xworm | 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LastActivityView.exe
Size

89KB
MD5

499e35df562563babfff6a1d2ee71743
SHA1

7bece5115d9df1fa43b6a7a69f9574a498388960
SHA256

6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b
SHA512

2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377
SSDEEP

1536:XQol2xVvTS+KaYKvHUxErb2PPSUF2Q06yG2OklzG2OrSBR27KmhDWP:XQvVqaZsqrbeafQUmklzG2OrUyKdP

Score

10^/10

xworm execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

https://pastebin.com/raw/R8gFU5SX:123456789

Attributes

Install_directory
%ProgramData%
install_file
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
pastebin_url
https://pastebin.com/raw/R8gFU5SX

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000BA0000-0x0000000000BBC000-memory.dmp	family_xworm
behavioral1/files/0x000f000000013a06-33.dat	family_xworm
behavioral1/memory/2152-35-0x0000000001270000-0x000000000128C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
2512	powershell.exe
2900	powershell.exe
2460	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk	LastActivityView.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk	LastActivityView.exe

Executes dropped EXE 6 IoCs

pid	Process
2152	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
768	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
1440	qneggv.exe
3012	qneggv.exe
1144	Process not Found
2636	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

Loads dropped DLL 3 IoCs

pid	Process
2084	LastActivityView.exe
1440	qneggv.exe
3012	qneggv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"	LastActivityView.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com
8	4.tcp.eu.ngrok.io
10	4.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0004000000004ed7-42.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2376	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2084	LastActivityView.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2512	powershell.exe
2900	powershell.exe
2460	powershell.exe
1604	powershell.exe
2084	LastActivityView.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	LastActivityView.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2084	LastActivityView.exe
Token: SeDebugPrivilege	2152	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
Token: SeDebugPrivilege	768	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
Token: SeDebugPrivilege	2636	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	LastActivityView.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2512	2084	LastActivityView.exe	29
PID 2084 wrote to memory of 2512	2084	LastActivityView.exe	29
PID 2084 wrote to memory of 2512	2084	LastActivityView.exe	29
PID 2084 wrote to memory of 2900	2084	LastActivityView.exe	31
PID 2084 wrote to memory of 2900	2084	LastActivityView.exe	31
PID 2084 wrote to memory of 2900	2084	LastActivityView.exe	31
PID 2084 wrote to memory of 2460	2084	LastActivityView.exe	33
PID 2084 wrote to memory of 2460	2084	LastActivityView.exe	33
PID 2084 wrote to memory of 2460	2084	LastActivityView.exe	33
PID 2084 wrote to memory of 1604	2084	LastActivityView.exe	35
PID 2084 wrote to memory of 1604	2084	LastActivityView.exe	35
PID 2084 wrote to memory of 1604	2084	LastActivityView.exe	35
PID 2084 wrote to memory of 2376	2084	LastActivityView.exe	37
PID 2084 wrote to memory of 2376	2084	LastActivityView.exe	37
PID 2084 wrote to memory of 2376	2084	LastActivityView.exe	37
PID 2148 wrote to memory of 2152	2148	taskeng.exe	40
PID 2148 wrote to memory of 2152	2148	taskeng.exe	40
PID 2148 wrote to memory of 2152	2148	taskeng.exe	40
PID 2148 wrote to memory of 768	2148	taskeng.exe	43
PID 2148 wrote to memory of 768	2148	taskeng.exe	43
PID 2148 wrote to memory of 768	2148	taskeng.exe	43
PID 2084 wrote to memory of 1440	2084	LastActivityView.exe	44
PID 2084 wrote to memory of 1440	2084	LastActivityView.exe	44
PID 2084 wrote to memory of 1440	2084	LastActivityView.exe	44
PID 1440 wrote to memory of 3012	1440	qneggv.exe	45
PID 1440 wrote to memory of 3012	1440	qneggv.exe	45
PID 1440 wrote to memory of 3012	1440	qneggv.exe	45
PID 2148 wrote to memory of 2636	2148	taskeng.exe	46
PID 2148 wrote to memory of 2636	2148	taskeng.exe	46
PID 2148 wrote to memory of 2636	2148	taskeng.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\qneggv.exe
  "C:\Users\Admin\AppData\Local\Temp\qneggv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\qneggv.exe
    "C:\Users\Admin\AppData\Local\Temp\qneggv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3012

C:\Windows\system32\taskeng.exe
taskeng.exe {AE22FC2A-6F01-4DEB-8F59-FE8A31FED8AF} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

Filesize
89KB

MD5
499e35df562563babfff6a1d2ee71743

SHA1
7bece5115d9df1fa43b6a7a69f9574a498388960

SHA256
6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

SHA512
2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14402\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d0c4212d740a26c4d3fcd24c68fc0ea

SHA1
8bc346562dfb8496f739ae55ce798663d6bfa2f1

SHA256
50bb785beb483441ac1ba6a7e3645fa04aaa8c0a548ef46616a34f9ddaa0d32f

SHA512
142245e443785bcc720813a7caa723f55c5d3e6d05871ee899b7c6b8acc33f45767b83c90c54e0401c1cc8897d23c8320fbb6b47f468a0f8c0706610ddf6d17d

Download Submit
\Users\Admin\AppData\Local\Temp\qneggv.exe

Filesize
10.2MB

MD5
af38680351a15c428ec9a61c008e6104

SHA1
57781afb1a13c8168518acdb725a46963b70103b

SHA256
0db881c078ae2a62ef4178e098d1089cfe71de1e8b504d92f9d6c672adbcb225

SHA512
66ef68046dfc212a75420b12fe9f4769dbfbef27b0574c9673267be6031ab21e285ccf07936a64a8e6d5333ea5f6a01e8d945c702cde8237cb427db78ef09f6f

Download Submit
memory/2084-1-0x0000000000BA0000-0x0000000000BBC000-memory.dmp

Filesize
112KB

Download
memory/2084-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2084-37-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-36-0x0000000001FF0000-0x0000000001FFC000-memory.dmp

Filesize
48KB

Download
memory/2084-31-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2152-35-0x0000000001270000-0x000000000128C000-memory.dmp

Filesize
112KB

Download
memory/2512-8-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2512-9-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2512-7-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2900-16-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2900-15-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download