-72.dat	family_xworm
behavioral1/memory/2008-73-0x0000000000340000-0x0000000000380000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRar.lnk	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRar.lnk	tmp.exe

Executes dropped EXE 3 IoCs

pid	Process
1232	WinRar.exe
1816	WinRar.exe
2008	WinRar.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRar = "C:\\ProgramData\\WinRar.exe"	tmp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2692	powershell.exe
2860	powershell.exe
2568	powershell.exe
2812	powershell.exe
2108	tmp.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	tmp.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2108	tmp.exe
Token: SeDebugPrivilege	1232	WinRar.exe
Token: SeDebugPrivilege	1816	WinRar.exe
Token: SeDebugPrivilege	2008	WinRar.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	tmp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2692	2108	tmp.exe	29
PID 2108 wrote to memory of 2692	2108	tmp.exe	29
PID 2108 wrote to memory of 2692	2108	tmp.exe	29
PID 2108 wrote to memory of 2860	2108	tmp.exe	31
PID 2108 wrote to memory of 2860	2108	tmp.exe	31
PID 2108 wrote to memory of 2860	2108	tmp.exe	31
PID 2108 wrote to memory of 2568	2108	tmp.exe	33
PID 2108 wrote to memory of 2568	2108	tmp.exe	33
PID 2108 wrote to memory of 2568	2108	tmp.exe	33
PID 2108 wrote to memory of 2812	2108	tmp.exe	35
PID 2108 wrote to memory of 2812	2108	tmp.exe	35
PID 2108 wrote to memory of 2812	2108	tmp.exe	35
PID 2108 wrote to memory of 1076	2108	tmp.exe	38
PID 2108 wrote to memory of 1076	2108	tmp.exe	38
PID 2108 wrote to memory of 1076	2108	tmp.exe	38
PID 2800 wrote to memory of 1232	2800	taskeng.exe	40
PID 2800 wrote to memory of 1232	2800	taskeng.exe	40
PID 2800 wrote to memory of 1232	2800	taskeng.exe	40
PID 2800 wrote to memory of 1816	2800	taskeng.exe	43
PID 2800 wrote to memory of 1816	2800	taskeng.exe	43
PID 2800 wrote to memory of 1816	2800	taskeng.exe	43
PID 2800 wrote to memory of 2008	2800	taskeng.exe	44
PID 2800 wrote to memory of 2008	2800	taskeng.exe	44
PID 2800 wrote to memory of 2008	2800	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'tmp.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinRar.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRar.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRar" /tr "C:\ProgramData\WinRar.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1076

C:\Windows\system32\taskeng.exe
taskeng.exe {6E080EA9-E511-44BF-ADE8-AE65AAC22EF5} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\ProgramData\WinRar.exe
  C:\ProgramData\WinRar.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\ProgramData\WinRar.exe
  C:\ProgramData\WinRar.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\ProgramData\WinRar.exe
  C:\ProgramData\WinRar.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinRar.exe

Filesize
235KB

MD5
715d9e1786839981fc5aa6ec4c9df1a6

SHA1
e4f3d03f3e92faa404669b55c7c28aba157a44ac

SHA256
9d4991393962992db54a17e7aad1152a8965c3d51ac309d35768953f7e20dac5

SHA512
be181551a7c705e9b18c812defbc86790bd32f67da474e61dd07fc8cd36030b58e7cf908a1db2fe826ec0ec8ed3d08c0b42bda1a8731213424ba7e5ef477c534

Download Submit
C:\ProgramData\WinRar.exe

Filesize
235KB

MD5
715d9e1786839981fc5aa6ec4c9df1a6

SHA1
e4f3d03f3e92faa404669b55c7c28aba157a44ac

SHA256
9d4991393962992db54a17e7aad1152a8965c3d51ac309d35768953f7e20dac5

SHA512
be181551a7c705e9b18c812defbc86790bd32f67da474e61dd07fc8cd36030b58e7cf908a1db2fe826ec0ec8ed3d08c0b42bda1a8731213424ba7e5ef477c534

Download Submit
C:\ProgramData\WinRar.exe

Filesize
235KB

MD5
715d9e1786839981fc5aa6ec4c9df1a6

SHA1
e4f3d03f3e92faa404669b55c7c28aba157a44ac

SHA256
9d4991393962992db54a17e7aad1152a8965c3d51ac309d35768953f7e20dac5

SHA512
be181551a7c705e9b18c812defbc86790bd32f67da474e61dd07fc8cd36030b58e7cf908a1db2fe826ec0ec8ed3d08c0b42bda1a8731213424ba7e5ef477c534

Download Submit
C:\ProgramData\WinRar.exe

Filesize
235KB

MD5
715d9e1786839981fc5aa6ec4c9df1a6

SHA1
e4f3d03f3e92faa404669b55c7c28aba157a44ac

SHA256
9d4991393962992db54a17e7aad1152a8965c3d51ac309d35768953f7e20dac5

SHA512
be181551a7c705e9b18c812defbc86790bd32f67da474e61dd07fc8cd36030b58e7cf908a1db2fe826ec0ec8ed3d08c0b42bda1a8731213424ba7e5ef477c534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33a5b49d7378fdc1c8565470983ad46e

SHA1
3a42540fc742c61078acfe210738e65acaf3e322

SHA256
131b9b403c85e0a547d39c62a366dfa619794d5f5e00e9745712c6d2228eea9d

SHA512
6362bf03fa0df5809618cedbf5bde63a024ab386286ee0c162234daff6a45a6952fc3ed4ebdffceee2de18d172e89faa06fdfa47a020fc4f6be58a31868c688b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33a5b49d7378fdc1c8565470983ad46e

SHA1
3a42540fc742c61078acfe210738e65acaf3e322

SHA256
131b9b403c85e0a547d39c62a366dfa619794d5f5e00e9745712c6d2228eea9d

SHA512
6362bf03fa0df5809618cedbf5bde63a024ab386286ee0c162234daff6a45a6952fc3ed4ebdffceee2de18d172e89faa06fdfa47a020fc4f6be58a31868c688b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33a5b49d7378fdc1c8565470983ad46e

SHA1
3a42540fc742c61078acfe210738e65acaf3e322

SHA256
131b9b403c85e0a547d39c62a366dfa619794d5f5e00e9745712c6d2228eea9d

SHA512
6362bf03fa0df5809618cedbf5bde63a024ab386286ee0c162234daff6a45a6952fc3ed4ebdffceee2de18d172e89faa06fdfa47a020fc4f6be58a31868c688b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BY2EQ8OVOWYULW4AGBP7.temp

Filesize
7KB

MD5
33a5b49d7378fdc1c8565470983ad46e

SHA1
3a42540fc742c61078acfe210738e65acaf3e322

SHA256
131b9b403c85e0a547d39c62a366dfa619794d5f5e00e9745712c6d2228eea9d

SHA512
6362bf03fa0df5809618cedbf5bde63a024ab386286ee0c162234daff6a45a6952fc3ed4ebdffceee2de18d172e89faa06fdfa47a020fc4f6be58a31868c688b

Download Submit
memory/1232-65-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-64-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-63-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/1816-71-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1816-70-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1816-69-0x0000000000110000-0x0000000000150000-memory.dmp

Filesize
256KB

Download
memory/2008-73-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2008-74-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-28-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-2-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2108-1-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-0-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2108-42-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2568-40-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2568-43-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2568-38-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2568-39-0x000007FEEEF00000-0x000007FEEF89D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-37-0x000007FEEEF00000-0x000007FEEF89D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-41-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2568-44-0x000007FEEEF00000-0x000007FEEF89D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-13-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2692-10-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2692-7-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-9-0x000007FEEEF00000-0x000007FEEF89D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-8-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2692-11-0x000007FEEEF00000-0x000007FEEF89D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-12-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2692-14-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2692-15-0x000007FEEEF00000-0x000007FEEF89D000-memory.dmp

Filesize
9.6MB

Download
memory/2812-52-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/2812-51-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/2812-50-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-55-0x0000000002BBB000-0x0000000002C22000-memory.dmp

Filesize
412KB

Download
memory/2812-54-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-66-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/2812-53-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/2860-26-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-23-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2860-21-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2860-25-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2860-22-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-24-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2860-27-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2860-29-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-30-0x00000000028BB000-0x0000000002922000-memory.dmp

Filesize
412KB

Download