xworm | 6d5cc4169a9cf1cbc7acfe5c08cfaa8ee0ffa5e705fb163ba09bcd507b2c9869

Analysis

max time kernel
1762s
max time network
1772s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
12/12/2023, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CRACK.exe
Size

60KB
MD5

01324458749373682aa6851e1632eeb0
SHA1

f358e48cbd4fb5c005e554eba414a245affcface
SHA256

6d5cc4169a9cf1cbc7acfe5c08cfaa8ee0ffa5e705fb163ba09bcd507b2c9869
SHA512

75ee09cfcc02fdf26dbf8e42185c92c2c85ea77755327bf1eda9fd7280b291882119b894a33e16860776487f6d7fe7bcb0a9832d5d82740443a56a0e70dd8c2f
SSDEEP

1536:osTETXuSwKG3ut0zBiwagTkba1FiaGGPHY6xDKXOU70ssF:pEdwzk0zB1Tkb4F77KXOU70ssF

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

major-alloy.gl.at.ply.gg:42963

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2484-0-0x00000000009D0000-0x00000000009E6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	CRACK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	CRACK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	CRACK.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe
Token: SeLoadDriverPrivilege	5104	powershell.exe
Token: SeSystemProfilePrivilege	5104	powershell.exe
Token: SeSystemtimePrivilege	5104	powershell.exe
Token: SeProfSingleProcessPrivilege	5104	powershell.exe
Token: SeIncBasePriorityPrivilege	5104	powershell.exe
Token: SeCreatePagefilePrivilege	5104	powershell.exe
Token: SeBackupPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	5104	powershell.exe
Token: SeShutdownPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeSystemEnvironmentPrivilege	5104	powershell.exe
Token: SeRemoteShutdownPrivilege	5104	powershell.exe
Token: SeUndockPrivilege	5104	powershell.exe
Token: SeManageVolumePrivilege	5104	powershell.exe
Token: 33	5104	powershell.exe
Token: 34	5104	powershell.exe
Token: 35	5104	powershell.exe
Token: 36	5104	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe
Token: 35	3092	powershell.exe
Token: 36	3092	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeIncreaseQuotaPrivilege	2304	powershell.exe
Token: SeSecurityPrivilege	2304	powershell.exe
Token: SeTakeOwnershipPrivilege	2304	powershell.exe
Token: SeLoadDriverPrivilege	2304	powershell.exe
Token: SeSystemProfilePrivilege	2304	powershell.exe
Token: SeSystemtimePrivilege	2304	powershell.exe
Token: SeProfSingleProcessPrivilege	2304	powershell.exe
Token: SeIncBasePriorityPrivilege	2304	powershell.exe
Token: SeCreatePagefilePrivilege	2304	powershell.exe
Token: SeBackupPrivilege	2304	powershell.exe
Token: SeRestorePrivilege	2304	powershell.exe
Token: SeShutdownPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeSystemEnvironmentPrivilege	2304	powershell.exe
Token: SeRemoteShutdownPrivilege	2304	powershell.exe
Token: SeUndockPrivilege	2304	powershell.exe
Token: SeManageVolumePrivilege	2304	powershell.exe
Token: 33	2304	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 5104	2484	CRACK.exe	73
PID 2484 wrote to memory of 5104	2484	CRACK.exe	73
PID 2484 wrote to memory of 3092	2484	CRACK.exe	76
PID 2484 wrote to memory of 3092	2484	CRACK.exe	76
PID 2484 wrote to memory of 2304	2484	CRACK.exe	79
PID 2484 wrote to memory of 2304	2484	CRACK.exe	79
PID 2484 wrote to memory of 2456	2484	CRACK.exe	81
PID 2484 wrote to memory of 2456	2484	CRACK.exe	81

C:\Users\Admin\AppData\Local\Temp\CRACK.exe
"C:\Users\Admin\AppData\Local\Temp\CRACK.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CRACK.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CRACK.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33ab21a1031e2effa1fd54b000c98c2a

SHA1
e338358c58738bfc49f2efb3c992958601fa040c

SHA256
35d91bab97ad91e43b4446a3173123bcabc19bb2b445c62c509d4cba44ac6b4c

SHA512
7900c69fb86d237ceb25592c0b17d0e5fc2041bbbfac76d0c294482ee3b1aa0e332eb71a90e8931f74ed0d93bc90b54183b4146b0155c7665eaa32f18a29c585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f19122edc1c1db08c50168afe3297931

SHA1
8a4253822b04993916a8fe8d37c0a5588e9467ea

SHA256
f15868d1cda4f5f72995d4143e29359ef32790f88c8518d5137a592b5ee8c2c0

SHA512
413a61d9d619cae96e6b8320240b86730ac4700c3ee47307d13a3448572b596069f88ef07687d7042624b54d222c8ad0a544744f88bdaeaaf21b5cbf6a3a9222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d10debb287e9f2d0ac62dce086b67aa3

SHA1
19a2599309c36532afce2a6336ddf7516a0efa23

SHA256
56fd7a477c9cd3dd3e28d9fd7f0c9a780c0f3c5a4a1403ce78a80bb5de8282c8

SHA512
73ddd125c6218ca44e667ffe96f8cb581cf711b486970c5e5fb28cb4d99d4f56391585f6e1343fab96aba3dec944b4b8bedc8e5346cd613ddca6292ad144018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zp0txbzw.i4h.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2304-109-0x000001D741910000-0x000001D741920000-memory.dmp

Filesize
64KB

Download
memory/2304-108-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-124-0x000001D741910000-0x000001D741920000-memory.dmp

Filesize
64KB

Download
memory/2304-111-0x000001D741910000-0x000001D741920000-memory.dmp

Filesize
64KB

Download
memory/2304-146-0x000001D741910000-0x000001D741920000-memory.dmp

Filesize
64KB

Download
memory/2304-150-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-195-0x0000024E2A420000-0x0000024E2A430000-memory.dmp

Filesize
64KB

Download
memory/2456-156-0x0000024E2A420000-0x0000024E2A430000-memory.dmp

Filesize
64KB

Download
memory/2456-155-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-158-0x0000024E2A420000-0x0000024E2A430000-memory.dmp

Filesize
64KB

Download
memory/2456-173-0x0000024E2A420000-0x0000024E2A430000-memory.dmp

Filesize
64KB

Download
memory/2456-199-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-0-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/2484-98-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-203-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/2484-204-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/2484-1-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/3092-99-0x0000024CAD560000-0x0000024CAD570000-memory.dmp

Filesize
64KB

Download
memory/3092-101-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/3092-75-0x0000024CAD560000-0x0000024CAD570000-memory.dmp

Filesize
64KB

Download
memory/3092-62-0x0000024CAD560000-0x0000024CAD570000-memory.dmp

Filesize
64KB

Download
memory/3092-60-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/5104-52-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download
memory/5104-48-0x000002C3EDB90000-0x000002C3EDBA0000-memory.dmp

Filesize
64KB

Download
memory/5104-25-0x000002C3EDB90000-0x000002C3EDBA0000-memory.dmp

Filesize
64KB

Download
memory/5104-12-0x000002C3EDE20000-0x000002C3EDE96000-memory.dmp

Filesize
472KB

Download
memory/5104-9-0x000002C3EDB00000-0x000002C3EDB22000-memory.dmp

Filesize
136KB

Download
memory/5104-8-0x000002C3EDB90000-0x000002C3EDBA0000-memory.dmp

Filesize
64KB

Download
memory/5104-7-0x000002C3EDB90000-0x000002C3EDBA0000-memory.dmp

Filesize
64KB

Download
memory/5104-6-0x00007FFE2D4B0000-0x00007FFE2DE9C000-memory.dmp

Filesize
9.9MB

Download