xworm | 15eb341d2ff1866160269470ef52df4889a17d2ca58476a77d0c2787845888b1

max time kernel
51s
max time network
57s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eagles Image Logger.exe
Size

6.5MB
MD5

822f47134b780406c02c48e1cdab2e38
SHA1

aa1c4a7b46223f663c8a8751fd3b295ab6443263
SHA256

15eb341d2ff1866160269470ef52df4889a17d2ca58476a77d0c2787845888b1
SHA512

652d6160ce92af854c865351f4b754d528c4493917bb1c4d54d629cf145ab006447cdc493953636acc18a1be078b06307cdac335ae0aa598a21c7d3832e0a818
SSDEEP

196608:vwSbstG7ykI+gHJnHgZcrOSrGymujAoWeVO:vKG7vI+gpnKnQGyXAod

Score

10^/10

xworm execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

bulletingmarrano-45523.portmap.host:45523

Attributes

Install_directory
%AppData%
install_file
RuntimeBroker.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000d00000001228a-6.dat	family_xworm
behavioral3/memory/3020-7-0x0000000000B00000-0x0000000000B1C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe
1408	powershell.exe
2400	powershell.exe
1992	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	installer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	installer.exe

Executes dropped EXE 3 IoCs

pid	Process
3020	installer.exe
2968	Eagles Image Logger.exe
2740	Eagles Image Logger.exe

Loads dropped DLL 3 IoCs

pid	Process
2248	Eagles Image Logger.exe
2968	Eagles Image Logger.exe
2740	Eagles Image Logger.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe"	installer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x003a000000013362-14.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2904	powershell.exe
1408	powershell.exe
2400	powershell.exe
1992	powershell.exe
3020	installer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	installer.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	3020	installer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3020	installer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3020	2248	Eagles Image Logger.exe	28
PID 2248 wrote to memory of 3020	2248	Eagles Image Logger.exe	28
PID 2248 wrote to memory of 3020	2248	Eagles Image Logger.exe	28
PID 2248 wrote to memory of 2968	2248	Eagles Image Logger.exe	29
PID 2248 wrote to memory of 2968	2248	Eagles Image Logger.exe	29
PID 2248 wrote to memory of 2968	2248	Eagles Image Logger.exe	29
PID 2968 wrote to memory of 2740	2968	Eagles Image Logger.exe	31
PID 2968 wrote to memory of 2740	2968	Eagles Image Logger.exe	31
PID 2968 wrote to memory of 2740	2968	Eagles Image Logger.exe	31
PID 3020 wrote to memory of 2904	3020	installer.exe	33
PID 3020 wrote to memory of 2904	3020	installer.exe	33
PID 3020 wrote to memory of 2904	3020	installer.exe	33
PID 3020 wrote to memory of 1408	3020	installer.exe	35
PID 3020 wrote to memory of 1408	3020	installer.exe	35
PID 3020 wrote to memory of 1408	3020	installer.exe	35
PID 3020 wrote to memory of 2400	3020	installer.exe	37
PID 3020 wrote to memory of 2400	3020	installer.exe	37
PID 3020 wrote to memory of 2400	3020	installer.exe	37
PID 3020 wrote to memory of 1992	3020	installer.exe	39
PID 3020 wrote to memory of 1992	3020	installer.exe	39
PID 3020 wrote to memory of 1992	3020	installer.exe	39
PID 3020 wrote to memory of 1404	3020	installer.exe	41
PID 3020 wrote to memory of 1404	3020	installer.exe	41
PID 3020 wrote to memory of 1404	3020	installer.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Eagles Image Logger.exe
"C:\Users\Admin\AppData\Local\Temp\Eagles Image Logger.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Roaming\installer.exe
  "C:\Users\Admin\AppData\Roaming\installer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\installer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1404
- C:\Users\Admin\AppData\Roaming\Eagles Image Logger.exe
  "C:\Users\Admin\AppData\Roaming\Eagles Image Logger.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\Eagles Image Logger.exe
    "C:\Users\Admin\AppData\Roaming\Eagles Image Logger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29682\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Roaming\Eagles Image Logger.exe

Filesize
6.4MB

MD5
965fb2fc5db15b030f765e34e2f7cbf9

SHA1
84f5d23cf66081cdcba281e93ddc0938741afd93

SHA256
c71c4fca850ad63b95858df49395fe31b9cb51efdd95660ab7187ad5432523e8

SHA512
75b1879a581d55d5d802eca53f7dbdeb06dbd8078e38264ff4687901fad6675423013c6f7a7359abc168aaa1942202cfc089f7a92ea41fa2d94c69ddb490c601

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a524f25cb2a090de939464d673ec3ac

SHA1
f721a1a67627d46abb8ffee007ab5cd093e185e1

SHA256
995a3b3e0d4db275bc1caadc9e7e03dc2631fcb234c83eb1f76b613e5126963b

SHA512
800aa6adac042b2f10abd7b8d73336947cc3e9094b799d9edbbf3c784df3c5c4e6ba3e796b5fe37e50e2d3d14b9f127618924c8d33e6ce88174de6475cb626e3

Download Submit
C:\Users\Admin\AppData\Roaming\installer.exe

Filesize
85KB

MD5
1b18c754c9cccfb1be40b725a7cf9b3e

SHA1
2b4bd57ef4d23021ee452b408dcc032aa7f78f07

SHA256
dc56aba24508d371ada577ba9af39be2919fd45e94ae04edc43c5c142c2524a9

SHA512
73bb18727104a5acfc33e0589c0dcacb046715adbdccbf4e77e79949405cf000cd238fa42c3abe938ee15403c75fb0c71cca8af1e9015db4ca92e9cfcd89ff59

Download Submit
memory/1408-59-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1408-58-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2248-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x00000000008F0000-0x0000000000F82000-memory.dmp

Filesize
6.6MB

Download
memory/2904-39-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2904-38-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/3020-33-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-10-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-7-0x0000000000B00000-0x0000000000B1C000-memory.dmp

Filesize
112KB

Download
memory/3020-75-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download