xworm | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
0s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Freemasonry (2).exe
Size

5KB
MD5

ff7e6dfa113f9f87601e895a40260678
SHA1

8e313c176605587b2d9b7111d35c5b51f09f6606
SHA256

156c9e8bef9013a1b498d6ba5aa8582ec7f2d02e6123ac777bca863f087e7c62
SHA512

53975519c17bf8b24ca46e0326a084e7959e475c47c4e8cd74672dd1a2df570279dd34801460b3fcd630f581aaaff12058b77f09414b411ddac285cc8db45bed
SSDEEP

48:6in5YDNwtZdLP10NjDCPp9glLGoNMDyxAoQ5WD9KLGNI6iqAa54tdXl4f59FWpfG:UDOrVmGIIy8UBKS26iBmBQzNt

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%Port%

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral4/memory/3872-51-0x00000222236F0000-0x0000022223704000-memory.dmp	family_xworm
behavioral4/memory/1188-52-0x0000000005490000-0x00000000054A0000-memory.dmp	family_xworm
behavioral4/memory/3872-38-0x00000222232C0000-0x0000022223310000-memory.dmp	family_xworm
behavioral4/files/0x0008000000023202-36.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4608	timeout.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 508	1188	Freemasonry (2).exe	44
PID 1188 wrote to memory of 508	1188	Freemasonry (2).exe	44

C:\Users\Admin\AppData\Local\Temp\Freemasonry (2).exe
"C:\Users\Admin\AppData\Local\Temp\Freemasonry (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe"
  2⤵
  PID:508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe'
    3⤵
    PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4805.tmp.bat""
    3⤵
    PID:4424
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe"
    3⤵
    PID:3872

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:4608

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3779c601-e68a-4c07-9829-8bf9f2c846c9}
1⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe'
1⤵
PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htn4fjm2.qbh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4805.tmp.bat

Filesize
155B

MD5
70412749cb760f4fda78a981c2852bfb

SHA1
ea9ea04d0d3c20ce321df962ec14c02367d1bc57

SHA256
e0f70a388a91020d4baf23185c23b16b547e5037a226344373a119c384ac53ef

SHA512
c598fbdd5b37ffd912d23575b1aaec8715f532a1705bf36ab10338a0aef69eb3652c9d106e3f9c3cb748e27da4dca627f8e31323b97bf85db4d61fd9e27ebaa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe

Filesize
300KB

MD5
3c09d9c6df337337adaa6f3880a318c9

SHA1
a4a3a1222476e739e12b28e3bcc8c9dbe2d07fdb

SHA256
6f6d67095f0b3ee860ebeb646c7ed14413f1b7cbfccae682109790e84bb461ef

SHA512
c0bd827b401ee1cfb4fbc53ceb6f3c40d7d6ee2c14b74832c5367c0df06b37dfd6733b840ebe0f091e6397a35e3b60f11cbbc3db893b68b92b8053c45fd1b24d

Download Submit
memory/332-82-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/332-86-0x0000021A278C0000-0x0000021A278EA000-memory.dmp

Filesize
168KB

Download
memory/332-80-0x0000021A278C0000-0x0000021A278EA000-memory.dmp

Filesize
168KB

Download
memory/372-73-0x000001B7767E0000-0x000001B77680A000-memory.dmp

Filesize
168KB

Download
memory/372-83-0x000001B7767E0000-0x000001B77680A000-memory.dmp

Filesize
168KB

Download
memory/508-46-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/508-4-0x00000000005B0000-0x0000000000602000-memory.dmp

Filesize
328KB

Download
memory/508-5-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/508-24-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/608-64-0x000002622CB90000-0x000002622CBBA000-memory.dmp

Filesize
168KB

Download
memory/608-68-0x00007FFAA09AD000-0x00007FFAA09AE000-memory.dmp

Filesize
4KB

Download
memory/608-63-0x000002622CB90000-0x000002622CBBA000-memory.dmp

Filesize
168KB

Download
memory/608-70-0x00007FFAA09AF000-0x00007FFAA09B0000-memory.dmp

Filesize
4KB

Download
memory/608-61-0x000002622CAF0000-0x000002622CB13000-memory.dmp

Filesize
140KB

Download
memory/672-67-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/672-65-0x00000193430E0000-0x000001934310A000-memory.dmp

Filesize
168KB

Download
memory/672-77-0x00007FFAA09AD000-0x00007FFAA09AE000-memory.dmp

Filesize
4KB

Download
memory/672-75-0x00000193430E0000-0x000001934310A000-memory.dmp

Filesize
168KB

Download
memory/672-79-0x00007FFAA09AF000-0x00007FFAA09B0000-memory.dmp

Filesize
4KB

Download
memory/968-85-0x00007FFAA09AC000-0x00007FFAA09AD000-memory.dmp

Filesize
4KB

Download
memory/968-81-0x000001F1CB5D0000-0x000001F1CB5FA000-memory.dmp

Filesize
168KB

Download
memory/968-76-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/968-72-0x000001F1CB5D0000-0x000001F1CB5FA000-memory.dmp

Filesize
168KB

Download
memory/1028-89-0x000002B081290000-0x000002B0812BA000-memory.dmp

Filesize
168KB

Download
memory/1028-92-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/1036-91-0x000001F40ABC0000-0x000001F40ABEA000-memory.dmp

Filesize
168KB

Download
memory/1036-93-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/1044-101-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/1044-98-0x00000157E1D40000-0x00000157E1D6A000-memory.dmp

Filesize
168KB

Download
memory/1172-6-0x0000023CB5F20000-0x0000023CB5F42000-memory.dmp

Filesize
136KB

Download
memory/1172-18-0x0000023C9B8A0000-0x0000023C9B8B0000-memory.dmp

Filesize
64KB

Download
memory/1172-17-0x0000023C9B8A0000-0x0000023C9B8B0000-memory.dmp

Filesize
64KB

Download
memory/1172-16-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/1172-21-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/1188-0-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1188-3-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/1188-54-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/1188-2-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/1188-1-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/1188-52-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/1200-100-0x0000021A269D0000-0x0000021A269FA000-memory.dmp

Filesize
168KB

Download
memory/1612-59-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1612-57-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1612-55-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/1612-47-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1612-49-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1612-53-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1612-56-0x00007FFAA0630000-0x00007FFAA06EE000-memory.dmp

Filesize
760KB

Download
memory/3872-44-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-45-0x00007FFAA0630000-0x00007FFAA06EE000-memory.dmp

Filesize
760KB

Download
memory/3872-38-0x00000222232C0000-0x0000022223310000-memory.dmp

Filesize
320KB

Download
memory/3872-51-0x00000222236F0000-0x0000022223704000-memory.dmp

Filesize
80KB

Download
memory/3872-48-0x000002223DBA0000-0x000002223DBB0000-memory.dmp

Filesize
64KB

Download
memory/3872-42-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/3872-43-0x00000222236B0000-0x00000222236EE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads