Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 20:29
Static task: static1
Behavioral task: behavioral1
Sample: XwormLoader.exe
Resource: win7-20231129-en
General
- Target: XwormLoader.exe
- Size: 7.8MB
- MD5: f194b7e7fdbfe0fbf70673937337dc05
- SHA1: ca1fb45e83d267ce039a4639181b5f790f5b3241
- SHA256: 3e4cbe1810496aff2ef544d0aa0b5f8d1c69e2a4e86c21921348ede7a9db3967
- SHA512: d63a5d2c84b42944820622fae2bc1cb681ea1e709b9972c35bfca28e198bc18f86f63718b62e50aafa59005df13f2d0f6edd017947133a2cd53688a7cd5844e2
- SSDEEP: 196608:W7b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr5:W7yvRZBEP3xZi5Oso+PWbXooL4Sa
Malware Config
Signatures
Detect Xworm Payload (3 IoCs)
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\svchost.exe: family_xworm
- behavioral1/memory/1268-9-0x0000000000290000-0x00000000002BA000-memory.dmp: family_xworm
- behavioral1/memory/1744-52-0x0000000000BF0000-0x0000000000C1A000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 2444 powershell.exe
- 2696 powershell.exe
- 2940 powershell.exe
- 3040 powershell.exe
.NET Reactor protector (3 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\svchost.exe: net_reactor
- behavioral1/memory/1268-9-0x0000000000290000-0x00000000002BA000-memory.dmp: net_reactor
- behavioral1/memory/1744-52-0x0000000000BF0000-0x0000000000C1A000-memory.dmp: net_reactor
Deletes itself (1 IoCs)
Processes (pid, process):
- 2528 cmd.exe
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1268 svchost.exe
- 3020 Xworm V5.6.exe
- 1744 svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoCs)
Processes (pid, process):
- 2676 timeout.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
- 1268 svchost.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
- 2444 powershell.exe
- 2696 powershell.exe
- 2940 powershell.exe
- 3040 powershell.exe
- 1268 svchost.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1268 svchost.exe
- Token: SeDebugPrivilege, 2444 powershell.exe
- Token: SeDebugPrivilege, 2696 powershell.exe
- Token: SeDebugPrivilege, 2940 powershell.exe
- Token: SeDebugPrivilege, 3040 powershell.exe
- Token: SeDebugPrivilege, 1744 svchost.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
- 1268 svchost.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes (description, pid, process, target process):
- PID 1908 wrote to memory of 1268 (XwormLoader.exe -> svchost.exe)
- PID 1908 wrote to memory of 1268 (XwormLoader.exe -> svchost.exe)
- PID 1908 wrote to memory of 1268 (XwormLoader.exe -> svchost.exe)
- PID 1908 wrote to memory of 3020 (XwormLoader.exe -> Xworm V5.6.exe)
- PID 1908 wrote to memory of 3020 (XwormLoader.exe -> Xworm V5.6.exe)
- PID 1908 wrote to memory of 3020 (XwormLoader.exe -> Xworm V5.6.exe)
- PID 1908 wrote to memory of 2528 (XwormLoader.exe -> cmd.exe)
- PID 1908 wrote to memory of 2528 (XwormLoader.exe -> cmd.exe)
- PID 1908 wrote to memory of 2528 (XwormLoader.exe -> cmd.exe)
- PID 2528 wrote to memory of 2676 (cmd.exe -> timeout.exe)
- PID 2528 wrote to memory of 2676 (cmd.exe -> timeout.exe)
- PID 2528 wrote to memory of 2676 (cmd.exe -> timeout.exe)
- PID 1268 wrote to memory of 2444 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2444 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2444 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2696 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2696 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2696 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2940 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2940 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2940 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 3040 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 3040 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 3040 (svchost.exe -> powershell.exe)
- PID 1268 wrote to memory of 2620 (svchost.exe -> schtasks.exe)
- PID 1268 wrote to memory of 2620 (svchost.exe -> schtasks.exe)
- PID 1268 wrote to memory of 2620 (svchost.exe -> schtasks.exe)
- PID 3020 wrote to memory of 2820 (Xworm V5.6.exe -> WerFault.exe)
- PID 3020 wrote to memory of 2820 (Xworm V5.6.exe -> WerFault.exe)
- PID 3020 wrote to memory of 2820 (Xworm V5.6.exe -> WerFault.exe)
- PID 1756 wrote to memory of 1744 (taskeng.exe -> svchost.exe)
- PID 1756 wrote to memory of 1744 (taskeng.exe -> svchost.exe)
- PID 1756 wrote to memory of 1744 (taskeng.exe -> svchost.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe (PID 1908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2696)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2940)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3040)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 2620)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe (PID 3020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 2820)
      Command line: C:\Windows\system32\WerFault.exe -u -p 3020 -s 728
  - C:\Windows\system32\cmd.exe (PID 2528)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.bat""
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 2676)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
- C:\Windows\system32\taskeng.exe (PID 1756)
  Command line: taskeng.exe {E5FD336B-3A23-4064-AD2D-46EE07BA4E6F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\svchost.exe (PID 1744)
    Command line: C:\ProgramData\svchost.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads