xworm | 16dab8d574832e8f2d6c7e301b5546982fa1290177e921611a252aa7ffa8ce96

Analysis

max time kernel
1s
max time network
32s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aimware.exe
Size

16.3MB
MD5

5a72ded081c8c7c91b1d184373738090
SHA1

9896303af03baa31492cbbb69b6e56270f3f8788
SHA256

16dab8d574832e8f2d6c7e301b5546982fa1290177e921611a252aa7ffa8ce96
SHA512

9447b4adf3c00a652f4f7ab42fdaf05a10907cd0d4b2e55f0c0f450e668c6629b1ba72c0c5e7941018485855a8677284326e3b7b512c68099165b7c13dbd273e
SSDEEP

393216:G0OSkfUxwHprJEZx/efi8ddpARG2cNPZJJNp7w9XsR:REUxwJrJO/e68ddaRYNPZz7wcR

Score

10^/10

xworm pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

student-grocery.gl.at.ply.gg:29486

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral2/memory/1612-12-0x0000000000B40000-0x0000000000B5A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 1 IoCs

Processes:

XClient.exe

pid process

1612 XClient.exe
Loads dropped DLL 1 IoCs

Processes:

Aimware.exe

pid process

2772 Aimware.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
1612	XClient.exe

pid	process
2772	Aimware.exe

flow	ioc
4	ip-api.com

Detects Pyinstaller 7 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\creal.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Aimware.exe

description	pid	process	target process
PID 2772 wrote to memory of 1612	2772	Aimware.exe	XClient.exe
PID 2772 wrote to memory of 1612	2772	Aimware.exe	XClient.exe
PID 2772 wrote to memory of 1612	2772	Aimware.exe	XClient.exe
PID 2772 wrote to memory of 1612	2772	Aimware.exe	XClient.exe

C:\Users\Admin\AppData\Local\Temp\Aimware.exe
"C:\Users\Admin\AppData\Local\Temp\Aimware.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
3⤵
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Хост-процесс Windows (Rundll64)'
3⤵
PID:648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Хост-процесс Windows (Rundll64)'
3⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
2⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
3⤵
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29562\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
8.9MB

MD5
9fbae8e41b907bf74cd3a10c80832e6d

SHA1
99ffe583a0e12a2aba225e396e199bb043ec3e96

SHA256
356b008bb793ba7041183b4cab9306e548f6a61c4c6b933cfd01d4d15b4a1daf

SHA512
d8da945e09ac507de9666dafbe24e029673b7f9288859e6a4fd129023fcaa6e4150c3a0b70331f5da0e2816b4adbab0a55167a09c64c475bfb4635617f5e2917

Download Submit
C:\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
9.1MB

MD5
79f94f05a806931ac3190f90351c9c69

SHA1
0ceb4b6ec3ae83e89ec662eabd936ccb83388075

SHA256
4067f43c51bf3f0279db60cdbe78a4f593c7c09aba1ce3a66d02339b8ff679bd

SHA512
76f2ebb4e07cd0cc286f023a1df48370c1007388a06b782524fc41f3731b6b0c5e10ab724b58dfb0aeeefa1f2b1068795cc0d3e8575d2f4ce34a9fc45d69f203

Download Submit
C:\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
9.0MB

MD5
939cfbd53fe1eab166934d5048e1a326

SHA1
3ed484c4b875a11de1cd686e56b5031b5f7d120e

SHA256
03d6db4c4cc9257d7246c858d77086b79f9eb055d8ad64b2214db08916c1134e

SHA512
612f1a5f4fee8b9dc8ee078e8549fb45549173c7828516d0a59aa06895c111dc6da0eaabbba415ab8430ed5464365d249230fe545903917cfdfbdc7f8f4221a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HZ5M5E9M4VEFB883P8JE.temp
Filesize
7KB

MD5
11c32806bead3ae2b26b2736667fc87d

SHA1
9897938516b93532a7cf6b45cfd783e9be43852c

SHA256
e9959ce84b444aae20aec36c0264804965bd4b1847341573b3b129cac0061afd

SHA512
4adceb243d0cc8fd80def0e1f6e8b6c323badeb5ce78bdaf3f65303c9a3136c3a23b8bbfe0a0f51c51ca1ebc7e2d6b3d12e2c8c07eb18892e0f49648683fd726

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
81KB

MD5
7fd20d7541dc97df02299baa18b83d23

SHA1
6d0186e7917cb2aa9327557e2fd8d02e2db45c89

SHA256
88ea7cfec98e1c01792e35dca1927f7bf7e74689511a6405f1b7b730b9fddcfb

SHA512
cfff8ab63f5f9e68d75a12098bacc84b81aba7b7814be04af31b747fb1d126ac498a4bc270180b8849229f0765d6bda0f9d6875c2eaba6849c9106c7deaedb22

Download Submit
\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
8.8MB

MD5
7d5cb156b9c001dbcf846003716c70de

SHA1
30e15bc9fc487392b7603382266df4f3abf6d3bc

SHA256
4c6827079a8cc74db1d1632a49105d2efb4b414fb8ea2d648f57894f9c6843cd

SHA512
c569b4cd77e79fbc8778a3c4f3b2268b79e483e17a384d878ebbcb015eda125bc34a2a0575b7dca61d7036346d9e38b0590aad7b3158050e89192fe5dc8e4d04

Download Submit
\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
5.8MB

MD5
ae16ba26a0f40a87abb61808d298888c

SHA1
cab212fccf68ca33417f1c44294f64f451d597aa

SHA256
7ff2762d07f3e855bd61ce600dc14cb06cd93149b4323a0653cf2a7a9739ae76

SHA512
a65734987250a5649e8dee8decea5f5edafcd1265e9bc5dc48a2fdf466e90bd93913cfd868ea156996c9904cb3e38dfdccb8335e98b9aad3243c2b5b067d7a57

Download Submit
\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
6.1MB

MD5
48be05d24b2d67fa69a42c92ef61d2c6

SHA1
ddc082491356ae0b5acd2a6db9218e5edbd88a5e

SHA256
481ee78ace132d1ca62228b610fe4427a7aaf735e8fe3a7a1c78111475f8ba3e

SHA512
083959bfe1f7f0b22593c944c1925e942aebb7116092ccc9162959ee37da46b2f3ab45e5d9f975857ea8f7a05462a5de8693d737f1e87aa53770500057409cc5

Download Submit
\Users\Admin\AppData\Local\Temp\creal.exe
Filesize
10.5MB

MD5
a83d353a0e962fef66109256f16ca66c

SHA1
7a22890e81235689f8ea541e6053087a639262f7

SHA256
8169acc7f79a5f9c156bc520e485f4ba5acb6ab159ba7ad2c0a3c143b6f42fca

SHA512
672e37523d40cb35182585855467f96fbef2d30c1a0e188946d68f5785f61c23b0068c2ec7027ca9f15ce7a8127db9ab65676a1e484d7540281bfff6c58b5d04

Download Submit
memory/648-222-0x000007FEEE7C0000-0x000007FEEF15D000-memory.dmp

Filesize
9.6MB

Download
memory/648-227-0x000007FEEE7C0000-0x000007FEEF15D000-memory.dmp

Filesize
9.6MB

Download
memory/648-221-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-223-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-225-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-220-0x000007FEEE7C0000-0x000007FEEF15D000-memory.dmp

Filesize
9.6MB

Download
memory/648-226-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1504-236-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1504-235-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1504-233-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1504-237-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1504-238-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1504-239-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1504-240-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1612-104-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/1612-88-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-234-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/1612-224-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-12-0x0000000000B40000-0x0000000000B5A000-memory.dmp

Filesize
104KB

Download
memory/1928-119-0x000007FEEE7C0000-0x000007FEEF15D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-117-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1928-111-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1928-112-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1928-113-0x000007FEEE7C0000-0x000007FEEF15D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-114-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1928-115-0x000007FEEE7C0000-0x000007FEEF15D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-116-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1928-118-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1988-130-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1988-125-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1988-126-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1988-128-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1988-127-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1988-133-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1988-129-0x000007FEEDE20000-0x000007FEEE7BD000-memory.dmp

Filesize
9.6MB

Download
memory/1988-132-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1988-131-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download