xworm | ade95ea7502350ed28b57d9ebf4412e9e4530437301b1d34628ff7abcedc72f1

Resubmissions

23/07/2024, 16:39

240723-t53pvszakq 10

23/07/2024, 12:25

240723-pllj1sseje 10

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeee.exe
Size

56KB
MD5

0eeac71d0fbfcb23fe2d74e77cfe074e
SHA1

4d9254ab5a2d2f2e7e1d87183996e171528af40c
SHA256

ade95ea7502350ed28b57d9ebf4412e9e4530437301b1d34628ff7abcedc72f1
SHA512

bafbf53393005526330990ae40394786aeffe264da0a7862a8c3e325994169d46d3d0b93dba197dc03864874dd8cabae33a798c4534c7edb54c1b9255fc3d0bc
SSDEEP

1536:mgMGS24CfAEcae7d2/yKcpsb9lb6jeNMONzc5J:yMfi3dnpsb9qe2ONY5J

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

127.0.0.1:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1864-1-0x0000000000A10000-0x0000000000A24000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2704	powershell.exe
2492	powershell.exe
2796	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	eeee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	eeee.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2492	powershell.exe
2796	powershell.exe
2668	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	eeee.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1864	eeee.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2492	1864	eeee.exe	32
PID 1864 wrote to memory of 2492	1864	eeee.exe	32
PID 1864 wrote to memory of 2492	1864	eeee.exe	32
PID 1864 wrote to memory of 2796	1864	eeee.exe	34
PID 1864 wrote to memory of 2796	1864	eeee.exe	34
PID 1864 wrote to memory of 2796	1864	eeee.exe	34
PID 1864 wrote to memory of 2668	1864	eeee.exe	36
PID 1864 wrote to memory of 2668	1864	eeee.exe	36
PID 1864 wrote to memory of 2668	1864	eeee.exe	36
PID 1864 wrote to memory of 2704	1864	eeee.exe	38
PID 1864 wrote to memory of 2704	1864	eeee.exe	38
PID 1864 wrote to memory of 2704	1864	eeee.exe	38

C:\Users\Admin\AppData\Local\Temp\eeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeee.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eeee.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'eeee.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7992890adbffd575c83a3759621c88e8

SHA1
e70f51c82131776f7c26a82bcf7e098bb505168d

SHA256
86fb9ac68e3f379847aee5754facf66d2692a9d5951749a7acc87d6012e7bfb6

SHA512
fff9f66d37916df1847402f013242195b1b85e27e0544f512b9a0cf14d73b73781304e03983cd42dd5a6d233eef19748542a4c62d2604b42461cde7479771980

Download Submit
memory/1864-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/1864-1-0x0000000000A10000-0x0000000000A24000-memory.dmp

Filesize
80KB

Download
memory/1864-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-31-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/1864-32-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-7-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2492-8-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2492-9-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2796-15-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-16-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download