xworm | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
2s
max time network
16s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmd.exe
Size

305KB
MD5

17a914cf391fd8afff071aaa9dbb6d0e
SHA1

bdc7aecf8298fc9742cc2d093b39a93d69b56d90
SHA256

fb8ca27363234ce063f034f47bce0ff739273d6880ac93c32ac89750a9bbae3a
SHA512

ccae9abe5e6116fad65699382bf5641a83bd94b7d95ed9159ea0176d2887d226f092ab97cb271d7cacec250c1aa78c0ba8eda75d6e19c6836b2bd2c648f75278
SSDEEP

6144:I7qJFjwoMUnZqaXMhJ99LJJ8KsnlXfEUcP87PyXvUGRhIc/9oLCm:I7qJOBiZlXMT9BwnllcP8WXvvh

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%Port%

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral19/memory/2768-47-0x0000000000750000-0x0000000000764000-memory.dmp	family_xworm
behavioral19/memory/2768-22-0x000000013F5D0000-0x000000013F620000-memory.dmp	family_xworm
behavioral19/files/0x0007000000004e76-21.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe'
  2⤵
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BB2.tmp.bat""
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe"
  2⤵
  PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe'
    3⤵
    PID:1644

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{dbb690f9-a633-4386-a592-7a0a5f4903d9}
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp.bat""
1⤵
PID:2536
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A2F.tmp.bat""
  2⤵
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8298.tmp.bat""
    3⤵
    PID:1460

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2232

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:1920
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:1488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:2104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2BB2.tmp.bat

Filesize
155B

MD5
8e33572ab2a25a808c3ff17c6711afe3

SHA1
5231891d6841c9dcfdcc4f9adb0a1d8d7050cc7d

SHA256
bc5ad80808680df02ba312805a2e76bb3b1d974eccdcc866bbec8d2eda3f0f49

SHA512
bfd143b39216114095bacc9dd142bbc6de0bde217f2c0cb7455158e61ea0e35a6f4f14a707321aeeed34b1578642c6815c922e654be2db007456d86bbded87c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp.bat

Filesize
155B

MD5
2aadc553e57f7d532f359853a3b369e8

SHA1
b741ff72327cb0a0d22b505767d360cdae201521

SHA256
79e60840a38364057d829e7fd5d329c02286e59e670844272a28e8870916df99

SHA512
63152f8e608f9ad2ca4eb55a6717a3e7299a2ed15007b9e72f468a0a87ccba703b3a92ce816783f35f910fa510aabfedce5559aa17a299b115d22173ef5b6e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A2F.tmp.bat

Filesize
155B

MD5
69b9cb1405d98e717045ddd78b485b0e

SHA1
930643d666cf34669f46a7a5f506068032db300b

SHA256
fc10fa6670cfff00f9b6f923a01872560afa9343e4b8846beb85d66354dd1fc8

SHA512
7fea0bd8e241e1ed7eba54bb7d3044ec38f9b6731ee7bb22942e02bf6319d7e92d8a925c81eea0e5ceb0ff63e45f5afde278017eb665936124e83b3766eaa443

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8298.tmp.bat

Filesize
155B

MD5
2f964cb575008d4cab0f39e291810eb6

SHA1
e9c27769659cbce7259ed567247d53811337f78a

SHA256
6c59068d55cf02ae50efce1a13b5c7313b8e3145a7d7145a255e79c6ec78de56

SHA512
2916f98efea7901d72efc40ee3e404bc4d22931dfbd07b24eb54fe66f12f966ec7176e27a65589c9775cd6ee1b94beabe962cfaa250076c205674086e1e6c759

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0fda3510c1bfe96214ce93bcf304b2dc

SHA1
4150024fb990ee5e3d098569e79f079012cc72a4

SHA256
95f2ece0f0cf831ddce0ad63eed27213162b262f9444678366870da1b9d8d581

SHA512
796fd73d9df648877f058f8daaaabde00b1882d98d168b14d963895960a420bc4087b373f3f00592cf91bb1067ac45ee66932f123520ea87d9a5df031ccd14f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe

Filesize
300KB

MD5
3c09d9c6df337337adaa6f3880a318c9

SHA1
a4a3a1222476e739e12b28e3bcc8c9dbe2d07fdb

SHA256
6f6d67095f0b3ee860ebeb646c7ed14413f1b7cbfccae682109790e84bb461ef

SHA512
c0bd827b401ee1cfb4fbc53ceb6f3c40d7d6ee2c14b74832c5367c0df06b37dfd6733b840ebe0f091e6397a35e3b60f11cbbc3db893b68b92b8053c45fd1b24d

Download Submit
memory/436-61-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/436-62-0x0000000000E10000-0x0000000000E3A000-memory.dmp

Filesize
168KB

Download
memory/436-48-0x0000000000C30000-0x0000000000C53000-memory.dmp

Filesize
140KB

Download
memory/436-156-0x0000000000E10000-0x0000000000E3A000-memory.dmp

Filesize
168KB

Download
memory/436-59-0x0000000000E10000-0x0000000000E3A000-memory.dmp

Filesize
168KB

Download
memory/436-49-0x0000000000C30000-0x0000000000C53000-memory.dmp

Filesize
140KB

Download
memory/480-83-0x00000000771C1000-0x00000000771C2000-memory.dmp

Filesize
4KB

Download
memory/480-71-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/480-69-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/480-65-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/480-136-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/496-87-0x0000000000A20000-0x0000000000A4A000-memory.dmp

Filesize
168KB

Download
memory/496-75-0x0000000000A20000-0x0000000000A4A000-memory.dmp

Filesize
168KB

Download
memory/496-78-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/496-76-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/504-94-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/504-82-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/504-85-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/504-153-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/504-89-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/596-99-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/596-95-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/596-104-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/596-100-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/596-155-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/672-114-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/672-110-0x00000000003E0000-0x000000000040A000-memory.dmp

Filesize
168KB

Download
memory/672-112-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/672-117-0x00000000003E0000-0x000000000040A000-memory.dmp

Filesize
168KB

Download
memory/672-152-0x00000000003E0000-0x000000000040A000-memory.dmp

Filesize
168KB

Download
memory/748-127-0x0000000000ED0000-0x0000000000EFA000-memory.dmp

Filesize
168KB

Download
memory/748-132-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/748-128-0x000007FEBDF70000-0x000007FEBDF80000-memory.dmp

Filesize
64KB

Download
memory/748-154-0x0000000000ED0000-0x0000000000EFA000-memory.dmp

Filesize
168KB

Download
memory/804-135-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/804-149-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1460-150-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1488-151-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1488-157-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1644-115-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/1644-105-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/1644-141-0x000007FEF9AB0000-0x000007FEFA44D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-140-0x0000000002D54000-0x0000000002D57000-memory.dmp

Filesize
12KB

Download
memory/1644-138-0x0000000002D5B000-0x0000000002DC2000-memory.dmp

Filesize
412KB

Download
memory/1644-113-0x000007FEF9AB0000-0x000007FEFA44D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-139-0x000007FEF9AB0000-0x000007FEFA44D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-107-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1644-101-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2156-10-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-13-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-11-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2156-9-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2156-6-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2156-7-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2156-8-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-12-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2268-34-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2268-16-0x000000001BEA0000-0x000000001BF20000-memory.dmp

Filesize
512KB

Download
memory/2268-0-0x0000000000940000-0x0000000000992000-memory.dmp

Filesize
328KB

Download
memory/2268-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-137-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-67-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-40-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-66-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-41-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2632-133-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/2632-44-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2632-45-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2632-42-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/2632-38-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2632-43-0x0000000077050000-0x000000007716F000-memory.dmp

Filesize
1.1MB

Download
memory/2768-47-0x0000000000750000-0x0000000000764000-memory.dmp

Filesize
80KB

Download
memory/2768-31-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/2768-35-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/2768-109-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-37-0x000000001C050000-0x000000001C0D0000-memory.dmp

Filesize
512KB

Download
memory/2768-36-0x0000000077050000-0x000000007716F000-memory.dmp

Filesize
1.1MB

Download
memory/2768-103-0x0000000077050000-0x000000007716F000-memory.dmp

Filesize
1.1MB

Download
memory/2768-97-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/2768-33-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-32-0x0000000077050000-0x000000007716F000-memory.dmp

Filesize
1.1MB

Download
memory/2768-30-0x0000000000770000-0x00000000007AE000-memory.dmp

Filesize
248KB

Download
memory/2768-22-0x000000013F5D0000-0x000000013F620000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads