xworm | 7bd2fa279b432eb8afc962e951ae03d9036adc8f381d315c8a846f4c5877c215

Analysis

max time kernel
19s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BRATS V4.2‌‌.exe
Size

9.7MB
MD5

d7c805799b6b0b1a16223e4953d7d3d6
SHA1

84b9208b01fbbbec5995328945ffee4205a31fcf
SHA256

7bd2fa279b432eb8afc962e951ae03d9036adc8f381d315c8a846f4c5877c215
SHA512

0b0e054f337064d8d0c7b2ccb03bba8f2e3e6c4ab809261747082e380cc309980c6e4e8b19095e5ef1885beb5bcf17a556c08b7ee9ec9691a05fddd1cd5c9951
SSDEEP

196608:fxma6TVvueQBN7l6zrGgRYcZNWnmr2+EzXWLLYPm5ww87XUbmOVsXz/G:jzf78ZacZNW82+spwvsNXy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

dsasinject-58214.portmap.io:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002357f-15.dat	family_xworm
behavioral1/memory/3260-26-0x0000000000BF0000-0x0000000000C0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
4528	powershell.exe
2240	powershell.exe
4360	powershell.exe
4108	powershell.exe
2264	powershell.exe
1532	powershell.exe
2020	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	BRATS V4.2‌‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	csrss.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
3096	BRATS V4.2.exe
3260	svchost.exe
3964	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3964	csrss.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3096	BRATS V4.2.exe
3096	BRATS V4.2.exe
1532	powershell.exe
1532	powershell.exe
2020	powershell.exe
2020	powershell.exe
888	powershell.exe
888	powershell.exe
4528	powershell.exe
4528	powershell.exe
2240	powershell.exe
4360	powershell.exe
2240	powershell.exe
4360	powershell.exe
2264	powershell.exe
2264	powershell.exe
4108	powershell.exe
4108	powershell.exe
3260	svchost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	svchost.exe
Token: SeDebugPrivilege	3964	csrss.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeBackupPrivilege	2580	vssvc.exe
Token: SeRestorePrivilege	2580	vssvc.exe
Token: SeAuditPrivilege	2580	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3260	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3096	4744	BRATS V4.2‌‌.exe	88
PID 4744 wrote to memory of 3096	4744	BRATS V4.2‌‌.exe	88
PID 4744 wrote to memory of 3096	4744	BRATS V4.2‌‌.exe	88
PID 4744 wrote to memory of 3260	4744	BRATS V4.2‌‌.exe	89
PID 4744 wrote to memory of 3260	4744	BRATS V4.2‌‌.exe	89
PID 4744 wrote to memory of 3964	4744	BRATS V4.2‌‌.exe	90
PID 4744 wrote to memory of 3964	4744	BRATS V4.2‌‌.exe	90
PID 3260 wrote to memory of 1532	3260	svchost.exe	93
PID 3260 wrote to memory of 1532	3260	svchost.exe	93
PID 3964 wrote to memory of 2020	3964	csrss.exe	95
PID 3964 wrote to memory of 2020	3964	csrss.exe	95
PID 3260 wrote to memory of 888	3260	svchost.exe	97
PID 3260 wrote to memory of 888	3260	svchost.exe	97
PID 3964 wrote to memory of 4528	3964	csrss.exe	99
PID 3964 wrote to memory of 4528	3964	csrss.exe	99
PID 3260 wrote to memory of 2240	3260	svchost.exe	101
PID 3260 wrote to memory of 2240	3260	svchost.exe	101
PID 3964 wrote to memory of 4360	3964	csrss.exe	103
PID 3964 wrote to memory of 4360	3964	csrss.exe	103
PID 3964 wrote to memory of 4108	3964	csrss.exe	105
PID 3964 wrote to memory of 4108	3964	csrss.exe	105
PID 3260 wrote to memory of 2264	3260	svchost.exe	106
PID 3260 wrote to memory of 2264	3260	svchost.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\BRATS V4.2‌‌.exe
"C:\Users\Admin\AppData\Local\Temp\BRATS V4.2‌‌.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\BRATS V4.2.exe
  "C:\Users\Admin\AppData\Local\Temp\BRATS V4.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\ProgramData\csrss.exe
  "C:\ProgramData\csrss.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
28KB

MD5
4d250bcbc14b9b2076b4c651ee3b7deb

SHA1
f5cd7173e1797f085b2da82cfa3729e0144bc16b

SHA256
41a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260

SHA512
3c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRATS V4.2.exe

Filesize
9.9MB

MD5
aa8c4f53eb0b74b766271e6c241fa104

SHA1
406089a0fbb3b53267158b4a20f4b2d519d6fe59

SHA256
7d6c33ea84649c9a85a406ee059bf6b3262dd73f7423aa42dcb4882465900157

SHA512
995e117350853713bd3791f5db424c5d86af26ffb1d93b0018492ec41cdf8963032bb5077d46e248aa408579a3efdf32375733753400d647a784ded367d4895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxdvlhdk.ojo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
76KB

MD5
7c1243aac3248ae75cc2bab7bf4dfaba

SHA1
3dd055ef06380e5886f59b76761132c36e8b3e8f

SHA256
dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda

SHA512
3f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf

Download Submit
memory/1532-59-0x00000269F2BD0000-0x00000269F2BF2000-memory.dmp

Filesize
136KB

Download
memory/3096-47-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/3096-48-0x0000000000400000-0x0000000001403000-memory.dmp

Filesize
16.0MB

Download
memory/3096-41-0x0000000001670000-0x0000000001671000-memory.dmp

Filesize
4KB

Download
memory/3096-46-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/3096-45-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3096-44-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3096-43-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/3096-42-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/3260-34-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

Filesize
10.8MB

Download
memory/3260-26-0x0000000000BF0000-0x0000000000C0A000-memory.dmp

Filesize
104KB

Download
memory/3964-40-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/4744-0-0x00007FFAAF443000-0x00007FFAAF445000-memory.dmp

Filesize
8KB

Download
memory/4744-39-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

Filesize
10.8MB

Download
memory/4744-2-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

Filesize
10.8MB

Download
memory/4744-1-0x0000000000CA0000-0x000000000164E000-memory.dmp

Filesize
9.7MB

Download