xworm | 6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe
Size

943KB
MD5

40a1bbdd302c9737d10df6648e6db7dc
SHA1

5f9d1d4d3aea4a82542b54a84d0fa7822bd24d2c
SHA256

6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e
SHA512

98fa809cb8b7fe598f07bc61658f39379cddbfbb44ebe4e1ae8882a9ead4406820585d51a0ce836d7f2e40e532acfde61c7ba7868175871f771503a813bd0f8b
SSDEEP

12288:XVTGAlfBpSGC9Ed/Ff6qVn60dP185uk+mzA0pRELuvg8IQjzek:XVT7rhCqd/N6qVlyug8IEaY81Pek

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2728-10-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2728-12-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2728-18-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2728-20-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2728-19-0x0000000000400000-0x0000000000414000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe
816	powershell.exe
2468	powershell.exe
1664	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe
1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe
1664	powershell.exe
1844	powershell.exe
816	powershell.exe
2468	powershell.exe
2728	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe
Token: SeDebugPrivilege	2728	InstallUtil.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	InstallUtil.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 1960 wrote to memory of 2728	1960	ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe	28
PID 2728 wrote to memory of 1664	2728	InstallUtil.exe	31
PID 2728 wrote to memory of 1664	2728	InstallUtil.exe	31
PID 2728 wrote to memory of 1664	2728	InstallUtil.exe	31
PID 2728 wrote to memory of 1664	2728	InstallUtil.exe	31
PID 2728 wrote to memory of 1844	2728	InstallUtil.exe	33
PID 2728 wrote to memory of 1844	2728	InstallUtil.exe	33
PID 2728 wrote to memory of 1844	2728	InstallUtil.exe	33
PID 2728 wrote to memory of 1844	2728	InstallUtil.exe	33
PID 2728 wrote to memory of 816	2728	InstallUtil.exe	35
PID 2728 wrote to memory of 816	2728	InstallUtil.exe	35
PID 2728 wrote to memory of 816	2728	InstallUtil.exe	35
PID 2728 wrote to memory of 816	2728	InstallUtil.exe	35
PID 2728 wrote to memory of 2468	2728	InstallUtil.exe	37
PID 2728 wrote to memory of 2468	2728	InstallUtil.exe	37
PID 2728 wrote to memory of 2468	2728	InstallUtil.exe	37
PID 2728 wrote to memory of 2468	2728	InstallUtil.exe	37

C:\Users\Admin\AppData\Local\Temp\ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe
"C:\Users\Admin\AppData\Local\Temp\ISF (10+2) Form 格福-3019 NASHVILLE.xls.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1fa27b13987234c8945f12d8578da8ae

SHA1
8ba21ee33ae5d036c8d564ddef799e562bd890f0

SHA256
8385345203b8e3da2d25edbe18623fae1d611353553a4472b6af5941353a1692

SHA512
2099f656b9abd658fb1f5a9370ca13a4ce24a529cdb71aa46ce7b32fc740ab5a2c2eb4bd202f67deadd0cf2cfbdbf8730aa7adbb7322240d26e9e8c0860ad020

Download Submit
\Users\Admin\AppData\Roaming\XClient.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/1960-15-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/1960-17-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-5-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/1960-6-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-1-0x00000000012B0000-0x00000000013A2000-memory.dmp

Filesize
968KB

Download
memory/1960-2-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-4-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/1960-3-0x0000000000EF0000-0x0000000000F34000-memory.dmp

Filesize
272KB

Download
memory/1960-21-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-0-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/1960-16-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-22-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-47-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-48-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-49-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download