Malware Analysis Report

2024-11-16 13:42

Sample ID 240531-ybmh1aag5w
Target 1_protected.exe
SHA256 82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f
Tags: xworm execution rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256 82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f

Threat Level: Known bad

The file 1_protected.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Drops startup file

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Gathers network information

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 19:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 19:36

Reported

2024-05-31 19:42

Platform

win7-20240221-en

Max time kernel

321s

Max time network

336s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1_protected.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 7.tcp.eu.ngrok.io | N/A | N/A
N/A | 7.tcp.eu.ngrok.io | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | 7.tcp.eu.ngrok.io | N/A | N/A
N/A | 7.tcp.eu.ngrok.io | N/A | N/A
N/A | 7.tcp.eu.ngrok.io | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Enumerates physical storage devices

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SndVol.exe | N/A
N/A | N/A | C:\Windows\system32\SndVol.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SndVol.exe | N/A
N/A | N/A | C:\Windows\system32\SndVol.exe | N/A
N/A | N/A | C:\Windows\system32\SndVol.exe | N/A
N/A | N/A | C:\Windows\system32\SndVol.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2216 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2216 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2216 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2216 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2252 wrote to memory of 1492 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2252 wrote to memory of 1492 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2252 wrote to memory of 1492 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2252 wrote to memory of 1492 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2216 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\CMD.EXE
PID 2216 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\CMD.EXE
PID 2216 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\CMD.EXE
PID 2216 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\CMD.EXE
PID 1852 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\CMD.EXE | C:\Windows\SysWOW64\ipconfig.exe
PID 1852 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\CMD.EXE | C:\Windows\SysWOW64\ipconfig.exe
PID 1852 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\CMD.EXE | C:\Windows\SysWOW64\ipconfig.exe
PID 1852 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\CMD.EXE | C:\Windows\SysWOW64\ipconfig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1_protected.exe

"C:\Users\Admin\AppData\Local\Temp\1_protected.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1_protected.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1_protected.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES144C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98F0AC178B014D908F42406DECEBB86D.TMP"

C:\Windows\SysWOW64\CMD.EXE

"CMD.EXE"

C:\Windows\SysWOW64\ipconfig.exe

ipconfig

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x5a4

C:\Windows\system32\SndVol.exe

SndVol.exe -f 45548697 26098

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.3.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp
DE | 3.125.188.168:10589 | 7.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp
DE | 3.67.15.169:10589 | 7.tcp.eu.ngrok.io | tcp

Files

memory/2216-0-0x00000000002D0000-0x000000000064C000-memory.dmp

memory/2216-1-0x000000007433E000-0x000000007433F000-memory.dmp

memory/2216-2-0x00000000002D0000-0x000000000064C000-memory.dmp

memory/2216-3-0x0000000074330000-0x0000000074A1E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 0d8eb4de34b3dec0cbfb3c3e075a1e8a
SHA1 9042f65a45cd3c5eec8de84b3a20646d87294b93
SHA256 012e9fa2ce6b9f74d656959f684a8ee4547179c8f3917f9913e3b746147c7899
SHA512 6f0e5d19736900af32685b9dee8c5d0abd7fb318e7ddabf5979307f2fd57c4cc14b864f9eb8afd2da0900517ba429790dfcb9dbd563de9b6f593debd1fb17184

\Users\Admin\AppData\Roaming\svchost.exe

MD5 0bb46f1aa0f9ec8b6ce4a718a6ffe8a4
SHA1 621449aa1d94f91b30ff7984a7457d6aed2d0075
SHA256 82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f
SHA512 5cd89e242d980aedc9fb0f0eb28b0202a6a6c5db6c1146d8d7ecebc72235982d9585086e4c9f62c9b0af8d7082c72b7397de468280050da0b438bd6ebbd5d443

memory/2216-27-0x0000000002270000-0x0000000002280000-memory.dmp

memory/2216-29-0x000000007433E000-0x000000007433F000-memory.dmp

memory/2216-30-0x0000000074330000-0x0000000074A1E000-memory.dmp

memory/2216-32-0x0000000002270000-0x0000000002280000-memory.dmp

memory/2216-39-0x0000000002290000-0x000000000229C000-memory.dmp

memory/2216-43-0x0000000005E00000-0x0000000005EB0000-memory.dmp

memory/2216-49-0x00000000022E0000-0x00000000022EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.cmdline

MD5 35373c4c4616ddc09ae128dae9762663
SHA1 03b4ceeb6276c9ae31bc1a8139d4b7300b1df9f5
SHA256 ab65fecd32fc5b83279c377b6806c3b20f7ab38f029af631abc7eb83f913434a
SHA512 e4a81f35489074d3ca3f2df638ad54ca0ce0a67c5a1dae16866aa8ba01be3f01a4adc823bd1331869320fa08762ba2283bb47eb8473650362da1f18d219bf62c

C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.0.vb

MD5 156a4b3e570d9c7efc0f0094dbceb24e
SHA1 ccd7e470b9114884d6e958ab4d8b4c451f493c66
SHA256 7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77
SHA512 90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

C:\Users\Admin\AppData\Local\Temp\RES144C.tmp

MD5 c3fc57e6fe3ca236b61eb644cc20edc7
SHA1 fc4bbf10c431f636d12bb31511de9302cab445e1
SHA256 2d5951f72a3afec92d951110da8ebb84c070a7eb18564ec953bd419d8050fe1d
SHA512 b9c981c941edf21f62ec7926adfdcbfc6909c2ffa82cc46d0db7627f913657282351288d6484f52188854b6b683fe8ce9a7ffd532ef3e95c0b16902063a28a72

C:\Users\Admin\AppData\Local\Temp\vbc98F0AC178B014D908F42406DECEBB86D.TMP

MD5 710d3e541335aeb7f7cd952aa48670a0
SHA1 32f8229f3699983e612cbcafe9999e3ffc361905
SHA256 264d580bf89ae8761e7aee9363d547c1e0c3f08063d1ec5c1dcafc72385dd8e3
SHA512 1e11fb7aab8314ec8ae8e1e9dec1d94d8b518ad363aa9b4117dbeb239046b7bf13a800eaf45fa5e149c2b4cae32f43edcda763a9f25dcf41e8e2372a5c4cad8e

memory/2216-65-0x00000000022F0000-0x00000000022F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\buex4sba\buex4sba.exe

MD5 43b54dea13182fc9bda33052e6862d0c
SHA1 9dbf487ea8f16961f5acaf16b86813df386e5f6c
SHA256 181e4da8d69ee6d9315613ba430cda2a2413a710f10739c85013c61089014d68
SHA512 20a2818ade17f8b8f574db91cffd7c419e659401dc57fbd2e95c0729507807eb7ea35beeba1974122f5a38f666d7a232d1bb3558869515217ee6ca0e9c267d68

memory/2216-73-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

memory/2216-78-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

memory/2216-80-0x0000000002C00000-0x0000000002C0A000-memory.dmp

memory/2216-82-0x0000000005A20000-0x0000000005AAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 19:36

Reported

2024-05-31 19:39

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1_protected.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | 7.tcp.eu.ngrok.io | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3488 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\1_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1_protected.exe

"C:\Users\Admin\AppData\Local\Temp\1_protected.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1_protected.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1_protected.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.3.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp
GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp
DE | 3.126.224.214:10589 | 7.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 214.224.126.3.in-addr.arpa | udp

Files

memory/3488-0-0x0000000000E20000-0x000000000119C000-memory.dmp

memory/3488-3-0x0000000000E20000-0x000000000119C000-memory.dmp

memory/3488-5-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

memory/3488-8-0x0000000000E20000-0x000000000119C000-memory.dmp

memory/3488-9-0x0000000005960000-0x00000000059FC000-memory.dmp

memory/3488-11-0x00000000058C0000-0x0000000005926000-memory.dmp

memory/3488-12-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/3488-13-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

memory/544-15-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-16-0x0000000000D80000-0x0000000000DB6000-memory.dmp

memory/544-17-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-18-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-19-0x0000000004C80000-0x00000000052A8000-memory.dmp

memory/544-20-0x00000000052B0000-0x00000000052D2000-memory.dmp

memory/544-21-0x0000000005350000-0x00000000053B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgzhszdw.h0z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/544-31-0x00000000056A0000-0x00000000059F4000-memory.dmp

memory/3488-33-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-34-0x0000000005B30000-0x0000000005B4E000-memory.dmp

memory/544-35-0x0000000005C10000-0x0000000005C5C000-memory.dmp

memory/544-37-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-38-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-39-0x00000000060D0000-0x0000000006102000-memory.dmp

memory/544-40-0x0000000070120000-0x000000007016C000-memory.dmp

memory/544-50-0x0000000005F60000-0x0000000005F7E000-memory.dmp

memory/544-51-0x0000000006DC0000-0x0000000006E63000-memory.dmp

memory/544-52-0x0000000007570000-0x0000000007BEA000-memory.dmp

memory/544-53-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

memory/544-54-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-55-0x0000000006F50000-0x0000000006F5A000-memory.dmp

memory/544-56-0x0000000007180000-0x0000000007216000-memory.dmp

memory/544-57-0x00000000070E0000-0x00000000070F1000-memory.dmp

memory/544-59-0x0000000007110000-0x000000000711E000-memory.dmp

memory/544-60-0x0000000007120000-0x0000000007134000-memory.dmp

memory/544-61-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/544-62-0x0000000007220000-0x000000000723A000-memory.dmp

memory/544-63-0x0000000007160000-0x0000000007168000-memory.dmp

memory/544-66-0x0000000074A30000-0x00000000751E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2188-68-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/2188-69-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/2188-70-0x0000000074A30000-0x00000000751E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60a4271f6349311f866219ec952ac2e0
SHA1 c524344b667721b38c2b915297763190e83b300c
SHA256 c0b8bc3f962282e2959606959010c7f25ed7726b4148ce86edfb7ca4a70d0765
SHA512 351a50ef33a6ecbdd0f62803611d1e17f110f454939f977cd2ee3d3bea15dad4470ccc0c6c7264709deab8b4f1d5912568206bb5c73b7639bb71a8a9a8546461

memory/2188-81-0x0000000070120000-0x000000007016C000-memory.dmp

memory/2188-93-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/3088-103-0x00000000063B0000-0x0000000006704000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b022b4ae4d72476f229ddd4cf72d9e48
SHA1 ea6b0f157fb4270afebce5c5cc15385333b565e8
SHA256 e762bb6530a284e4b07bccbb4f3297febd11c9836a6bcf6d455e232a2ba83b9c
SHA512 ef2efed8734e7553e7d1442cacec46d668658161cbfa4b6fc803bf91f7595ed1cd3a1ead211f50bcd98a30a091fdd6825be09d890f7d164c8a42a5b1d5d66267

memory/3088-105-0x0000000070120000-0x000000007016C000-memory.dmp

memory/3128-124-0x0000000005510000-0x0000000005864000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 efe318804f86a61f16b00757432d8ed3
SHA1 6dcadc84115d3d3c67c4d8ee49cedfef25d166ae
SHA256 48d1133243c5e6bec896191e86066da7ecff3efa528e82b136f5711279b65cd5
SHA512 850985663baff59ff9cdc0e9052d100a9ff22b08197041009299a9cecee22833e80c1ebad88f87f829e1be2bddd79e49fa4ed36f8bde742da0c61c65c682651b

memory/3128-127-0x0000000070120000-0x000000007016C000-memory.dmp

memory/3488-145-0x0000000006A90000-0x0000000006B22000-memory.dmp

memory/3488-146-0x0000000007A70000-0x0000000008014000-memory.dmp