xworm | 7bd2fa279b432eb8afc962e951ae03d9036adc8f381d315c8a846f4c5877c215

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BRATS V4.2‌‌.exe
Size

9.7MB
MD5

d7c805799b6b0b1a16223e4953d7d3d6
SHA1

84b9208b01fbbbec5995328945ffee4205a31fcf
SHA256

7bd2fa279b432eb8afc962e951ae03d9036adc8f381d315c8a846f4c5877c215
SHA512

0b0e054f337064d8d0c7b2ccb03bba8f2e3e6c4ab809261747082e380cc309980c6e4e8b19095e5ef1885beb5bcf17a556c08b7ee9ec9691a05fddd1cd5c9951
SSDEEP

196608:fxma6TVvueQBN7l6zrGgRYcZNWnmr2+EzXWLLYPm5ww87XUbmOVsXz/G:jzf78ZacZNW82+spwvsNXy

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

dsasinject-58214.portmap.io:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000002a99f-16.dat	family_xworm
behavioral2/memory/3920-26-0x0000000000450000-0x000000000046A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
4996	powershell.exe
1904	powershell.exe
1896	powershell.exe
3340	powershell.exe
4936	powershell.exe
1220	powershell.exe
2784	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
4200	BRATS V4.2.exe
3920	svchost.exe
4836	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4836	csrss.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4200	BRATS V4.2.exe
4200	BRATS V4.2.exe
2892	powershell.exe
2892	powershell.exe
4996	powershell.exe
4996	powershell.exe
1904	powershell.exe
1904	powershell.exe
1896	powershell.exe
1896	powershell.exe
3340	powershell.exe
3340	powershell.exe
4936	powershell.exe
4936	powershell.exe
1220	powershell.exe
1220	powershell.exe
2784	powershell.exe
2784	powershell.exe
3920	svchost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	svchost.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	4836	csrss.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3920	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4200	2416	BRATS V4.2‌‌.exe	77
PID 2416 wrote to memory of 4200	2416	BRATS V4.2‌‌.exe	77
PID 2416 wrote to memory of 4200	2416	BRATS V4.2‌‌.exe	77
PID 2416 wrote to memory of 3920	2416	BRATS V4.2‌‌.exe	78
PID 2416 wrote to memory of 3920	2416	BRATS V4.2‌‌.exe	78
PID 2416 wrote to memory of 4836	2416	BRATS V4.2‌‌.exe	79
PID 2416 wrote to memory of 4836	2416	BRATS V4.2‌‌.exe	79
PID 3920 wrote to memory of 2892	3920	svchost.exe	80
PID 3920 wrote to memory of 2892	3920	svchost.exe	80
PID 4836 wrote to memory of 4996	4836	csrss.exe	82
PID 4836 wrote to memory of 4996	4836	csrss.exe	82
PID 3920 wrote to memory of 1904	3920	svchost.exe	84
PID 3920 wrote to memory of 1904	3920	svchost.exe	84
PID 4836 wrote to memory of 1896	4836	csrss.exe	86
PID 4836 wrote to memory of 1896	4836	csrss.exe	86
PID 3920 wrote to memory of 3340	3920	svchost.exe	88
PID 3920 wrote to memory of 3340	3920	svchost.exe	88
PID 4836 wrote to memory of 4936	4836	csrss.exe	90
PID 4836 wrote to memory of 4936	4836	csrss.exe	90
PID 3920 wrote to memory of 1220	3920	svchost.exe	92
PID 3920 wrote to memory of 1220	3920	svchost.exe	92
PID 4836 wrote to memory of 2784	4836	csrss.exe	94
PID 4836 wrote to memory of 2784	4836	csrss.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\BRATS V4.2‌‌.exe
"C:\Users\Admin\AppData\Local\Temp\BRATS V4.2‌‌.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\BRATS V4.2.exe
  "C:\Users\Admin\AppData\Local\Temp\BRATS V4.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- C:\ProgramData\csrss.exe
  "C:\ProgramData\csrss.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
28KB

MD5
4d250bcbc14b9b2076b4c651ee3b7deb

SHA1
f5cd7173e1797f085b2da82cfa3729e0144bc16b

SHA256
41a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260

SHA512
3c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0a85f07903eaad4aace8865ff28679f

SHA1
caa147464cf2e31bf9b482c3ba3c5c71951566d1

SHA256
c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

SHA512
7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3191974035f167dcc246a2760b0a735a

SHA1
f84f81890d71bd90f56ebd6acf265eccacf2d5ad

SHA256
b5b9ca41af8d5829902352928f30400ed8fc41515f18a9ed4d06f2845d561d46

SHA512
bdae2185de2725850e79cc2ed1a8781f5df3ed40f0682682a941dcdadc842e1659ead1c783eead891fea8b9b81481f1b74cebc5f9474cacd823272ee54cc23ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffb9c20fe685c796ea298df0d71a1e13

SHA1
231be8d6975c76c27f657846a5a6c811c976fac2

SHA256
5cb77c4c1c44b909389d683a8c1bf546e1784deb48c3093859ce8efc7392d33d

SHA512
198ad9f8bab184f141892a337ace25a75e63d7a8f58138fb8bacd30ad203ae10da76c558f94e432dd084e587d1427c89ea6073229f1a0de57e41a6f76f98d639

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRATS V4.2.exe

Filesize
9.9MB

MD5
aa8c4f53eb0b74b766271e6c241fa104

SHA1
406089a0fbb3b53267158b4a20f4b2d519d6fe59

SHA256
7d6c33ea84649c9a85a406ee059bf6b3262dd73f7423aa42dcb4882465900157

SHA512
995e117350853713bd3791f5db424c5d86af26ffb1d93b0018492ec41cdf8963032bb5077d46e248aa408579a3efdf32375733753400d647a784ded367d4895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m34nozel.4hp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
76KB

MD5
7c1243aac3248ae75cc2bab7bf4dfaba

SHA1
3dd055ef06380e5886f59b76761132c36e8b3e8f

SHA256
dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda

SHA512
3f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf

Download Submit
memory/2416-0-0x00007FFAF7653000-0x00007FFAF7655000-memory.dmp

Filesize
8KB

Download
memory/2416-39-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/2416-2-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/2416-1-0x0000000000D60000-0x000000000170E000-memory.dmp

Filesize
9.7MB

Download
memory/2892-50-0x000002A33D880000-0x000002A33D8A2000-memory.dmp

Filesize
136KB

Download
memory/3920-35-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/3920-26-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/3920-134-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/4200-49-0x0000000000400000-0x0000000001403000-memory.dmp

Filesize
16.0MB

Download
memory/4200-41-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/4200-42-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/4200-43-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/4200-44-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/4200-47-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4200-45-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/4200-46-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4836-40-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download