xworm | 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
Size

724KB
MD5

6e1e63e97c09758e3db18ea31bd95284
SHA1

6f4a188d43122d22a14459123764a094ed56b37c
SHA256

2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512

0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP

12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.141.27.41:7000

Mutex

9ZF9ZsOZGh1T1r1n

Attributes

Install_directory
%Public%
install_file
csrss.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000016b5e-11.dat	family_xworm
behavioral1/memory/2612-12-0x0000000001270000-0x0000000001280000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000016b5e-11.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2612-12-0x0000000001270000-0x0000000001280000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016332-6.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
1532	powershell.exe
2848	powershell.exe
1204	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	example.exe
2612	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2904	example.exe
2904	example.exe
2904	example.exe
2904	example.exe
2904	example.exe
2856	powershell.exe
1532	powershell.exe
2848	powershell.exe
1204	powershell.exe
2612	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	XClient.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2612	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	XClient.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2904	2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe	28
PID 2224 wrote to memory of 2904	2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe	28
PID 2224 wrote to memory of 2904	2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe	28
PID 2224 wrote to memory of 2612	2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe	30
PID 2224 wrote to memory of 2612	2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe	30
PID 2224 wrote to memory of 2612	2224	2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe	30
PID 2904 wrote to memory of 2636	2904	example.exe	31
PID 2904 wrote to memory of 2636	2904	example.exe	31
PID 2904 wrote to memory of 2636	2904	example.exe	31
PID 2636 wrote to memory of 2652	2636	cmd.exe	32
PID 2636 wrote to memory of 2652	2636	cmd.exe	32
PID 2636 wrote to memory of 2652	2636	cmd.exe	32
PID 2636 wrote to memory of 2656	2636	cmd.exe	33
PID 2636 wrote to memory of 2656	2636	cmd.exe	33
PID 2636 wrote to memory of 2656	2636	cmd.exe	33
PID 2636 wrote to memory of 2716	2636	cmd.exe	34
PID 2636 wrote to memory of 2716	2636	cmd.exe	34
PID 2636 wrote to memory of 2716	2636	cmd.exe	34
PID 2612 wrote to memory of 2856	2612	XClient.exe	36
PID 2612 wrote to memory of 2856	2612	XClient.exe	36
PID 2612 wrote to memory of 2856	2612	XClient.exe	36
PID 2612 wrote to memory of 1532	2612	XClient.exe	38
PID 2612 wrote to memory of 1532	2612	XClient.exe	38
PID 2612 wrote to memory of 1532	2612	XClient.exe	38
PID 2612 wrote to memory of 2848	2612	XClient.exe	40
PID 2612 wrote to memory of 2848	2612	XClient.exe	40
PID 2612 wrote to memory of 2848	2612	XClient.exe	40
PID 2612 wrote to memory of 1204	2612	XClient.exe	42
PID 2612 wrote to memory of 1204	2612	XClient.exe	42
PID 2612 wrote to memory of 1204	2612	XClient.exe	42

C:\Users\Admin\AppData\Local\Temp\2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
"C:\Users\Admin\AppData\Local\Temp\2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\example.exe
  "C:\Users\Admin\example.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\example.exe" MD5
      4⤵
      PID:2652
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2656
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2716
- C:\Users\Admin\XClient.exe
  "C:\Users\Admin\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
91fe4edb40f8ad1b9c143dc5ecd6d048

SHA1
107c484fca49226b9f50b038d8a86448fd732a2f

SHA256
d07e51a90e16f27a9cb4c811e1c8c8e7153040ea8ce7dd96755a9b6292d95454

SHA512
6b4cd186511c8cf27716235231806eafc422501f0962170424a3ee1a456589738ab7d9de282b9a715c7e2b50379e7bae5ff8afc2551a17d859ed27c7b0744c22

Download Submit
C:\Users\Admin\XClient.exe

Filesize
40KB

MD5
7ea387ab126b2ecf3365d448a318a433

SHA1
71b6e05898b68ed72ca95266d6293b225c40b612

SHA256
573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015

SHA512
68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825

Download Submit
C:\Users\Admin\example.exe

Filesize
673KB

MD5
56a9b5d3e447355a8d29a2d02a00b70c

SHA1
af802aab037d6ae208b040e4e0b629665f208394

SHA256
8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1

SHA512
c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081

Download Submit
memory/1532-28-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1532-27-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2224-1-0x00000000003B0000-0x000000000046C000-memory.dmp

Filesize
752KB

Download
memory/2224-0-0x000007FEF50C3000-0x000007FEF50C4000-memory.dmp

Filesize
4KB

Download
memory/2612-14-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-15-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-12-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2612-45-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-46-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-21-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2856-20-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download