c2f1a7dd2775fa49204b83ab9fafdeb4d1d9b6706072f9a45ce4ae32e7dc998d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-RAT-V2.1-main/XWorm RAT V2.1/Command Reciever.exe
Size

6.5MB
MD5

a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1

e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256

67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512

7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
SSDEEP

98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Command Reciever.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe

Modifies registry class 20 IoCs

Processes:

Command Reciever.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Command Reciever.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Command Reciever.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Command Reciever.exe

pid	process
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Command Reciever.exe

pid process

4068 Command Reciever.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Command Reciever.exe

pid	process
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe
4068	Command Reciever.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Command Reciever.exe

pid process

4068 Command Reciever.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Command Reciever.exe

pid process

4068 Command Reciever.exe

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4068-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/4068-1-0x0000000000DF0000-0x0000000001482000-memory.dmp

Filesize
6.6MB

Download
memory/4068-2-0x0000000005E70000-0x0000000005F0C000-memory.dmp

Filesize
624KB

Download
memory/4068-3-0x00000000064C0000-0x0000000006A64000-memory.dmp

Filesize
5.6MB

Download
memory/4068-4-0x0000000005F10000-0x0000000005FA2000-memory.dmp

Filesize
584KB

Download
memory/4068-5-0x0000000005E40000-0x0000000005E4A000-memory.dmp

Filesize
40KB

Download
memory/4068-6-0x0000000006070000-0x00000000060C6000-memory.dmp

Filesize
344KB

Download
memory/4068-7-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-8-0x00000000072E0000-0x0000000007346000-memory.dmp

Filesize
408KB

Download
memory/4068-9-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-10-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/4068-11-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download