xworm | 4fb7670cba8b18af31a799186e456d78b34db5982e96b9a9be538346025d96b8

Analysis

max time kernel
37s
max time network
45s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24-02-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

willitconnect.exe
Size

54KB
MD5

f11cc37f7d2c48a8067e8ead6022e086
SHA1

dc5a0f45ccab1bcde0c80302a2e7249795f750ec
SHA256

4fb7670cba8b18af31a799186e456d78b34db5982e96b9a9be538346025d96b8
SHA512

601e82f96b4a0ee31d8684c7f6fc6f493210e8024b076a1c19d34b19ab52f605db126ef99fd826f5c1e74f02c5c646925e414808392ac3850c6d24dec81ffb0b
SSDEEP

1536:vljkaa4Bpv/R/jR7akbUkGplSqx3v66iGquOOWHuM:q4bZ17akbUkGz4GPOHOM

Score

10^/10

xworm rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2864-0-0x0000000000140000-0x0000000000154000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPSaider.lnk	willitconnect.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPSaider.lnk	willitconnect.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	willitconnect.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeIncreaseQuotaPrivilege	3904	powershell.exe
Token: SeSecurityPrivilege	3904	powershell.exe
Token: SeTakeOwnershipPrivilege	3904	powershell.exe
Token: SeLoadDriverPrivilege	3904	powershell.exe
Token: SeSystemProfilePrivilege	3904	powershell.exe
Token: SeSystemtimePrivilege	3904	powershell.exe
Token: SeProfSingleProcessPrivilege	3904	powershell.exe
Token: SeIncBasePriorityPrivilege	3904	powershell.exe
Token: SeCreatePagefilePrivilege	3904	powershell.exe
Token: SeBackupPrivilege	3904	powershell.exe
Token: SeRestorePrivilege	3904	powershell.exe
Token: SeShutdownPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeSystemEnvironmentPrivilege	3904	powershell.exe
Token: SeRemoteShutdownPrivilege	3904	powershell.exe
Token: SeUndockPrivilege	3904	powershell.exe
Token: SeManageVolumePrivilege	3904	powershell.exe
Token: 33	3904	powershell.exe
Token: 34	3904	powershell.exe
Token: 35	3904	powershell.exe
Token: 36	3904	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeIncreaseQuotaPrivilege	372	powershell.exe
Token: SeSecurityPrivilege	372	powershell.exe
Token: SeTakeOwnershipPrivilege	372	powershell.exe
Token: SeLoadDriverPrivilege	372	powershell.exe
Token: SeSystemProfilePrivilege	372	powershell.exe
Token: SeSystemtimePrivilege	372	powershell.exe
Token: SeProfSingleProcessPrivilege	372	powershell.exe
Token: SeIncBasePriorityPrivilege	372	powershell.exe
Token: SeCreatePagefilePrivilege	372	powershell.exe
Token: SeBackupPrivilege	372	powershell.exe
Token: SeRestorePrivilege	372	powershell.exe
Token: SeShutdownPrivilege	372	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeSystemEnvironmentPrivilege	372	powershell.exe
Token: SeRemoteShutdownPrivilege	372	powershell.exe
Token: SeUndockPrivilege	372	powershell.exe
Token: SeManageVolumePrivilege	372	powershell.exe
Token: 33	372	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3904	2864	willitconnect.exe	72
PID 2864 wrote to memory of 3904	2864	willitconnect.exe	72
PID 2864 wrote to memory of 2884	2864	willitconnect.exe	75
PID 2864 wrote to memory of 2884	2864	willitconnect.exe	75
PID 2864 wrote to memory of 372	2864	willitconnect.exe	77
PID 2864 wrote to memory of 372	2864	willitconnect.exe	77
PID 2864 wrote to memory of 1444	2864	willitconnect.exe	79
PID 2864 wrote to memory of 1444	2864	willitconnect.exe	79

C:\Users\Admin\AppData\Local\Temp\willitconnect.exe
"C:\Users\Admin\AppData\Local\Temp\willitconnect.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\willitconnect.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'willitconnect.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\FPSaider.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FPSaider.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d4241b86e9e567cfc63cdd7edf65aaf

SHA1
285cf0de3233affe98dbbb4381f87ac9ab875502

SHA256
ef00703d5e0840cd6a981bd9bf4fe1dff25511e6dce3855444784bd8b9283b60

SHA512
f93c35f732ee3a5ac2c1567622722932fa64ee272e28bf5b72a60a084831a1358c5d8092089a3c3683f0b140070dc89d5fc0223a269a7f83c8fe8afed6aaa2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84e616bdb1a27619a08d827184b05802

SHA1
0ad624d88be9bcd50dc427ababefedba14d25fd1

SHA256
2caeb36b717e94ca9226313ff551a95f33be2cdb95ba55ab64a3b18d460d1146

SHA512
44633392890fe8fbc983fb889f1f330cf2f12df152f04a6fffe832a0b1c6d7bcc83dbc72a6bf5714c719e785b7d555952b3a6d367059453334773034868093e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51b27223e327ca9e2c267cc869b6f5b1

SHA1
becbb554e2305e818331a7ba1e4703ffa12913f2

SHA256
c7aa373bea9de4ae95d4d202e5834b37c2529f8b20b995ae4692f85c92f1dfad

SHA512
f3e1da6fe772b0d1d37a7b613e50dd724f783a6e7651ecbab473b21a9c96d61aea806780816d550af4a3b38c0e70b0b0d1a6a9cff5cd7eacf3b9e4e791e9aaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xramewjp.45f.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/372-126-0x000001AF76870000-0x000001AF76880000-memory.dmp

Filesize
64KB

Download
memory/372-151-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/372-149-0x000001AF76870000-0x000001AF76880000-memory.dmp

Filesize
64KB

Download
memory/372-108-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/372-110-0x000001AF76870000-0x000001AF76880000-memory.dmp

Filesize
64KB

Download
memory/372-109-0x000001AF76870000-0x000001AF76880000-memory.dmp

Filesize
64KB

Download
memory/1444-157-0x0000023951CC0000-0x0000023951CD0000-memory.dmp

Filesize
64KB

Download
memory/1444-158-0x0000023951CC0000-0x0000023951CD0000-memory.dmp

Filesize
64KB

Download
memory/1444-155-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/1444-174-0x0000023951CC0000-0x0000023951CD0000-memory.dmp

Filesize
64KB

Download
memory/1444-197-0x0000023951CC0000-0x0000023951CD0000-memory.dmp

Filesize
64KB

Download
memory/1444-200-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/2864-76-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/2864-1-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/2864-0-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/2864-205-0x000000001AD20000-0x000000001AD30000-memory.dmp

Filesize
64KB

Download
memory/2884-103-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-79-0x0000022F8C780000-0x0000022F8C790000-memory.dmp

Filesize
64KB

Download
memory/2884-60-0x0000022F8C780000-0x0000022F8C790000-memory.dmp

Filesize
64KB

Download
memory/2884-59-0x0000022F8C780000-0x0000022F8C790000-memory.dmp

Filesize
64KB

Download
memory/2884-57-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-100-0x0000022F8C780000-0x0000022F8C790000-memory.dmp

Filesize
64KB

Download
memory/3904-48-0x000001E7E7950000-0x000001E7E7960000-memory.dmp

Filesize
64KB

Download
memory/3904-12-0x000001E780390000-0x000001E780406000-memory.dmp

Filesize
472KB

Download
memory/3904-9-0x000001E7801E0000-0x000001E780202000-memory.dmp

Filesize
136KB

Download
memory/3904-7-0x000001E7E7950000-0x000001E7E7960000-memory.dmp

Filesize
64KB

Download
memory/3904-8-0x000001E7E7950000-0x000001E7E7960000-memory.dmp

Filesize
64KB

Download
memory/3904-6-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download
memory/3904-25-0x000001E7E7950000-0x000001E7E7960000-memory.dmp

Filesize
64KB

Download
memory/3904-52-0x00007FFB1C1E0000-0x00007FFB1CBCC000-memory.dmp

Filesize
9.9MB

Download