xworm | efa06e9799ef360dcbbf7d37e046986ac989adb4409aee7ad175767a035fa804

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Desktop.exe
Size

1.2MB
MD5

2dce02858aa01053276e5f91333f06a0
SHA1

2de850a50f176a79dfa1ecb07ac8c8af880e349b
SHA256

efa06e9799ef360dcbbf7d37e046986ac989adb4409aee7ad175767a035fa804
SHA512

23e63cb23771d5783f2d1883a8c68edfbceea94b7da11d74db3402e22a9cde077cd6033d959082aa0cae28db9ce8543a7c3d322f04cfac34f816c8219c1771c4
SSDEEP

24576:yuDXTIGaPhEYzUzA0bgQfFWC9zLVNkxfwJoMwnvoVJYneEuzXxh8p1WCmK72IfZ:1Djlabwz9kQfF5JgYqMwnsYn7UkkDLIh

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

connection-arizona.gl.at.ply.gg:65211

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234c3-27.dat	family_xworm
behavioral2/memory/1128-35-0x0000000000800000-0x0000000000830000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe
1632	powershell.exe
3652	powershell.exe
2256	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	checker.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	Desktop.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	checker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	checker.exe

Executes dropped EXE 5 IoCs

pid	Process
5016	checker.sfx.exe
3196	RTC_Launcher.exe
1128	checker.exe
388	svchost.exe
4472	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	checker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2092	powershell.exe
2092	powershell.exe
1632	powershell.exe
1632	powershell.exe
3652	powershell.exe
3652	powershell.exe
2256	powershell.exe
2256	powershell.exe
1128	checker.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	checker.exe
Token: SeDebugPrivilege	3196	RTC_Launcher.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1128	checker.exe
Token: SeDebugPrivilege	388	svchost.exe
Token: SeDebugPrivilege	4472	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1128	checker.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 5016	1036	Desktop.exe	86
PID 1036 wrote to memory of 5016	1036	Desktop.exe	86
PID 1036 wrote to memory of 3196	1036	Desktop.exe	88
PID 1036 wrote to memory of 3196	1036	Desktop.exe	88
PID 5016 wrote to memory of 1128	5016	checker.sfx.exe	89
PID 5016 wrote to memory of 1128	5016	checker.sfx.exe	89
PID 1128 wrote to memory of 2092	1128	checker.exe	91
PID 1128 wrote to memory of 2092	1128	checker.exe	91
PID 1128 wrote to memory of 1632	1128	checker.exe	93
PID 1128 wrote to memory of 1632	1128	checker.exe	93
PID 1128 wrote to memory of 3652	1128	checker.exe	95
PID 1128 wrote to memory of 3652	1128	checker.exe	95
PID 1128 wrote to memory of 2256	1128	checker.exe	97
PID 1128 wrote to memory of 2256	1128	checker.exe	97
PID 1128 wrote to memory of 1244	1128	checker.exe	99
PID 1128 wrote to memory of 1244	1128	checker.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Roaming\checker.sfx.exe
  "C:\Users\Admin\AppData\Roaming\checker.sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Roaming\checker.exe
    "C:\Users\Admin\AppData\Roaming\checker.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\checker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'checker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1244
- C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
  "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3196

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d1065573a0dbb09303ef324ab9b41a7

SHA1
9d0099e575b74d00fa39e3a7e84933c4ed753fc2

SHA256
1a6b86d72340011d4bb464c09cf11806b1b371bb70b3e287d3f569e15bcafd97

SHA512
bfcd159a47a36bf4fab290631859bd56aabca5577368bae5705cbc254de36a97122d6864a0aecfd8c6d0adb8ed7b3b52fbd4aa6694b9cfa5a9f211e79b39f7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_52s5pth4.14e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe

Filesize
758KB

MD5
cb1929328dea316fcb34f3486697d16e

SHA1
8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

SHA256
7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

SHA512
90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

Download Submit
C:\Users\Admin\AppData\Roaming\checker.exe

Filesize
166KB

MD5
5a4ec217baf0274a69c939ced1ed50f8

SHA1
fc0ea2e2865b2eebc9e2ccc91ae900b9bedefcec

SHA256
2f28a96343eeb7421dbd5b20ce1dddb33b61cd5aee37ac5e1fcf2b2a0b237c1f

SHA512
bc85e6a23829dcbd31a3ceec5fda20e4484e745ed25962e9b5fa131f3f1e8cf8ed926e44a1ee96c70340d2a48b2e2ed9c143d46656d14c92c429cf65a8e9b5f4

Download Submit
C:\Users\Admin\AppData\Roaming\checker.sfx.exe

Filesize
503KB

MD5
5da956740023898acc56f8559f5e72b3

SHA1
c8acb57ec376bd63c95f33076894a472c900fef2

SHA256
0788d1d1029aabfed8f5fd2f4621d7d860455c8e282cbe7ec00ed1312c44a1d7

SHA512
48d0690927740aa2f52ae83614a376211720632a92398c8d0e9cdea419fb46d4d95b39b980e5ccf6b8cb659034a2e38d78db60d7cb9fd6c7d47cdc7d8c0a488e

Download Submit
memory/1128-35-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/2092-45-0x0000029575DC0000-0x0000029575DE2000-memory.dmp

Filesize
136KB

Download
memory/3196-22-0x0000020A14810000-0x0000020A148D4000-memory.dmp

Filesize
784KB

Download
memory/3196-21-0x00007FFFB2053000-0x00007FFFB2055000-memory.dmp

Filesize
8KB

Download