xworm | d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336

Resubmissions

22/07/2024, 15:24

240722-stfwaavfjp 10

22/07/2024, 15:11

240722-skn6asvclk 10

Analysis

max time kernel
102s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 15:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

InspectedSetupFreeV1.3.exe
Size

100KB
MD5

32fc084c514fdd90340e84c95dd1b1d0
SHA1

c216536523a116d7797211f82f46b7c736871962
SHA256

d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336
SHA512

a254b4048e11c95fd4676eb976901805c2ca82adb7caaac5ec0d83e089394a2abb04d109c3c95aee9a4500dded124c3e999cf31e57758f5c59b070a432c1eae3
SSDEEP

3072:z0GvrRmy5wl9za2BL905Ft1zcYQ9jmoUZ:IGvr5wlFp9059zcYQY

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Valdemar-21441.portmap.host:21441

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014132-5.dat	family_xworm
behavioral1/memory/2440-8-0x0000000000D60000-0x0000000000D7C000-memory.dmp	family_xworm
behavioral1/memory/1716-46-0x0000000000A20000-0x0000000000A3C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe
2604	powershell.exe
1612	powershell.exe
1504	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	FreeInspectedSetupV1.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	FreeInspectedSetupV1.3.exe

Executes dropped EXE 3 IoCs

pid	Process
2440	FreeInspectedSetupV1.3.exe
1716	XClient.exe
2716	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	FreeInspectedSetupV1.3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2272	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2440	FreeInspectedSetupV1.3.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2604	powershell.exe
1612	powershell.exe
1504	powershell.exe
2216	powershell.exe
2440	FreeInspectedSetupV1.3.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	FreeInspectedSetupV1.3.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2440	FreeInspectedSetupV1.3.exe
Token: SeDebugPrivilege	1716	XClient.exe
Token: SeDebugPrivilege	2716	XClient.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2680	AcroRd32.exe
2680	AcroRd32.exe
2440	FreeInspectedSetupV1.3.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2440	2388	InspectedSetupFreeV1.3.exe	29
PID 2388 wrote to memory of 2440	2388	InspectedSetupFreeV1.3.exe	29
PID 2388 wrote to memory of 2440	2388	InspectedSetupFreeV1.3.exe	29
PID 2388 wrote to memory of 2856	2388	InspectedSetupFreeV1.3.exe	30
PID 2388 wrote to memory of 2856	2388	InspectedSetupFreeV1.3.exe	30
PID 2388 wrote to memory of 2856	2388	InspectedSetupFreeV1.3.exe	30
PID 2440 wrote to memory of 2604	2440	FreeInspectedSetupV1.3.exe	32
PID 2440 wrote to memory of 2604	2440	FreeInspectedSetupV1.3.exe	32
PID 2440 wrote to memory of 2604	2440	FreeInspectedSetupV1.3.exe	32
PID 2856 wrote to memory of 2680	2856	rundll32.exe	34
PID 2856 wrote to memory of 2680	2856	rundll32.exe	34
PID 2856 wrote to memory of 2680	2856	rundll32.exe	34
PID 2856 wrote to memory of 2680	2856	rundll32.exe	34
PID 2440 wrote to memory of 1612	2440	FreeInspectedSetupV1.3.exe	35
PID 2440 wrote to memory of 1612	2440	FreeInspectedSetupV1.3.exe	35
PID 2440 wrote to memory of 1612	2440	FreeInspectedSetupV1.3.exe	35
PID 2440 wrote to memory of 1504	2440	FreeInspectedSetupV1.3.exe	38
PID 2440 wrote to memory of 1504	2440	FreeInspectedSetupV1.3.exe	38
PID 2440 wrote to memory of 1504	2440	FreeInspectedSetupV1.3.exe	38
PID 2440 wrote to memory of 2216	2440	FreeInspectedSetupV1.3.exe	40
PID 2440 wrote to memory of 2216	2440	FreeInspectedSetupV1.3.exe	40
PID 2440 wrote to memory of 2216	2440	FreeInspectedSetupV1.3.exe	40
PID 2440 wrote to memory of 2272	2440	FreeInspectedSetupV1.3.exe	42
PID 2440 wrote to memory of 2272	2440	FreeInspectedSetupV1.3.exe	42
PID 2440 wrote to memory of 2272	2440	FreeInspectedSetupV1.3.exe	42
PID 2496 wrote to memory of 1716	2496	taskeng.exe	45
PID 2496 wrote to memory of 1716	2496	taskeng.exe	45
PID 2496 wrote to memory of 1716	2496	taskeng.exe	45
PID 2496 wrote to memory of 2716	2496	taskeng.exe	46
PID 2496 wrote to memory of 2716	2496	taskeng.exe	46
PID 2496 wrote to memory of 2716	2496	taskeng.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\InspectedSetupFreeV1.3.exe
"C:\Users\Admin\AppData\Local\Temp\InspectedSetupFreeV1.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe
  "C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FreeInspectedSetupV1.3.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2272
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\INSPECTEDfree.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\INSPECTEDfree.py"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2680

C:\Windows\system32\taskeng.exe
taskeng.exe {7ADC77E7-359F-4AB3-80B2-81D7B6EE6A4E} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FreeInspectedSetupV1.3.exe

Filesize
84KB

MD5
8c00a8c46310ee271e576695f6cafb6b

SHA1
34b7cd31b3f93ae18ad6d9c3fb8a2e7936a0cd42

SHA256
d175d2e76884e1b7fd54372240887f05816e5dacc6d45fdefd377eb6fe6f8a64

SHA512
5334758f59968f02e2ecda3d481e3596a34adee5bd059ef5cf483e546e14729654c4398b1e5ec8ac452803be31a513e2b88bd76995d4badf5869fea3bb363f46

Download Submit
C:\Users\Admin\AppData\Roaming\INSPECTEDfree.py

Filesize
6KB

MD5
8e7c31442c74161f512d84d8eaa53bec

SHA1
7f3e23999f9266420006c92913d3e8bf97f388e1

SHA256
b318ea280d72d060c0d12a279d964f46a52db202870b47f32ba41a5f046169c2

SHA512
0acf6f412345a82cbcbe4da79fc040b0d2f4af9b2beae2ad19a37b75645e60ebceac8f1aa548baf6ecef3d337686e705934ca820fdc15d160b3ff3d7836227fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ecf50f762887f45ba62bebe408d1211b

SHA1
719327b00ff590f3924137144b61cac8e6eefea0

SHA256
a5648a94e3125e00aaa9412ea8fa8168d4b51ccc26c4978f12a669052d9a84fa

SHA512
380c8a67322244436374f0ad0ec8b40ce1c53918c9f6131999dcbda84afb8b36fa2374ff6fa4a82510d79d7d632782dd2017c9684ed7a97c50ae78081c1cb5f2

Download Submit
memory/1504-31-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1504-30-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1612-21-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/1612-22-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1716-46-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2388-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x0000000000DB0000-0x0000000000DD0000-memory.dmp

Filesize
128KB

Download
memory/2440-9-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-8-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download
memory/2440-41-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-42-0x000000001B260000-0x000000001B26C000-memory.dmp

Filesize
48KB

Download
memory/2604-15-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2604-14-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download