xworm | 7b6328329414fa681a268fbda25b3ee454bf1dcb3706e29d724d1038c700b9ab

Analysis

max time kernel
128s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xplor.exe
Size

43KB
MD5

ad4efdfce404977b56d0f104188f325b
SHA1

015f68788843c6d8f2d8a89151ae96f19732f506
SHA256

7b6328329414fa681a268fbda25b3ee454bf1dcb3706e29d724d1038c700b9ab
SHA512

1f114d722200bd7bb1b87e487330d7065b4d6da3cfe9f02f699503d263a547857ecfe89cef4e04f6f981af12325863b39aa19b5f550357d35b3aea69f3fb35b6
SSDEEP

768:oIIrUKPPi2ojXLkL+Dj3jV9sTi/UJrOaqBbxA63/nlea:oIWpP62oTLk2jTLsO/mqj/nlea

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:41402

Attributes

Install_directory
%AppData%
install_file
Teams.exe
telegram
https://api.telegram.org/bot7251026627:AAFe7iqGz4Cd2IluTlmdghq0XQUzAYL6FpY

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000002348d-43.dat	family_xworm
behavioral1/memory/5008-53-0x0000000000BD0000-0x0000000000C02000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	xplor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	Teams.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk	Teams.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk	Teams.exe

Executes dropped EXE 3 IoCs

pid	Process
5008	Teams.exe
928	Teams.exe
4596	Teams.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teams = "C:\\Users\\Admin\\AppData\\Roaming\\Teams.exe"	Teams.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4236	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1060	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	xplor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: 36	2884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: 36	2884	WMIC.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	5008	Teams.exe
Token: SeDebugPrivilege	5008	Teams.exe
Token: SeDebugPrivilege	928	Teams.exe
Token: SeDebugPrivilege	4596	Teams.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 388	3080	xplor.exe	86
PID 3080 wrote to memory of 388	3080	xplor.exe	86
PID 388 wrote to memory of 332	388	cmd.exe	88
PID 388 wrote to memory of 332	388	cmd.exe	88
PID 332 wrote to memory of 4432	332	cscript.exe	89
PID 332 wrote to memory of 4432	332	cscript.exe	89
PID 4432 wrote to memory of 2404	4432	cmd.exe	91
PID 4432 wrote to memory of 2404	4432	cmd.exe	91
PID 4432 wrote to memory of 2764	4432	cmd.exe	92
PID 4432 wrote to memory of 2764	4432	cmd.exe	92
PID 2764 wrote to memory of 2884	2764	powershell.exe	93
PID 2764 wrote to memory of 2884	2764	powershell.exe	93
PID 2764 wrote to memory of 1060	2764	powershell.exe	95
PID 2764 wrote to memory of 1060	2764	powershell.exe	95
PID 3080 wrote to memory of 5008	3080	xplor.exe	96
PID 3080 wrote to memory of 5008	3080	xplor.exe	96
PID 5008 wrote to memory of 448	5008	Teams.exe	97
PID 5008 wrote to memory of 448	5008	Teams.exe	97
PID 5008 wrote to memory of 3832	5008	Teams.exe	104
PID 5008 wrote to memory of 3832	5008	Teams.exe	104
PID 5008 wrote to memory of 4440	5008	Teams.exe	106
PID 5008 wrote to memory of 4440	5008	Teams.exe	106
PID 4440 wrote to memory of 4236	4440	cmd.exe	108
PID 4440 wrote to memory of 4236	4440	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xplor.exe
"C:\Users\Admin\AppData\Local\Temp\xplor.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\proxy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\system32\cscript.exe
    cscript //nologo temp.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\proxy.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\proxy.bat"
        5⤵
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\System32\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
- C:\Users\Admin\AppData\Local\Temp\Teams.exe
  "C:\Users\Admin\AppData\Local\Temp\Teams.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\Admin\AppData\Roaming\Teams.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:448
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Teams"
    3⤵
    PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC34.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4236

C:\Users\Admin\AppData\Roaming\Teams.exe
C:\Users\Admin\AppData\Roaming\Teams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Users\Admin\AppData\Roaming\Teams.exe
C:\Users\Admin\AppData\Roaming\Teams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Teams.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teams.exe

Filesize
174KB

MD5
5b0b34c692864a86067b8dd7cfe9279f

SHA1
57df0126235d5ede2c0f069e90488792a13f6b9f

SHA256
3a111ab1f2d61a9a2e4be2a37657b9d7627a55c414fb5885e3ece64f5f18a2a8

SHA512
20b076be2e23ef09a25e697e81c60645a0217fcb31695c50a533d32a35bb3b9fa73e15b1559ef21bed888c49b37a58cd4664da7eb5ce1517797c9655d42c46e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sc32c1l0.yqm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotZhVstg.bat

Filesize
172B

MD5
77b306681eb30f5c0b0ed03bc452918d

SHA1
66ec571ecb739fae0ddafabd6e252831168ff14d

SHA256
e2796d978e3f0b205ac1f9951f5689db8322955bff5aa5f7377c245c5076388e

SHA512
50d3e76e8b1fc7b90db5c461bace88604195aeddee17238b7124494969f4ae8b802b868c476962bb316ba818be36a120ca849dc15e18cfee1a7b40fc0f224690

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxy.bat

Filesize
3.4MB

MD5
768430c61888f6865e096ff1095d5013

SHA1
fadd8fb1c3bc5b76f5c5a1894e8aa7e1aca46624

SHA256
979a8c58e1589fcda32d1dd95ad199826ee5f9e05af33956f76fd632566ca44a

SHA512
125345722ecee2c89327ed1e2bf44c6f9872fa07b7406371751e5125ea3b09573f262720e94431564da075d6cd4eafdd61950fa87080b7f384683bd36554ea7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.vbs

Filesize
93B

MD5
846dde9e8c14ebae4e11d791674c8008

SHA1
d3779c868307680070cfd752bc64ee07cb88ed9f

SHA256
8f9f145d06f96fcd364e4ffc7942816cd717c679745f6db9ae51054e4dbeb945

SHA512
99c496241db187980b4e6d92d4c986475c8b5b341590be9b33ea8cc428a5ddcb18314508f36b8738c3856dc4a658370f1703df066c2c9609525b5b68a26a5149

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC34.tmp.bat

Filesize
157B

MD5
3a1b2938ddab8af85507091c53a7f5c4

SHA1
1669fe91f77380284293c98e820982fd6b79493d

SHA256
14c8d45871f1d2a7e8771672f80f3b9affa3405f970f246b64bc458b49d05e90

SHA512
cf9df04da570310510462b674b9fcea08b38284b7a2f9daa83dfdd9961b18f7f0b050100254aa0485c0b82ebf48c4a141d7fce5192e5f3bac0282a9a749f23f8

Download Submit
memory/2764-27-0x00000293B29E0000-0x00000293B2A02000-memory.dmp

Filesize
136KB

Download
memory/5008-53-0x0000000000BD0000-0x0000000000C02000-memory.dmp

Filesize
200KB

Download
memory/5008-64-0x00000000011D0000-0x00000000011DC000-memory.dmp

Filesize
48KB

Download