xworm | 61a40644545efe9ca21ab98829d613af37024cd779126ed55e7fd404912671f4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xca.exe
Size

34KB
MD5

cddd357366899c16ac793a9c02a2bc91
SHA1

51b94c67865078445f18cd88a9094201925b43cf
SHA256

61a40644545efe9ca21ab98829d613af37024cd779126ed55e7fd404912671f4
SHA512

b6c0a5877cf6d42976819a8545a6f316b44938da10e2a2d383b389a7eeba3a12d4c14dd7198f4c77cf7e0ebf2507f5d66dac62e568a66a6f2622442a7fae0b16
SSDEEP

768:3teHgjgARFWlaPMDVMpXgdGlA9Fg9uNO/hrbj:9QERFaaUD+BgdeeFg9uNO/Vv

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

friends-analytical.gl.at.ply.gg:44471

Mutex

1AMdFhkQS1xb2SWs

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1876-1-0x0000000000F00000-0x0000000000F0E000-memory.dmp	family_xworm
C:\Users\Admin\svchost.exe	family_xworm
behavioral1/memory/2764-7-0x0000000000FC0000-0x0000000000FCE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

2764 svchost.exe
2576 svchost.exe
1520 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2924 schtasks.exe

pid	process
2764	svchost.exe
2576	svchost.exe
1520	svchost.exe

pid	process
2924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xca.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1876	xca.exe
Token: SeDebugPrivilege	2764	svchost.exe
Token: SeDebugPrivilege	2576	svchost.exe
Token: SeDebugPrivilege	1520	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

xca.exetaskeng.exe

description	pid	process	target process
PID 1876 wrote to memory of 2924	1876	xca.exe	schtasks.exe
PID 1876 wrote to memory of 2924	1876	xca.exe	schtasks.exe
PID 1876 wrote to memory of 2924	1876	xca.exe	schtasks.exe
PID 2644 wrote to memory of 2764	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 2764	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 2764	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 2576	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 2576	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 2576	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 1520	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 1520	2644	taskeng.exe	svchost.exe
PID 2644 wrote to memory of 1520	2644	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xca.exe
"C:\Users\Admin\AppData\Local\Temp\xca.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
2⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\taskeng.exe
taskeng.exe {0E50D849-57E7-4F3B-8A69-E166B08159AB} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\svchost.exe
Filesize
34KB

MD5
cddd357366899c16ac793a9c02a2bc91

SHA1
51b94c67865078445f18cd88a9094201925b43cf

SHA256
61a40644545efe9ca21ab98829d613af37024cd779126ed55e7fd404912671f4

SHA512
b6c0a5877cf6d42976819a8545a6f316b44938da10e2a2d383b389a7eeba3a12d4c14dd7198f4c77cf7e0ebf2507f5d66dac62e568a66a6f2622442a7fae0b16

Download Submit
memory/1876-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download
memory/1876-1-0x0000000000F00000-0x0000000000F0E000-memory.dmp

Filesize
56KB

Download
memory/1876-3-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-8-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download
memory/1876-9-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-7-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

Filesize
56KB

Download