Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 14:10
Behavioral task behavioral1
Sample: XWorm-V5.0/FixNoStart/Fix64.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: XWorm-V5.0/FixNoStart/Fix64.exe
Resource: win10v2004-20240226-en
Behavioral task behavioral3
Sample: XWorm-V5.0/XWormLoader.exe
Resource: win7-20240221-en
General
Target: XWorm-V5.0/XWormLoader.exe
Size: 111KB
MD5: 9158e38c3bacd6cc50e4355783fead8b
SHA1: c30c982c2d061e4bd8b5e0e3f89693b3939a0833
SHA256: 1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda
SHA512: 98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd
SSDEEP: 1536:SrHEKSUVTbZgAfQFj9136yOsvSqmyVttdGFQeOPig09:SrFXgkQFj91/OsvSqmyBez9
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: testarosa.duckdns.org:7110
Rg1w8TcZ1AXGhMnB
Install_directory: %ProgramData%
install_file: WindowsDefender.exe
Signatures
Detect Xworm Payload (3 IoCs)
resource / yara_rule:
  behavioral3/memory/2020-0-0x0000000000170000-0x0000000000192000-memory.dmp  family_xworm
  C:\ProgramData\WindowsDefender.exe  family_xworm
  behavioral3/memory/452-62-0x00000000011A0000-0x00000000011C2000-memory.dmp  family_xworm
Executes dropped EXE (2 IoCs)
pid / process:
  640  WindowsDefender.exe
  452  WindowsDefender.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
  4  ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid / process:
  2020  XWormLoader.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid / process:
  2640  powershell.exe
  2296  powershell.exe
  2552  powershell.exe
  2520  powershell.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description / pid / process:
  Token: SeDebugPrivilege  2020  XWormLoader.exe
  Token: SeDebugPrivilege  2640  powershell.exe
  Token: SeDebugPrivilege  2296  powershell.exe
  Token: SeDebugPrivilege  2552  powershell.exe
  Token: SeDebugPrivilege  2520  powershell.exe
  Token: SeDebugPrivilege  2020  XWormLoader.exe
  Token: SeDebugPrivilege  640  WindowsDefender.exe
  Token: SeDebugPrivilege  452  WindowsDefender.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description / pid / process / target process (each entry is logged three times in the report):
  PID 2020 wrote to memory of 2640  XWormLoader.exe -> powershell.exe
  PID 2020 wrote to memory of 2296  XWormLoader.exe -> powershell.exe
  PID 2020 wrote to memory of 2552  XWormLoader.exe -> powershell.exe
  PID 2020 wrote to memory of 2520  XWormLoader.exe -> powershell.exe
  PID 2020 wrote to memory of 2196  XWormLoader.exe -> schtasks.exe
  PID 1572 wrote to memory of 640  taskeng.exe -> WindowsDefender.exe
  PID 1572 wrote to memory of 452  taskeng.exe -> WindowsDefender.exe
Every writer/target pair above is a parent and its direct child in the process tree below, so these writes are the parent launching the child rather than injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
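The network side of this report is small but precise: the extracted C2 testarosa.duckdns.org:7110 and the ip-api.com lookup flagged above. The Python below is an added example, not code from the sandbox or from the sample, that matches a flow log against those indicators. The log lines are constructed (timestamp, source, destination:port, resolved host; all addresses are RFC 5737 documentation ranges), and the two weaker rules, any other duckdns.org name and any other use of port 7110, are a generalisation beyond the single C2 the report shows.

```python
"""Match flow records against the network IOCs reported for this XWorm sample.

Added example, not code from the sandbox report. The sample log is constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report above.
C2_HOST = "testarosa.duckdns.org"
C2_PORT = 7110
IP_LOOKUP_HOSTS = {"ip-api.com"}
# The C2 sits on a dynamic-DNS provider; other names under it are worth a look too.
DYNDNS_SUFFIXES = (".duckdns.org",)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    severity: str
    indicator: str


# Constructed flow log: "<timestamp> <src> <dst>:<port> <resolved host>".
# Addresses are documentation ranges (RFC 5737), not real infrastructure.
SAMPLE_LOG = """\
2024-04-08T14:10:31Z 10.0.0.5 198.51.100.10:80 ip-api.com
2024-04-08T14:10:32Z 10.0.0.5 203.0.113.77:7110 testarosa.duckdns.org
2024-04-08T14:10:40Z 10.0.0.5 198.51.100.20:443 www.example.com
2024-04-08T14:11:02Z 10.0.0.5 203.0.113.78:443 other.duckdns.org
2024-04-08T14:12:00Z 10.0.0.5 203.0.113.90:7110 cdn.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<host>\S+)$"
)


def classify(host, port):
    """Return (kind, severity) for one flow, or None if nothing matches."""
    host = host.lower().rstrip(".")          # normalise case and trailing dot
    if host == C2_HOST and port == C2_PORT:
        return "xworm_c2", "high"
    if host == C2_HOST:
        return "xworm_c2_host", "high"       # right host, different port
    if host in IP_LOOKUP_HOSTS:
        return "external_ip_lookup", "low"   # benign alone, typical RAT check-in prelude
    if host.endswith(DYNDNS_SUFFIXES):
        return "dyndns_host", "medium"
    if port == C2_PORT:
        return "c2_port_only", "low"
    return None


def scan(log_text):
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip malformed lines rather than crash
        hit = classify(m["host"], int(m["port"]))
        if hit:
            findings.append(Finding(n, hit[0], hit[1], f"{m['host']}:{m['port']}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.kind} {f.indicator}")
```

Severity is attached per rule so that the exact C2 match can page someone while the ip-api.com hit, which plenty of legitimate software also produces, only adds context when it appears next to a stronger signal.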
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe  (PID 2020)
  command: "C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2640)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2296)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2552)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2520)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe  (PID 2196)
      command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
      - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe  (PID 1572)
  command: taskeng.exe {BD6902AD-4608-4D06-A19A-852B0348D0E8} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\WindowsDefender.exe  (PID 640)
      command: C:\ProgramData\WindowsDefender.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\WindowsDefender.exe  (PID 452)
      command: C:\ProgramData\WindowsDefender.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
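The process tree above contains the three host-side behaviours worth turning into detections: Defender exclusions added with Add-MpPreference for both the loader and the dropped file, a schtasks task that re-runs a %ProgramData% binary every minute at the highest run level, and a payload named WindowsDefender.exe running from a location Defender never uses. The Python below is an added example, not the sandbox's own signature logic, that runs those checks over process-creation events. The command lines for PIDs 2020, 2640, 2296, 2196 and 640 are copied from the tree; the parent PID 1000 and the benign daily task under PID 3001 are invented, and the ATT&CK IDs (T1562.001, T1053.005, T1036.005) are my mapping, not the report's.

```python
"""Flag the host behaviours shown in the process tree: Defender exclusions,
a minute-interval scheduled task and a look-alike 'WindowsDefender.exe'.

Added example, not the sandbox's own signature code. Events below are built
from the command lines in the tree; parent PID 1000 and the benign task
(PID 3001) are invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str   # MITRE ATT&CK technique ID (my mapping)
    reason: str


# Format: pid|ppid|command line
SAMPLE_EVENTS = r"""
2020|1000|"C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe"
2640|2020|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe'
2296|2020|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
2196|2020|"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
640|1572|C:\ProgramData\WindowsDefender.exe
3001|1000|"C:\Windows\System32\schtasks.exe" /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Tools\backup.cmd"
"""

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
# Locations an unprivileged user can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")
# Names that imitate Defender components. The real binaries live under
# Program Files\Windows Defender, ProgramData\Microsoft\Windows Defender or Windows\.
SECURITY_NAMES = ("windowsdefender", "msmpeng", "mpcmdrun", "securityhealthservice")
LEGIT_PREFIXES = ("c:\\program files", "c:\\programdata\\microsoft\\", "c:\\windows\\")


def tokens(cmdline):
    """Split on whitespace, honouring double and single quotes, then drop the quotes."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def opt(toks, name):
    """Value after a /name or -name switch (case-insensitive), or None."""
    want = {f"/{name.lower()}", f"-{name.lower()}"}
    for i in range(len(toks) - 1):
        if toks[i].lower() in want:
            return toks[i + 1]
    return None


def in_user_writable(path):
    p = path.lower()
    return any(s in p for s in USER_WRITABLE)


def check_event(pid, cmdline):
    findings = []
    toks = tokens(cmdline)
    if not toks:
        return findings
    image_path = toks[0].lower()
    image = image_path.rsplit("\\", 1)[-1]
    low = [t.lower() for t in toks]

    # 1. Defender exclusions added via PowerShell (T1562.001, Impair Defenses).
    if image in ("powershell.exe", "pwsh.exe") and "add-mppreference" in low:
        for sw in ("ExclusionPath", "ExclusionProcess", "ExclusionExtension"):
            target = opt(toks, sw)
            if target is not None:
                note = " (user-writable path)" if in_user_writable(target) else ""
                findings.append(Finding(pid, "T1562.001", f"Add-MpPreference -{sw} {target}{note}"))

    # 2. Task re-running a user-writable payload every minute at highest run level (T1053.005).
    if image == "schtasks.exe" and "/create" in low:
        run = opt(toks, "tr") or ""
        flags = []
        if in_user_writable(run):
            flags.append("payload in user-writable path")
        if (opt(toks, "sc") or "").lower() == "minute" and opt(toks, "mo") == "1":
            flags.append("re-runs every minute")
        if (opt(toks, "rl") or "").upper() == "HIGHEST":
            flags.append("/RL HIGHEST")
        if flags:
            findings.append(Finding(pid, "T1053.005",
                                    f"schtasks /tn {opt(toks, 'tn')} /tr {run}: " + ", ".join(flags)))

    # 3. Security-product name launched from outside its legitimate locations (T1036.005).
    stem = image.rsplit(".", 1)[0]
    if stem in SECURITY_NAMES and not image_path.startswith(LEGIT_PREFIXES):
        findings.append(Finding(pid, "T1036.005", f"{image} running from {toks[0]}"))
    return findings


def scan(events_text):
    findings = []
    for line in events_text.strip().splitlines():
        pid, _ppid, cmd = line.split("|", 2)
        findings.extend(check_event(int(pid), cmd))
    return findings


def techniques_by_pid(events_text):
    """pid -> set of technique IDs; convenient for a SIEM summary or for asserting on."""
    out = {}
    for f in scan(events_text):
        out.setdefault(f.pid, set()).add(f.technique)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.technique}  {f.reason}")
```

The schtasks rule deliberately needs only one of its three flags to fire, because a task pointing at %ProgramData% is suspicious on its own; the benign daily task is left alone since its payload lives outside every user-writable prefix. The masquerading check is scoped to known Defender locations rather than "anything outside System32", because the real engine genuinely runs from ProgramData\Microsoft\Windows Defender.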
Network
MITRE ATT&CK Enterprise v15
Downloads
(unnamed entry; hashes identical to the target sample above)
Filesize: 111KB
MD5: 9158e38c3bacd6cc50e4355783fead8b
SHA1: c30c982c2d061e4bd8b5e0e3f89693b3939a0833
SHA256: 1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda
SHA512: 98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 3ca53a35d2f22c702929cb34faed088f
SHA1: dd5a78609e4a041a8a39ac55d4d989ab2100fa7e
SHA256: 9d89d0650f7e298b8dd164b9507fa89de6cd56f48aa3104a455f5e095108577c
SHA512: 38eb17def6f7f6de082c6c87a391439023f8c3c2cebafc9fd6a4033ba2216616fa3564c0e380c61d5a3ae7324de9cc2c518b89a5e7d80c96b1f29fdc708ea730