xworm | c6bbc1ad606b87a1dbaf549ec82f321a21dd38f2f1357379afc988f3ec1ffb49

Analysis

max time kernel
63s
max time network
22s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-07-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df.exe
Size

41KB
MD5

afaf1c9ead744f15ce545ee3695d3836
SHA1

01815f63bc7bac3f2ae3645eb8e1e848b57a1195
SHA256

c6bbc1ad606b87a1dbaf549ec82f321a21dd38f2f1357379afc988f3ec1ffb49
SHA512

bcd6169039743a223795e7768cba1cb2073bbb0ced57adc7edb2fa588a3f5d4080005fd741a63b049e796dd40342047461b7e12f96b5793bc214004a8b22f3a8
SSDEEP

768:PbmspVWP24S4mg4SjeMNu0Rpj9liAsQhLOewo1SR:PB8NTj9lh1OkMR

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

2.2

increased-wage.gl.at.ply.gg :9707

Mutex

ItxCSE4oSaJ1LumC

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4388-1-0x0000000000070000-0x0000000000080000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\df.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 1 IoCs

Processes:

df.exe

pid process

2640 df.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2724 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

df.exedf.exe

description pid process

Token: SeDebugPrivilege 4388 df.exe
Token: SeDebugPrivilege 2640 df.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

df.exe

description pid process target process

PID 4388 wrote to memory of 2724 4388 df.exe schtasks.exe
PID 4388 wrote to memory of 2724 4388 df.exe schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

pid	process
2640	df.exe

pid	process
2724	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4388	df.exe
Token: SeDebugPrivilege	2640	df.exe

description	pid	process	target process
PID 4388 wrote to memory of 2724	4388	df.exe	schtasks.exe
PID 4388 wrote to memory of 2724	4388	df.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\df.exe
"C:\Users\Admin\AppData\Local\Temp\df.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "df" /tr "C:\Users\Admin\AppData\Roaming\df.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Users\Admin\AppData\Roaming\df.exe
C:\Users\Admin\AppData\Roaming\df.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\df.exe

Filesize
41KB

MD5
afaf1c9ead744f15ce545ee3695d3836

SHA1
01815f63bc7bac3f2ae3645eb8e1e848b57a1195

SHA256
c6bbc1ad606b87a1dbaf549ec82f321a21dd38f2f1357379afc988f3ec1ffb49

SHA512
bcd6169039743a223795e7768cba1cb2073bbb0ced57adc7edb2fa588a3f5d4080005fd741a63b049e796dd40342047461b7e12f96b5793bc214004a8b22f3a8

Download Submit
memory/2640-8-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-10-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-0-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp

Filesize
4KB

Download
memory/4388-1-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/4388-3-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-4-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp

Filesize
4KB

Download
memory/4388-5-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download