xworm | 16dab8d574832e8f2d6c7e301b5546982fa1290177e921611a252aa7ffa8ce96 | Triage

Analysis

max time kernel
19s
max time network
30s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 08:39

Sharing

Report Analysis Logs

General

Target

Aimware.exe
Size

16.3MB
MD5

5a72ded081c8c7c91b1d184373738090
SHA1

9896303af03baa31492cbbb69b6e56270f3f8788
SHA256

16dab8d574832e8f2d6c7e301b5546982fa1290177e921611a252aa7ffa8ce96
SHA512

9447b4adf3c00a652f4f7ab42fdaf05a10907cd0d4b2e55f0c0f450e668c6629b1ba72c0c5e7941018485855a8677284326e3b7b512c68099165b7c13dbd273e
SSDEEP

393216:G0OSkfUxwHprJEZx/efi8ddpARG2cNPZJJNp7w9XsR:REUxwJrJO/e68ddaRYNPZz7wcR

Score

10^/10

xworm persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

C2

student-grocery.gl.at.ply.gg:29486

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/3024-9-0x00000000011D0000-0x00000000011EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 3 IoCs

Processes:

XClient.execreal.execreal.exe

pid process

3024 XClient.exe
2672 creal.exe
2736 creal.exe
Loads dropped DLL 4 IoCs

Processes:

Aimware.execreal.execreal.exe

pid process

1296 Aimware.exe
1296 Aimware.exe
2672 creal.exe
2736 creal.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Хост-процесс Windows (Rundll64) = "C:\\Users\\Admin\\AppData\\Roaming\\Хост-процесс Windows (Rundll64)"	XClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

Detects Pyinstaller 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid process

1896 powershell.exe
2148 powershell.exe
2232 powershell.exe
688 powershell.exe
3024 XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3024	XClient.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	3024	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

3024 XClient.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Aimware.execreal.exeXClient.exe

description	pid	process	target process
PID 1296 wrote to memory of 3024	1296	Aimware.exe	XClient.exe
PID 1296 wrote to memory of 3024	1296	Aimware.exe	XClient.exe
PID 1296 wrote to memory of 3024	1296	Aimware.exe	XClient.exe
PID 1296 wrote to memory of 3024	1296	Aimware.exe	XClient.exe
PID 1296 wrote to memory of 2672	1296	Aimware.exe	creal.exe
PID 1296 wrote to memory of 2672	1296	Aimware.exe	creal.exe
PID 1296 wrote to memory of 2672	1296	Aimware.exe	creal.exe
PID 1296 wrote to memory of 2672	1296	Aimware.exe	creal.exe
PID 2672 wrote to memory of 2736	2672	creal.exe	creal.exe
PID 2672 wrote to memory of 2736	2672	creal.exe	creal.exe
PID 2672 wrote to memory of 2736	2672	creal.exe	creal.exe
PID 3024 wrote to memory of 1896	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 1896	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 1896	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 2148	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 2148	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 2148	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 2232	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 2232	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 2232	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 688	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 688	3024	XClient.exe	powershell.exe
PID 3024 wrote to memory of 688	3024	XClient.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Aimware.exe
"C:\Users\Admin\AppData\Local\Temp\Aimware.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Хост-процесс Windows (Rundll64)'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Хост-процесс Windows (Rundll64)'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26722\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VT71VGBHS2QAYIIF546C.temp
Filesize
7KB

MD5
7b3f034bac25cd01f62e69f41833c2ab

SHA1
559dc98552e1d192279d315241f825c738f6e47c

SHA256
117c80a566e0a89c476fb09d90d568d8bd8d264a54fba37564d7bee9f5079848

SHA512
c12cd5b54f387bc19f384a7781d69e4d859355d1a8da27978e57d766279a37b8d2117668ca0812baff57208e7d17702bf8ab1f09966c37cb2ada2c28c4888f43

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
81KB

MD5
7fd20d7541dc97df02299baa18b83d23

SHA1
6d0186e7917cb2aa9327557e2fd8d02e2db45c89

SHA256
88ea7cfec98e1c01792e35dca1927f7bf7e74689511a6405f1b7b730b9fddcfb

SHA512
cfff8ab63f5f9e68d75a12098bacc84b81aba7b7814be04af31b747fb1d126ac498a4bc270180b8849229f0765d6bda0f9d6875c2eaba6849c9106c7deaedb22

Download Submit
\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
16.3MB

MD5
ee757109d1b22fd67780d38adcb2e49e

SHA1
efcaa24c1d6b6513323fce984fb71615b0630853

SHA256
f9fec7a528ac1c1ca0fb0a3ab1a1d2a2dbae14a4bda6888e6cadf69550381b47

SHA512
7662ddf131ed968a247f1c2a09df4142264f67f60661f4c02fb2ce8c59c27de2cb9886de771f6bd47a010e0a91310f49e26795d160320bc2e2b71e063ad57ae0

Download Submit
memory/688-153-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/688-152-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/688-157-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/688-150-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/688-151-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/688-156-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/688-154-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/1896-112-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1896-116-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1896-117-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-115-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1896-114-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1896-113-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-109-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1896-110-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-111-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/2148-129-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2148-126-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2148-123-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2148-131-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-128-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2148-127-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-124-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2148-125-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-138-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-141-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2232-140-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-144-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-142-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2232-143-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2232-139-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/3024-155-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/3024-130-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-104-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/3024-13-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-9-0x00000000011D0000-0x00000000011EA000-memory.dmp

Filesize
104KB

Download