Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
02-05-2024 16:54
General
-
Target
XWorm-RAT-V2.1-main.zip
-
Size
34.0MB
-
MD5
88dfc456336a95ffeac16d9276083b7b
-
SHA1
8949c8c8778bd6412a456212d4ba2707f12e9d7a
-
SHA256
edbdc2e1bed353b533761a069b2d9a563683318fd1657ce09f9be2fa8ccd497a
-
SHA512
988ec72613d155bc362b1c0e0f1ee731f9653947328084e96eb436e7576b8e9c5114e59488216ea4f05d48126c5dbd7e983a02a412755b59b961f15c3ceea5f5
-
SSDEEP
786432:jiIKRjrYlNTspDclWQUF4DQXzTnHB35mjVjYX/BbmLqIZW:efApsGAX0Wh35mj+bY8
Malware Config
Extracted
xworm
127.0.0.1:7000
duOqxoZJn4KwRoB3
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 6 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies registry class 55 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Documents\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"C:\Users\Admin\Documents\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"C:\Users\Admin\Documents\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpclfxnk\qpclfxnk.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4320FF6369B84779B041E19BCE842EF.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pko2udc3\pko2udc3.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DA42408C96647C79C3E94D2C45EF8F.TMP"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7E14.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7E14.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4388"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind ":"4⤵
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f6⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Admin\Downloads\XWorm.exe"C:\Users\Admin\Downloads\XWorm.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "XWorm" /tr "C:\Users\Admin\AppData\Roaming\XWorm.exe"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "XWorm"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp44EA.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\XWorm.exeC:\Users\Admin\AppData\Roaming\XWorm.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\YoutubeSimulator.exe"C:\Users\Admin\Downloads\YoutubeSimulator.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "YoutubeSimulator" /tr "C:\Users\Admin\AppData\Roaming\YoutubeSimulator.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Downloads\YoutubeSimulator.exe"C:\Users\Admin\Downloads\YoutubeSimulator.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\YoutubeSimulator.exeC:\Users\Admin\AppData\Roaming\YoutubeSimulator.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm.exe.logFilesize
1KB
MD5e7edf56d23e3eddab9453776bd1cc9ed
SHA136c5a79710d6810871de84443bc4f42c404504bc
SHA256b115c8bd4e8c80eedb64322046695b1bb6783ddfebf7bf93a0562a12bb4de95a
SHA512ab2c905ff55d9a202469218f65d6df63eac131c06886316ae4e8cd05dffaa42541d11df774d89629d0cc6df067ed9d0c2b44811952e4f3668c3e9d4fb84f57a1
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exeFilesize
5.6MB
MD5b8703418e6c3d1ccd83b8d178ab9f4c9
SHA16fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA51275ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
-
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dllFilesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
C:\Users\Admin\AppData\Local\Temp\RES7DBD.tmpFilesize
1KB
MD5fc4d4d39cc055bd34a997dbee23461fa
SHA1c1c61c6df42be4edf2f659cf6556db43bebef3eb
SHA2567ed2a08fe16f77d0dae93e4757a2cbca6f0370d9b1ea4a8bacaa84ab36549fe2
SHA51216ecd1e09e76d6de6d560a9c4cd6b9b3bf645cd6735b78965cd798cfc8075eeb3d9ebb3e697489f0dc98f8dc10417c74cec8148b2e5dae5bd0ea6b62d21ed46d
-
C:\Users\Admin\AppData\Local\Temp\RESCEE4.tmpFilesize
1KB
MD55ea10fdebc102b33439620ee7e844d57
SHA19f6a5bbe2a3dcc92bb8a73b10883f8d2ee143ef9
SHA2563ab629b882a716e62a25233ed5605bf3ab07f28b204e7f54841a725c45299bf9
SHA512b48d35273d9aab65ecfa4c0a5ee2c9d73638d5e8b2cb97710e9af91792a89510cf3a14bc1e0d7f1ac73a3eb45fa39222be7deaab5b7b55d5cc101d5d36ddac2a
-
C:\Users\Admin\AppData\Local\Temp\pko2udc3\pko2udc3.0.vbFilesize
60KB
MD545e830467adabde5df3c45c7e4631f96
SHA13f58ff7f59eab9cb0d881e9b32d8ebe333373d77
SHA25645cb9e98bbd904b26780478c59d00d8fdba0e1a1f8185629dc87eb3ef435416a
SHA51242cdccb8ee9587e8603535e973d9a050b2b989d0414c071ca2a401fa1bfc3c349dc75eb84278175fde0a1dee3032b632816a938c02eada63ba4d6f4b92b4be63
-
C:\Users\Admin\AppData\Local\Temp\pko2udc3\pko2udc3.cmdlineFilesize
269B
MD5d3a391855037c77e7e0e1df5a6091151
SHA1d3f0dfcb5be2fa2b1b9a776cabc0ced499311f44
SHA2562eb5461149fddc072d8313d0d01a3234d9948ae19da2bff5cffb33cdaeb3ae0a
SHA5127cab7afef6234d77d1cf375a79dc8fd146d3abd14dd7648b43aecb71d425de3aaaaa87b371d2c88d1c6c90b046cefaaec3fe8dbb5971b5698441d264b14f4c0c
-
C:\Users\Admin\AppData\Local\Temp\qpclfxnk\qpclfxnk.0.vbFilesize
60KB
MD5e97caf82ffa66d812910c80b4b2820ce
SHA1f158894a089aa09f97fe486888bde206a5ec0fc0
SHA2568dccf5a7131ea40afdfacefd94cdacb90a123c7390ee279a7c74ba903058a9ee
SHA5129624b48093b7537d26d771e34f6e689c252cad9a1b9d67d42a24a5136062e5ac4ae95b0a7da40a67196a8e8b18f05ccbb68ef54f16d1d26347c9b5a63b387006
-
C:\Users\Admin\AppData\Local\Temp\qpclfxnk\qpclfxnk.cmdlineFilesize
269B
MD59ba143b45590ce6eca1dd9c99d540752
SHA13eb4a214e1479b29d645938bfbfc7d6cfad23433
SHA25646e13ed991c1ebcc91bf1c119a9ef3984a2e0de8b3e7e30775c28afc24d7ada5
SHA512b85c3f3fa6de4dcefafd6e2a2456418fa6a0437e6e0a19bb697bad8796a44a040ac36edf9ad3d32ffc767a38b2a0e38678ceb945dc85c696fb7bd57aa2204bf8
-
C:\Users\Admin\AppData\Local\Temp\tmp44EA.tmp.batFilesize
148B
MD5bb2ed461b8e7dbefe63163315ac92ee7
SHA1bc51f3b0127f2ef85a20778de3177a3136465b73
SHA256b1f9c0e9ac2e0ca098c750382350682c2b58f7ade9b3d208d983e61627f8a91d
SHA51258b31ad3e0b715d296baf01e0f78814328e7de3566041dc79b4b67bf2b2df66387c6cb154e7ee58332ee664fa30ba596d58e11ce0ccef41cacefb63b4738e157
-
C:\Users\Admin\AppData\Local\Temp\tmp7E14.tmp.batFilesize
290B
MD58e44845eec66f1d61daee75c19f9a497
SHA191a3ce4de1e199d7ac8e0ce65636a59e4158f510
SHA25695c3d8245d72df84a1b4fb9879b241885a122f3ceb060110b478ed331d289050
SHA5120449914d6e9177d11a5b16e603f29a8ab962935f34a0828369c651c7929d9c38590ead03fbad252d724e9c1353ab3789e0b0a4276db1a2bec3467306de121948
-
C:\Users\Admin\AppData\Local\Temp\vbc4320FF6369B84779B041E19BCE842EF.TMPFilesize
1KB
MD5b70192bdfa82953d23893557b94122f2
SHA14fd73efd6a6b28f57df1dde6a4241526c5b0fb60
SHA2566443d3bc34cc48e858c4fdb3ab0ad9a433705f266cb70f92886e90cbf589eab4
SHA5126dcb0273ffe6675af850d0a5e1976d9e8f8e9d6306a21856b1df4d8c0fef38fb8ff28f113e8c8b923c6451e32e734c514a15f79efe6316f180874f78608928da
-
C:\Users\Admin\Downloads\XWorm.exeFilesize
42KB
MD56e602ed5492e0258294ea5cc8e3ea74a
SHA137d44ed96a6ad0aa2e2d75e376295267fdc75622
SHA256ea4c32d7aa3ad51c6890d3c18a1a8db963ac4bd6425608ec9e1fc48fc9ef8361
SHA5124bbeaf620465b7353027dba9ae362dfa1b3ba0dcc5978264637a800f6e2f378c7c0ed45f174bd9cc21d40b3ef041c1e58eb05a6a1b063fb9da7d4e8ef8348d61
-
C:\Users\Admin\Downloads\YoutubeSimulator.exeFilesize
42KB
MD579651f83b93c25ae9f99cf23fc3435bb
SHA1537ebb24e9b1c6b42fcb0d35690a61f74e53dfd4
SHA2565e2002f4618817d4f59cd948a66749e6778e116b39cdfc2991bf69d174a2ffce
SHA5128193aede9f3c0c3c93ccc8e4f8b0c6ad874483bcbfd5dcc29c39bb9ccc6662fd30ec492d571ac52e3c42b78e88acfb35d4d6cb5917bccc278c7fa7fb9a7eff10
-
memory/760-143-0x0000000000750000-0x0000000000760000-memory.dmpFilesize
64KB
-
memory/1148-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmpFilesize
4KB
-
memory/1148-2-0x0000000005730000-0x0000000005CD6000-memory.dmpFilesize
5.6MB
-
memory/1148-1-0x0000000000540000-0x0000000000782000-memory.dmpFilesize
2.3MB
-
memory/1992-39-0x000002C574DA0000-0x000002C574E0A000-memory.dmpFilesize
424KB
-
memory/1992-41-0x000002C574EF0000-0x000002C574FA2000-memory.dmpFilesize
712KB
-
memory/1992-42-0x000002C574FF0000-0x000002C575040000-memory.dmpFilesize
320KB
-
memory/1992-43-0x000002C575240000-0x000002C575262000-memory.dmpFilesize
136KB
-
memory/1992-45-0x000002C5752B0000-0x000002C5752EA000-memory.dmpFilesize
232KB
-
memory/1992-46-0x000002C574B30000-0x000002C574B56000-memory.dmpFilesize
152KB
-
memory/1992-64-0x000002C5752F0000-0x000002C575302000-memory.dmpFilesize
72KB
-
memory/1992-38-0x000002C574D20000-0x000002C574D2A000-memory.dmpFilesize
40KB
-
memory/3140-94-0x0000000000970000-0x000000000097A000-memory.dmpFilesize
40KB
-
memory/3140-95-0x0000000000A30000-0x0000000000A3A000-memory.dmpFilesize
40KB
-
memory/3140-84-0x00000000001B0000-0x00000000001C0000-memory.dmpFilesize
64KB
-
memory/3140-97-0x0000000000A50000-0x0000000000A5A000-memory.dmpFilesize
40KB
-
memory/3140-96-0x000000001D740000-0x000000001DC68000-memory.dmpFilesize
5.2MB
-
memory/4056-25-0x0000000005580000-0x000000000558A000-memory.dmpFilesize
40KB
-
memory/4056-88-0x0000000010170000-0x00000000101F2000-memory.dmpFilesize
520KB
-
memory/4056-26-0x00000000056B0000-0x0000000005706000-memory.dmpFilesize
344KB
-
memory/4056-28-0x00000000089B0000-0x0000000008A16000-memory.dmpFilesize
408KB
-
memory/4056-17-0x0000000005610000-0x00000000056A2000-memory.dmpFilesize
584KB
-
memory/4056-15-0x00000000054D0000-0x000000000556C000-memory.dmpFilesize
624KB
-
memory/4056-11-0x00000000004E0000-0x0000000000B72000-memory.dmpFilesize
6.6MB
-
memory/4388-27-0x0000021159220000-0x000002115923E000-memory.dmpFilesize
120KB
-
memory/4388-18-0x0000021156F10000-0x00000211574B0000-memory.dmpFilesize
5.6MB
-
memory/4388-24-0x0000021159270000-0x00000211592E6000-memory.dmpFilesize
472KB