xworm | b6a0c0000264b84cffcf9fd20e7a6321a6ca97be8babf2092805fbb5ae577809

Analysis

max time kernel
133s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/07/2024, 23:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

injector.exe
Size

49KB
MD5

37fbd83271e9f0a2dbe4372ec015c23f
SHA1

7deaca82f648bc67b5cc86e20696fff3a6a957a9
SHA256

b6a0c0000264b84cffcf9fd20e7a6321a6ca97be8babf2092805fbb5ae577809
SHA512

a3eff87bf8f4d8265706aa366060b661628a8621441762078356e029ea23f6369bf3d807e33b4ca8ff0adb84f8ab17cd46fd7a5387237c2be81ba57d83c7d300
SSDEEP

768:ZWO7VMyjFxpyKlSFyx9DKx6YOjhNOKEkzbwonH8wSpO1bNX:ggVMy/sBFU9DU6YOjq1EwoH865F

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

https://pastebin.com/raw/r8P3Ngmc:324

Mutex

LrtSM6IVyhGy1fuw

Attributes

Install_directory
%AppData%
install_file
injector.exe
pastebin_url
https://pastebin.com/raw/r8P3Ngmc

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/4588-0-0x0000000000140000-0x0000000000152000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3000	powershell.exe
1940	powershell.exe
2748	powershell.exe
4132	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\injector.lnk	injector.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\injector.lnk	injector.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe"	injector.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
3000	powershell.exe
3000	powershell.exe
3000	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	injector.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeIncreaseQuotaPrivilege	1940	powershell.exe
Token: SeSecurityPrivilege	1940	powershell.exe
Token: SeTakeOwnershipPrivilege	1940	powershell.exe
Token: SeLoadDriverPrivilege	1940	powershell.exe
Token: SeSystemProfilePrivilege	1940	powershell.exe
Token: SeSystemtimePrivilege	1940	powershell.exe
Token: SeProfSingleProcessPrivilege	1940	powershell.exe
Token: SeIncBasePriorityPrivilege	1940	powershell.exe
Token: SeCreatePagefilePrivilege	1940	powershell.exe
Token: SeBackupPrivilege	1940	powershell.exe
Token: SeRestorePrivilege	1940	powershell.exe
Token: SeShutdownPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeSystemEnvironmentPrivilege	1940	powershell.exe
Token: SeRemoteShutdownPrivilege	1940	powershell.exe
Token: SeUndockPrivilege	1940	powershell.exe
Token: SeManageVolumePrivilege	1940	powershell.exe
Token: 33	1940	powershell.exe
Token: 34	1940	powershell.exe
Token: 35	1940	powershell.exe
Token: 36	1940	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2748	powershell.exe
Token: SeSecurityPrivilege	2748	powershell.exe
Token: SeTakeOwnershipPrivilege	2748	powershell.exe
Token: SeLoadDriverPrivilege	2748	powershell.exe
Token: SeSystemProfilePrivilege	2748	powershell.exe
Token: SeSystemtimePrivilege	2748	powershell.exe
Token: SeProfSingleProcessPrivilege	2748	powershell.exe
Token: SeIncBasePriorityPrivilege	2748	powershell.exe
Token: SeCreatePagefilePrivilege	2748	powershell.exe
Token: SeBackupPrivilege	2748	powershell.exe
Token: SeRestorePrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeSystemEnvironmentPrivilege	2748	powershell.exe
Token: SeRemoteShutdownPrivilege	2748	powershell.exe
Token: SeUndockPrivilege	2748	powershell.exe
Token: SeManageVolumePrivilege	2748	powershell.exe
Token: 33	2748	powershell.exe
Token: 34	2748	powershell.exe
Token: 35	2748	powershell.exe
Token: 36	2748	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeIncreaseQuotaPrivilege	4132	powershell.exe
Token: SeSecurityPrivilege	4132	powershell.exe
Token: SeTakeOwnershipPrivilege	4132	powershell.exe
Token: SeLoadDriverPrivilege	4132	powershell.exe
Token: SeSystemProfilePrivilege	4132	powershell.exe
Token: SeSystemtimePrivilege	4132	powershell.exe
Token: SeProfSingleProcessPrivilege	4132	powershell.exe
Token: SeIncBasePriorityPrivilege	4132	powershell.exe
Token: SeCreatePagefilePrivilege	4132	powershell.exe
Token: SeBackupPrivilege	4132	powershell.exe
Token: SeRestorePrivilege	4132	powershell.exe
Token: SeShutdownPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeSystemEnvironmentPrivilege	4132	powershell.exe
Token: SeRemoteShutdownPrivilege	4132	powershell.exe
Token: SeUndockPrivilege	4132	powershell.exe
Token: SeManageVolumePrivilege	4132	powershell.exe
Token: 33	4132	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1940	4588	injector.exe	73
PID 4588 wrote to memory of 1940	4588	injector.exe	73
PID 4588 wrote to memory of 2748	4588	injector.exe	76
PID 4588 wrote to memory of 2748	4588	injector.exe	76
PID 4588 wrote to memory of 4132	4588	injector.exe	78
PID 4588 wrote to memory of 4132	4588	injector.exe	78
PID 4588 wrote to memory of 3000	4588	injector.exe	80
PID 4588 wrote to memory of 3000	4588	injector.exe	80

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\injector.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\injector.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f9db1383d522155506432a20ea7c54e2

SHA1
1660a5a066c2a26393ce3b34d6a8af5e7971988c

SHA256
37eef42208d2a9bbebbb33c89019767dd6c174aefbe8418325a1a35c71d8b201

SHA512
43ef8de0cf06dbc272a60c4d2d059dce3cd83623dc0710a2e7beee1af0b4119d6199295694c6c5815f0e04dbb079a1cb2b30c40607165f1522c8ba1a0bbb3eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a3b4c8627c2eb142bdca79039dbfb7a

SHA1
2ac7226d22c2737ce12033525006fae371de5167

SHA256
6f5346d0ffbf8cc3810d36214830203560de3ea476261468b7b62393df1c0c55

SHA512
4de0cfc110f57e039270df7870a9f4dd5ebce9c7c7530a0e01679cc01d9554a25303df943b186fa97bcdb8c080de3052ef9d8c0634587323614da65ba1f40005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e68d0b1881b9084b62529aacdfda63b

SHA1
6e94ca42a8c817aa94b6f204212bde71b71927b6

SHA256
0876f27a62ea7970aadd4f3468bfe3f3c8823b557ec940dfd4aebb3ff434de02

SHA512
6c7e1198f1e27815c5c90bf10c2f93f3ff20d96e1054d55b1b8835c260db0173f388430dbe4b35dca918be575f58226506b1d3e53142b87a8c18f9723dc0612a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxeate4v.ckg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1940-10-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-11-0x000001AD7DCB0000-0x000001AD7DD26000-memory.dmp

Filesize
472KB

Download
memory/1940-12-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-41-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-48-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-52-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-9-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-6-0x000001AD7D9B0000-0x000001AD7D9D2000-memory.dmp

Filesize
136KB

Download
memory/4588-0-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/4588-1-0x00007FFE25063000-0x00007FFE25064000-memory.dmp

Filesize
4KB

Download
memory/4588-187-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/4588-188-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/4588-191-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download