xworm | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NisSrv.exe
Size

286KB
MD5

4105f6abba105cc27f89c2ebfc0c06b9
SHA1

416adb89cdf50bc1dffd5d386a391a2c32bec3a9
SHA256

dddac27a8c4fc66d1fdbe65cddae474b50f5b21a0bdc7f02594426089d898cc8
SHA512

c73a124afa416227b7b9e297934e5f454f7fe5bab229e0e95a633517bffbd61026accaa6c0573757be5e2f60afc80bcaf70000a20d9b60190935715c8d206541
SSDEEP

6144:pu0CsWLsWwYnZqiXMhD5RL3t8os+E4sch8pP6Dv8NubGv3xcD89eL:4CWNwuZvXMB5DuGsch8QDvt8i

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral8/memory/4052-34-0x000001D31A630000-0x000001D31A68E000-memory.dmp	family_xworm
behavioral8/files/0x00030000000228c7-32.dat	family_xworm
behavioral8/memory/4052-42-0x000001D31AA70000-0x000001D31AA84000-memory.dmp	family_xworm
behavioral8/files/0x00030000000228c7-31.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

C:\Users\Admin\AppData\Local\Temp\NisSrv.exe
"C:\Users\Admin\AppData\Local\Temp\NisSrv.exe"
1⤵
PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe'
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe"
  2⤵
  PID:4052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe'
    3⤵
    PID:4512

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{aaf4782f-06c9-4846-aa50-eb58dae9d20b}
1⤵
PID:1072

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3136

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1880

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3676

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3188

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aw3ndwec.whu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
355KB

MD5
55ab75d168d110fa869e0dade4510172

SHA1
30e05525914ddbdc88b95a4148c2b56cca03e0cc

SHA256
f345fc3969b1f0183b6b8738ab3633c0b840763910f3825f1a3bc2e963648589

SHA512
b565faf3ddd44ce9b25864195475b46cc7ed8bf26b61158deeb1d1f98fc3cb4a105baba97fa9546315fe6234bb3e1077800a7bbad99d33341b0f17d367409a03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wind32.exe

Filesize
1KB

MD5
2f09b0bbb99a876f4c686f783301071c

SHA1
e56e2874f0b8a7ae1af384cb1191089d49c92da4

SHA256
ef7a4b9378596b034ab801ba6114c413e16358e28445c467697b08cdbcafd57c

SHA512
2bc1787bfc6e1d85a6c48ba5afaf07ae3f5b0395a776f8f4380e7b02f36b5a1ff0607437647f245433244571a4ee950b84da340d01f12b2bc20488e08d7be09b

Download Submit
memory/616-50-0x00000252DDBB0000-0x00000252DDBD3000-memory.dmp

Filesize
140KB

Download
memory/616-103-0x00000252DDBE0000-0x00000252DDC0A000-memory.dmp

Filesize
168KB

Download
memory/616-59-0x00007FF88B68F000-0x00007FF88B690000-memory.dmp

Filesize
4KB

Download
memory/616-53-0x00000252DDBE0000-0x00000252DDC0A000-memory.dmp

Filesize
168KB

Download
memory/616-56-0x00007FF88B68D000-0x00007FF88B68E000-memory.dmp

Filesize
4KB

Download
memory/664-63-0x000001ECF7880000-0x000001ECF78AA000-memory.dmp

Filesize
168KB

Download
memory/664-57-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/664-55-0x000001ECF7880000-0x000001ECF78AA000-memory.dmp

Filesize
168KB

Download
memory/724-73-0x000001AC8F6B0000-0x000001AC8F6DA000-memory.dmp

Filesize
168KB

Download
memory/724-72-0x000001AC8F6B0000-0x000001AC8F6DA000-memory.dmp

Filesize
168KB

Download
memory/724-130-0x000001AC8F6B0000-0x000001AC8F6DA000-memory.dmp

Filesize
168KB

Download
memory/724-74-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/948-115-0x000002CC4B7D0000-0x000002CC4B7FA000-memory.dmp

Filesize
168KB

Download
memory/948-68-0x00007FF88B68C000-0x00007FF88B68D000-memory.dmp

Filesize
4KB

Download
memory/948-65-0x000002CC4B7D0000-0x000002CC4B7FA000-memory.dmp

Filesize
168KB

Download
memory/948-60-0x000002CC4B7D0000-0x000002CC4B7FA000-memory.dmp

Filesize
168KB

Download
memory/948-64-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1020-128-0x00000265AFD40000-0x00000265AFD6A000-memory.dmp

Filesize
168KB

Download
memory/1020-70-0x00007FF88B68F000-0x00007FF88B690000-memory.dmp

Filesize
4KB

Download
memory/1020-62-0x00000265AFD40000-0x00000265AFD6A000-memory.dmp

Filesize
168KB

Download
memory/1020-69-0x00007FF88B68D000-0x00007FF88B68E000-memory.dmp

Filesize
4KB

Download
memory/1020-67-0x00000265AFD40000-0x00000265AFD6A000-memory.dmp

Filesize
168KB

Download
memory/1028-79-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1028-78-0x000001C0933D0000-0x000001C0933FA000-memory.dmp

Filesize
168KB

Download
memory/1028-139-0x000001C0933D0000-0x000001C0933FA000-memory.dmp

Filesize
168KB

Download
memory/1072-47-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1072-41-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1072-44-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1072-43-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1072-45-0x00007FF88B5F0000-0x00007FF88B7E5000-memory.dmp

Filesize
2.0MB

Download
memory/1072-46-0x00007FF88A330000-0x00007FF88A3EE000-memory.dmp

Filesize
760KB

Download
memory/1104-83-0x000001588E310000-0x000001588E33A000-memory.dmp

Filesize
168KB

Download
memory/1104-85-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1104-141-0x000001588E310000-0x000001588E33A000-memory.dmp

Filesize
168KB

Download
memory/1132-89-0x000002C188ED0000-0x000002C188EFA000-memory.dmp

Filesize
168KB

Download
memory/1132-90-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1132-98-0x000002C188ED0000-0x000002C188EFA000-memory.dmp

Filesize
168KB

Download
memory/1188-96-0x00000160555B0000-0x00000160555DA000-memory.dmp

Filesize
168KB

Download
memory/1188-91-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1188-88-0x00000160555B0000-0x00000160555DA000-memory.dmp

Filesize
168KB

Download
memory/1248-97-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1248-100-0x000001E5AED40000-0x000001E5AED6A000-memory.dmp

Filesize
168KB

Download
memory/1248-92-0x000001E5AED40000-0x000001E5AED6A000-memory.dmp

Filesize
168KB

Download
memory/1260-105-0x000001682C390000-0x000001682C3BA000-memory.dmp

Filesize
168KB

Download
memory/1260-108-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1260-109-0x000001682C390000-0x000001682C3BA000-memory.dmp

Filesize
168KB

Download
memory/1300-133-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1372-136-0x0000017165D30000-0x0000017165D5A000-memory.dmp

Filesize
168KB

Download
memory/1372-138-0x00007FF84B670000-0x00007FF84B680000-memory.dmp

Filesize
64KB

Download
memory/1668-17-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-11-0x0000025E57ED0000-0x0000025E57EF2000-memory.dmp

Filesize
136KB

Download
memory/1668-12-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-14-0x0000025E57F00000-0x0000025E57F10000-memory.dmp

Filesize
64KB

Download
memory/1668-13-0x0000025E57F00000-0x0000025E57F10000-memory.dmp

Filesize
64KB

Download
memory/1688-37-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-18-0x000000001BE80000-0x000000001BE90000-memory.dmp

Filesize
64KB

Download
memory/1688-1-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-0-0x0000000000900000-0x000000000094E000-memory.dmp

Filesize
312KB

Download
memory/4052-39-0x00007FF88B5F0000-0x00007FF88B7E5000-memory.dmp

Filesize
2.0MB

Download
memory/4052-34-0x000001D31A630000-0x000001D31A68E000-memory.dmp

Filesize
376KB

Download
memory/4052-38-0x000001D31AA30000-0x000001D31AA6E000-memory.dmp

Filesize
248KB

Download
memory/4052-36-0x000001D334BB0000-0x000001D334BC0000-memory.dmp

Filesize
64KB

Download
memory/4052-42-0x000001D31AA70000-0x000001D31AA84000-memory.dmp

Filesize
80KB

Download
memory/4052-93-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-40-0x00007FF88A330000-0x00007FF88A3EE000-memory.dmp

Filesize
760KB

Download
memory/4052-101-0x000001D334BB0000-0x000001D334BC0000-memory.dmp

Filesize
64KB

Download
memory/4052-35-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-134-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-107-0x000001E4E86D0000-0x000001E4E86E0000-memory.dmp

Filesize
64KB

Download
memory/4512-111-0x000001E4E86D0000-0x000001E4E86E0000-memory.dmp

Filesize
64KB

Download
memory/4512-106-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads