xworm | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
3s
max time network
63s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SgrmBroker.exe
Size

771KB
MD5

bda31b88c53cee7ee196b15f4f6ed413
SHA1

ae530f0d0459cea03e6d362e6a88c066a60e31e6
SHA256

d4965411f163368758c151b7d90bccfebe2067f65472847701cc880d00e15bab
SHA512

5b34cd28d5a5dfca43e5f2d9cf7cc156aff344b2b2c5625dfd387d81a5755d8afcb09ae723c3d76ea08930a84f92f83e8c72afc011ec61c836c27edd2b47155f
SSDEEP

12288:NcREkD5DFr/cp9gxh/xiAa5HLL4UYUdcpc3RrC2H1VdPQz2XzUBWOKK1sS/78yrA:NcR1vUbXvdPS1WmsS/FM

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral15/files/0x000b000000012185-6.dat	family_xworm
behavioral15/memory/2788-10-0x000000013F6E0000-0x000000013F732000-memory.dmp	family_xworm
behavioral15/memory/2788-26-0x0000000000190000-0x00000000001A6000-memory.dmp	family_xworm
behavioral15/memory/1692-120-0x000000013F890000-0x000000013F8E2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1768	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SgrmBroker.exe
"C:\Users\Admin\AppData\Local\Temp\SgrmBroker.exe"
1⤵
PID:2312
- C:\Users\Admin\MusNotify.exe
  "C:\Users\Admin\MusNotify.exe"
  2⤵
  PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MusNotify.exe'
    3⤵
    PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MusNotify.exe'
    3⤵
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MusNotify.exe'
    3⤵
    PID:1980
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MusNotify" /tr "C:\Users\Admin\AppData\Roaming\MusNotify.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1768

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5a921f01-d630-4ed2-a316-7874519bcb86}
1⤵
PID:2572

C:\Windows\system32\taskeng.exe
taskeng.exe {1A566D7D-3952-4736-BA0E-BBC61B565D04} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\MusNotify.exe
  C:\Users\Admin\AppData\Roaming\MusNotify.exe
  2⤵
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab28A8.tmp

Filesize
64KB

MD5
d71dff97ca86ca16c3db8bdb5285fb35

SHA1
271c01246897497d069b81ed37af296cf6c1e498

SHA256
4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac

SHA512
1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28E9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf820344c0a3ff99e0f8c0abf854878c

SHA1
59562c31a36689d1e1305b9f9dd6e20b650ffe72

SHA256
796f44cc47620a8bf8c66a8d7a7b86aa568a9ff8e21108d65ffec35a097942d9

SHA512
95175ebdfebffde65b390df0f3c28e7a63ab8b659d1a2c8b6b4341a3bf3fd0c2a0c7b1a7a15bc05da192750106bc8d2c720fe6c419c378a5afce51d9a91cb72b

Download Submit
\Users\Admin\MusNotify.exe

Filesize
313KB

MD5
c703e9e2e16ebf10c606c732feb529a1

SHA1
5d3d24ab58163593e07358d548051ae74633edaa

SHA256
b001c7a20e66761cec31abb0eaf86f93716b932f59e564caa0c6b1d50369e854

SHA512
34bde8a7c283b194e5a463075925b9873bda5752683461e2108e971437e2aca1f5f9c3305cc2f3596fc05befe4ffbb54a0c0407111f7dc653b376d952d940f73

Download Submit
memory/424-31-0x000007FEBF470000-0x000007FEBF480000-memory.dmp

Filesize
64KB

Download
memory/424-29-0x00000000008E0000-0x0000000000903000-memory.dmp

Filesize
140KB

Download
memory/424-30-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/424-27-0x00000000008E0000-0x0000000000903000-memory.dmp

Filesize
140KB

Download
memory/424-32-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/424-35-0x0000000077AA1000-0x0000000077AA2000-memory.dmp

Filesize
4KB

Download
memory/424-34-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/468-43-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/468-40-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/468-42-0x000007FEBF470000-0x000007FEBF480000-memory.dmp

Filesize
64KB

Download
memory/484-46-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/484-47-0x000007FEBF470000-0x000007FEBF480000-memory.dmp

Filesize
64KB

Download
memory/484-49-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/1692-120-0x000000013F890000-0x000000013F8E2000-memory.dmp

Filesize
328KB

Download
memory/1980-78-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1980-77-0x000007FEF2550000-0x000007FEF2EED000-memory.dmp

Filesize
9.6MB

Download
memory/1980-79-0x00000000024EB000-0x0000000002552000-memory.dmp

Filesize
412KB

Download
memory/2312-0-0x0000000001260000-0x00000000012CA000-memory.dmp

Filesize
424KB

Download
memory/2312-1-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-81-0x0000000000F80000-0x0000000000FA0000-memory.dmp

Filesize
128KB

Download
memory/2312-2-0x0000000000410000-0x000000000045C000-memory.dmp

Filesize
304KB

Download
memory/2312-3-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/2548-60-0x00000000029BB000-0x0000000002A22000-memory.dmp

Filesize
412KB

Download
memory/2548-57-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2548-59-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/2548-58-0x000007FEF2550000-0x000007FEF2EED000-memory.dmp

Filesize
9.6MB

Download
memory/2548-56-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-19-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2572-17-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2572-23-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2572-21-0x0000000077830000-0x000000007794F000-memory.dmp

Filesize
1.1MB

Download
memory/2572-24-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2572-20-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2572-22-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2788-16-0x000000001BEE0000-0x000000001BF60000-memory.dmp

Filesize
512KB

Download
memory/2788-26-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/2788-15-0x0000000077830000-0x000000007794F000-memory.dmp

Filesize
1.1MB

Download
memory/2788-13-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2788-12-0x0000000000150000-0x000000000018E000-memory.dmp

Filesize
248KB

Download
memory/2788-11-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-10-0x000000013F6E0000-0x000000013F732000-memory.dmp

Filesize
328KB

Download
memory/2804-68-0x000007FEEF9B0000-0x000007FEF034D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-69-0x0000000002A84000-0x0000000002A87000-memory.dmp

Filesize
12KB

Download
memory/2804-70-0x0000000002A8B000-0x0000000002AF2000-memory.dmp

Filesize
412KB

Download
memory/2804-67-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/2804-66-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads