xworm | 7042893a76a71554dd5a47a61bf2c58b740969384a49abd4fc298d2f94271820

Analysis

max time kernel
567s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload2.exe
Size

25KB
MD5

76e0195853f99115849ba1b15a3e92a7
SHA1

c252c38e6eded76ac998a77e3bc3da60bafce45e
SHA256

7042893a76a71554dd5a47a61bf2c58b740969384a49abd4fc298d2f94271820
SHA512

e65dc242de64880822f4c7b15260e67a514b15868990400467a0b36b9094e9ca71a7bdd7845647e97421e05a649b3a3451686205db962db3644068b2421f520f
SSDEEP

384:iMQGxoc++CmcbK0Oj3XSZNimlRmHDgHQSyZ2szuB9f1F6ZwG9fxJz:i6Cc+9mcmvj3inPicB9fG97

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

38.146.219.228:7001

Mutex

mpqxLif2hrZ6dHfO

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/432-29-0x0000000002930000-0x000000000293E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	payload2.exe

Executes dropped EXE 1 IoCs

pid	Process
432	Windows_Log_678.bat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	payload2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1300	powershell.exe
1300	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	payload2.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeIncreaseQuotaPrivilege	1300	powershell.exe
Token: SeSecurityPrivilege	1300	powershell.exe
Token: SeTakeOwnershipPrivilege	1300	powershell.exe
Token: SeLoadDriverPrivilege	1300	powershell.exe
Token: SeSystemProfilePrivilege	1300	powershell.exe
Token: SeSystemtimePrivilege	1300	powershell.exe
Token: SeProfSingleProcessPrivilege	1300	powershell.exe
Token: SeIncBasePriorityPrivilege	1300	powershell.exe
Token: SeCreatePagefilePrivilege	1300	powershell.exe
Token: SeBackupPrivilege	1300	powershell.exe
Token: SeRestorePrivilege	1300	powershell.exe
Token: SeShutdownPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeSystemEnvironmentPrivilege	1300	powershell.exe
Token: SeRemoteShutdownPrivilege	1300	powershell.exe
Token: SeUndockPrivilege	1300	powershell.exe
Token: SeManageVolumePrivilege	1300	powershell.exe
Token: 33	1300	powershell.exe
Token: 34	1300	powershell.exe
Token: 35	1300	powershell.exe
Token: 36	1300	powershell.exe
Token: SeIncreaseQuotaPrivilege	1300	powershell.exe
Token: SeSecurityPrivilege	1300	powershell.exe
Token: SeTakeOwnershipPrivilege	1300	powershell.exe
Token: SeLoadDriverPrivilege	1300	powershell.exe
Token: SeSystemProfilePrivilege	1300	powershell.exe
Token: SeSystemtimePrivilege	1300	powershell.exe
Token: SeProfSingleProcessPrivilege	1300	powershell.exe
Token: SeIncBasePriorityPrivilege	1300	powershell.exe
Token: SeCreatePagefilePrivilege	1300	powershell.exe
Token: SeBackupPrivilege	1300	powershell.exe
Token: SeRestorePrivilege	1300	powershell.exe
Token: SeShutdownPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeSystemEnvironmentPrivilege	1300	powershell.exe
Token: SeRemoteShutdownPrivilege	1300	powershell.exe
Token: SeUndockPrivilege	1300	powershell.exe
Token: SeManageVolumePrivilege	1300	powershell.exe
Token: 33	1300	powershell.exe
Token: 34	1300	powershell.exe
Token: 35	1300	powershell.exe
Token: 36	1300	powershell.exe
Token: SeIncreaseQuotaPrivilege	1300	powershell.exe
Token: SeSecurityPrivilege	1300	powershell.exe
Token: SeTakeOwnershipPrivilege	1300	powershell.exe
Token: SeLoadDriverPrivilege	1300	powershell.exe
Token: SeSystemProfilePrivilege	1300	powershell.exe
Token: SeSystemtimePrivilege	1300	powershell.exe
Token: SeProfSingleProcessPrivilege	1300	powershell.exe
Token: SeIncBasePriorityPrivilege	1300	powershell.exe
Token: SeCreatePagefilePrivilege	1300	powershell.exe
Token: SeBackupPrivilege	1300	powershell.exe
Token: SeRestorePrivilege	1300	powershell.exe
Token: SeShutdownPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeSystemEnvironmentPrivilege	1300	powershell.exe
Token: SeRemoteShutdownPrivilege	1300	powershell.exe
Token: SeUndockPrivilege	1300	powershell.exe
Token: SeManageVolumePrivilege	1300	powershell.exe
Token: 33	1300	powershell.exe
Token: 34	1300	powershell.exe
Token: 35	1300	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1300	4736	payload2.exe	88
PID 4736 wrote to memory of 1300	4736	payload2.exe	88
PID 4736 wrote to memory of 5024	4736	payload2.exe	94
PID 4736 wrote to memory of 5024	4736	payload2.exe	94
PID 5024 wrote to memory of 432	5024	WScript.exe	95
PID 5024 wrote to memory of 432	5024	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\payload2.exe
"C:\Users\Admin\AppData\Local\Temp\payload2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_678_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_678.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_678.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Roaming\Windows_Log_678.bat
    "C:\Users\Admin\AppData\Roaming\Windows_Log_678.bat"
    3⤵
    - Executes dropped EXE
    PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ydu5pvr.tvw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_678.bat

Filesize
25KB

MD5
76e0195853f99115849ba1b15a3e92a7

SHA1
c252c38e6eded76ac998a77e3bc3da60bafce45e

SHA256
7042893a76a71554dd5a47a61bf2c58b740969384a49abd4fc298d2f94271820

SHA512
e65dc242de64880822f4c7b15260e67a514b15868990400467a0b36b9094e9ca71a7bdd7845647e97421e05a649b3a3451686205db962db3644068b2421f520f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_678.vbs

Filesize
115B

MD5
79b8823af95cc15b467362de5be4e826

SHA1
1327274183d64ae987af4f2ff9ffd5635023c6ef

SHA256
fc215d6817ad7cfa2a83cf82bbb10524911804984dc1bb1f090a7a7fe3860eda

SHA512
701a0b779f3875690b598184371c7400ecf656e467e8368d63869a97a9ab44ce62944d32f7ad3dd2d4d052cc982213259190e25842209feb62bff80c60e71129

Download Submit
memory/432-33-0x000000001B470000-0x000000001B480000-memory.dmp

Filesize
64KB

Download
memory/432-32-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

Filesize
10.8MB

Download
memory/432-31-0x000000001B470000-0x000000001B480000-memory.dmp

Filesize
64KB

Download
memory/432-29-0x0000000002930000-0x000000000293E000-memory.dmp

Filesize
56KB

Download
memory/432-30-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-14-0x000001BC31810000-0x000001BC31820000-memory.dmp

Filesize
64KB

Download
memory/1300-20-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-17-0x000001BC31810000-0x000001BC31820000-memory.dmp

Filesize
64KB

Download
memory/1300-16-0x000001BC31810000-0x000001BC31820000-memory.dmp

Filesize
64KB

Download
memory/1300-15-0x000001BC31810000-0x000001BC31820000-memory.dmp

Filesize
64KB

Download
memory/1300-13-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-12-0x000001BC4A020000-0x000001BC4A042000-memory.dmp

Filesize
136KB

Download
memory/4736-26-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-0-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/4736-2-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

Filesize
10.8MB

Download