xworm | e6f83dc04194dcd171ec918e9545b5f1ef71276b17ac03946e66e640eb37d9e6

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VicTweaks.exe
Size

153KB
MD5

f77f28c05650e81f23e8ca6659607b11
SHA1

eb7ece2f3515c2b402be5bc79967318ed4cdcb09
SHA256

e6f83dc04194dcd171ec918e9545b5f1ef71276b17ac03946e66e640eb37d9e6
SHA512

f0b47486f95b53e72605aeedd9d583408dffbb784cb618aaa3eec2726d1300488d186ba21f11403b91c2fa382bfb836fb7e286921b31e0a57425d8b9eeb59713
SSDEEP

3072:xrBuw2j46bqwXi/OiS71HBz65/M6If+3Js+3JFkKeTne:xebVnZHxBt25

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

12.0.0.0.1:7000

Attributes

Install_directory
%ProgramData%
install_file
VicToolsRuntime.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000D40000-0x0000000000D6C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VicToolsRuntime.lnk	VicTweaks.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VicToolsRuntime.lnk	VicTweaks.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	VicTweaks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	VicTweaks.exe
Token: SeDebugPrivilege	2552	VicTweaks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	VicTweaks.exe

C:\Users\Admin\AppData\Local\Temp\VicTweaks.exe
"C:\Users\Admin\AppData\Local\Temp\VicTweaks.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2552-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/2552-1-0x0000000000D40000-0x0000000000D6C000-memory.dmp

Filesize
176KB

Download
memory/2552-2-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-7-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/2552-8-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download