xworm | 305817d3405f3f1d344836b74d5e04af40da8e11d5334c6401c94a3baceb34ea

Analysis

max time kernel
8s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a231145abbb216fb9ad0bb81c51832f5.exe
Size

92KB
MD5

a231145abbb216fb9ad0bb81c51832f5
SHA1

c93e051e8c374bbcb153b1862e6e101abb73775c
SHA256

305817d3405f3f1d344836b74d5e04af40da8e11d5334c6401c94a3baceb34ea
SHA512

3c67f60a04495fc14b3bdacf6d19a509c13dddcf29227696d69336878f3059bc33eb6a2183d12fd6a88c8fe0533c0787eb9599686564c061e3d500b1d34c3fcd
SSDEEP

1536:jynazMODiSbl57b/4tXzQP8AltrOSWht1s5qXxx3M9H+NjExnCMT3JuT+d/1SWPO:jOa9Dnv7ba85OTt25x+Z6Lh1ZP/Bjvfs

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/TgduC2Px

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/924-32-0x0000000000FA0000-0x0000000000FBA000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Templates\\ibkcqwg5.azq.exe"	a231145abbb216fb9ad0bb81c51832f5.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	a231145abbb216fb9ad0bb81c51832f5.exe

Executes dropped EXE 1 IoCs

pid	Process
924	ibkcqwg5.azq.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4556	schtasks.exe
5100	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	ibkcqwg5.azq.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2884	1512	a231145abbb216fb9ad0bb81c51832f5.exe	86
PID 1512 wrote to memory of 2884	1512	a231145abbb216fb9ad0bb81c51832f5.exe	86
PID 2884 wrote to memory of 4556	2884	CMD.exe	88
PID 2884 wrote to memory of 4556	2884	CMD.exe	88
PID 1512 wrote to memory of 924	1512	a231145abbb216fb9ad0bb81c51832f5.exe	92
PID 1512 wrote to memory of 924	1512	a231145abbb216fb9ad0bb81c51832f5.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a231145abbb216fb9ad0bb81c51832f5.exe
"C:\Users\Admin\AppData\Local\Temp\a231145abbb216fb9ad0bb81c51832f5.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4556
- C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe
  "C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe'
    3⤵
    PID:3856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ibkcqwg5.azq.exe'
    3⤵
    PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    PID:4916
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5100

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:528

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe

Filesize
245KB

MD5
e50a1df2027bca41c1fdb49e96687ae6

SHA1
96551834b644c25c12a72452023b101e38c9d68d

SHA256
ff9b0ec3d4acaf62a5a65fab5577ac5815e028d0315494b040bb638de3d18bbb

SHA512
e8e2ba4dfd76ea45fcd1762b5db4e3d55c9e701e914b68247cdd4a76231d7fd97f602402b2740a8a34bf771614f1a0f53a81289b838825b20b32a12be846f60b

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe

Filesize
108KB

MD5
1931d908fcb5755d456482729dcd0d74

SHA1
86100ca1bf6fce44e28295c14ef673b1275d5d31

SHA256
d2f4316aafabc1880f6f5c2223a67072eddd25b288e116d873e5f5dc77cbcdf7

SHA512
db844634332c3b0d85ab9cdea0dfe60b8d38eea2b67059ea6a2ecdb29a95ac38bbfba3f0bd9c16cf6ad641b79b1eb237ce2cf8ad9752ba5a7292379a53cb0e39

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe

Filesize
4.4MB

MD5
dcd2dca23b9f3e60091e2e8855ccc5f3

SHA1
2d13dc88f2fdf29c96cf6bfa91ac50999f5afc58

SHA256
9510615696bf0d472ea32f62dd61b30f93bc5320ec448dcd0026f91112a625df

SHA512
076d229b50ef7fee8c1d221a6e79e164f4999ac4c55d81306b6929b2e0c092b0c0e7a9ca8a9cd947b2ef15d6c674961127302d938b0abf93a9f27ddf730dd94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4178a021dab6578724f63a6a72b9b13b

SHA1
8e5d61c21edaafe4e2257ebe53f9b37b723838b7

SHA256
347338241585c510bb1fafae13447879318610ca4d844b0e73089957911d77fe

SHA512
0f49991948129415c2a02298072055d4de521e4a8cb9ae887bb2096683668fcb491b99d58fd6e239463a5ac981d756c4b2827cb52c1e1253b9cb114095e140c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zaedeyb.hs4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
62dc77e0e8dd3f0f0ef72d72d1038825

SHA1
45dbe8f53baf463edd1e9cbef67291e383257eb1

SHA256
9d2310696504c8a2da80ef05115e7fb6affcb97d7d2a22c43a6eab5b0ca8471b

SHA512
3bde5892639c59ec7e5ef2ecddf7a798f8b87c229c9859906e94706edb8f63673b3251f91e3efdb46fdee3034f6c8e5d86f7d1870dbb8a38ffb6f98fee6f60be

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1003KB

MD5
eb8d09117f8b384eefdba1f92ce612bb

SHA1
6fb28010b5dcfe92e50316dcd7862ae27a41cc1e

SHA256
8b46fa0fc6ba5968d3df7767d81d90fce1a00da192749eedc93fa0200ccf25eb

SHA512
149b8b959a5216a26899d95f9631ae2ac21c42e145ade28e6e92bb1257e2b4024f827c1f1bc8a31bca3cfe11e9f855dc4a0e0f9ed6a5db978188d4fda53f0bbd

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
177KB

MD5
5e67c5a6e1bfc4226ac30f144bf1cb22

SHA1
9496c9583efc0dcbff5bf7c980946cc67363282c

SHA256
9add375ce8863cbff39fd0f3f88d75ef176637d000cc25b75f61263e8718c34e

SHA512
618a2a2c9658d7726019ad576084e040eab528dc4cc5ddcd6beb1264865cd9629fe130cfb36a13cbd777f7568a50b68934951cf14349366cdc9f563fdc622340

Download Submit
memory/528-108-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/528-106-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/924-34-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/924-102-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/924-33-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/924-32-0x0000000000FA0000-0x0000000000FBA000-memory.dmp

Filesize
104KB

Download
memory/924-80-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/1272-82-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/1272-77-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/1272-79-0x000001DC62B20000-0x000001DC62B30000-memory.dmp

Filesize
64KB

Download
memory/1272-78-0x000001DC62B20000-0x000001DC62B30000-memory.dmp

Filesize
64KB

Download
memory/1512-2-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-31-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-0-0x00000000005E0000-0x00000000005FE000-memory.dmp

Filesize
120KB

Download
memory/2216-111-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-112-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-35-0x000001F62C210000-0x000001F62C232000-memory.dmp

Filesize
136KB

Download
memory/3856-45-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-50-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-47-0x000001F62C040000-0x000001F62C050000-memory.dmp

Filesize
64KB

Download
memory/3856-46-0x000001F62C040000-0x000001F62C050000-memory.dmp

Filesize
64KB

Download
memory/4392-66-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-52-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-53-0x000001E95AEC0000-0x000001E95AED0000-memory.dmp

Filesize
64KB

Download
memory/4392-63-0x000001E95AEC0000-0x000001E95AED0000-memory.dmp

Filesize
64KB

Download
memory/4916-92-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-97-0x00007FFCF0B20000-0x00007FFCF15E1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-93-0x000001B0FD5A0000-0x000001B0FD5B0000-memory.dmp

Filesize
64KB

Download
memory/4916-94-0x000001B0FD5A0000-0x000001B0FD5B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads