xworm | b708ee49186388dc9f334877985ee25c2ade79aca53c710dad8ee458c2dd4e40

Analysis

max time kernel
127s
max time network
137s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmd.exe
Size

223KB
MD5

12982ac83ad56a6498cb35ac809a372d
SHA1

3f1d1b2ec2d8a66b5f34ca52bddf92f095ecbe1e
SHA256

b708ee49186388dc9f334877985ee25c2ade79aca53c710dad8ee458c2dd4e40
SHA512

93eb087005e04ae00fa4e50d45bded5f7867edb0d3b1a59bf912ec7c0a8d3eb9a8695c6fb97c6d4c2baf54323916456625e228ecfff42327c4083a037ff6749e
SSDEEP

3072:59nbq6SB3q+8BpxITV1nr/6ENVvncMxBJEHBAnpK37nX7880u5Q1tEPsY74tyJh1:e8BIHnr/6wtVx+8ecEPHE9o1r/Z

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

pIY7szY7mQ1Jy6Fv

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/AsXpMYtv

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2584-23-0x00000000002F0000-0x0000000000300000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe
3020	powershell.exe
1556	powershell.exe
1464	powershell.exe
2856	powershell.exe
2160	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08D439F05E7CC6A92305A91F0A6E046E.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08D439F05E7CC6A92305A91F0A6E046E.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2584	svchost.exe
1524	08D439F05E7CC6A92305A91F0A6E046E
2168	08D439F05E7CC6A92305A91F0A6E046E

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\08D439F05E7CC6A92305A91F0A6E046E = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08D439F05E7CC6A92305A91F0A6E046E"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2160	powershell.exe
2628	powershell.exe
3020	powershell.exe
1556	powershell.exe
1464	powershell.exe
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	cmd.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2584	svchost.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1524	08D439F05E7CC6A92305A91F0A6E046E
Token: SeDebugPrivilege	2168	08D439F05E7CC6A92305A91F0A6E046E

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2160	2716	cmd.exe	30
PID 2716 wrote to memory of 2160	2716	cmd.exe	30
PID 2716 wrote to memory of 2160	2716	cmd.exe	30
PID 2716 wrote to memory of 2628	2716	cmd.exe	32
PID 2716 wrote to memory of 2628	2716	cmd.exe	32
PID 2716 wrote to memory of 2628	2716	cmd.exe	32
PID 2524 wrote to memory of 2584	2524	taskeng.exe	35
PID 2524 wrote to memory of 2584	2524	taskeng.exe	35
PID 2524 wrote to memory of 2584	2524	taskeng.exe	35
PID 2584 wrote to memory of 3020	2584	svchost.exe	36
PID 2584 wrote to memory of 3020	2584	svchost.exe	36
PID 2584 wrote to memory of 3020	2584	svchost.exe	36
PID 2584 wrote to memory of 1556	2584	svchost.exe	38
PID 2584 wrote to memory of 1556	2584	svchost.exe	38
PID 2584 wrote to memory of 1556	2584	svchost.exe	38
PID 2584 wrote to memory of 1464	2584	svchost.exe	40
PID 2584 wrote to memory of 1464	2584	svchost.exe	40
PID 2584 wrote to memory of 1464	2584	svchost.exe	40
PID 2584 wrote to memory of 2856	2584	svchost.exe	42
PID 2584 wrote to memory of 2856	2584	svchost.exe	42
PID 2584 wrote to memory of 2856	2584	svchost.exe	42
PID 2584 wrote to memory of 356	2584	svchost.exe	44
PID 2584 wrote to memory of 356	2584	svchost.exe	44
PID 2584 wrote to memory of 356	2584	svchost.exe	44
PID 2524 wrote to memory of 1524	2524	taskeng.exe	46
PID 2524 wrote to memory of 1524	2524	taskeng.exe	46
PID 2524 wrote to memory of 1524	2524	taskeng.exe	46
PID 2524 wrote to memory of 2168	2524	taskeng.exe	47
PID 2524 wrote to memory of 2168	2524	taskeng.exe	47
PID 2524 wrote to memory of 2168	2524	taskeng.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

C:\Windows\system32\taskeng.exe
taskeng.exe {ABE1996A-19BE-4FF9-B91B-AB6D7BCE6ECC} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\08D439F05E7CC6A92305A91F0A6E046E'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '08D439F05E7CC6A92305A91F0A6E046E'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "08D439F05E7CC6A92305A91F0A6E046E" /tr "C:\Users\Admin\AppData\Local\Temp\08D439F05E7CC6A92305A91F0A6E046E"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:356
- C:\Users\Admin\AppData\Local\Temp\08D439F05E7CC6A92305A91F0A6E046E
  C:\Users\Admin\AppData\Local\Temp\08D439F05E7CC6A92305A91F0A6E046E
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\08D439F05E7CC6A92305A91F0A6E046E
  C:\Users\Admin\AppData\Local\Temp\08D439F05E7CC6A92305A91F0A6E046E
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
223KB

MD5
12982ac83ad56a6498cb35ac809a372d

SHA1
3f1d1b2ec2d8a66b5f34ca52bddf92f095ecbe1e

SHA256
b708ee49186388dc9f334877985ee25c2ade79aca53c710dad8ee458c2dd4e40

SHA512
93eb087005e04ae00fa4e50d45bded5f7867edb0d3b1a59bf912ec7c0a8d3eb9a8695c6fb97c6d4c2baf54323916456625e228ecfff42327c4083a037ff6749e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab3e5cdc5c049c6e940780af4bb1cbb1

SHA1
4d19776571c19468a1e92c9d6619ec2ab857e273

SHA256
512dfaedd7b2ae81b9be5b90ffe4b9e278d3a5eca8a5c362b8eebb1a6c05fb46

SHA512
671986e9386d1eb699fc2f6f9374a679638f7a54848d76dcdffc0e9be165287e407b339878014362ba8c78d7dc7325035cb332a582630fe383b9fec8f6c8a0a8

Download Submit
memory/1524-50-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/2160-7-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2160-8-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2160-6-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2168-53-0x0000000000810000-0x000000000084E000-memory.dmp

Filesize
248KB

Download
memory/2584-22-0x0000000000F10000-0x0000000000F4E000-memory.dmp

Filesize
248KB

Download
memory/2584-23-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2628-14-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2628-15-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2716-0-0x000007FEF60B3000-0x000007FEF60B4000-memory.dmp

Filesize
4KB

Download
memory/2716-18-0x000000001AD90000-0x000000001AE10000-memory.dmp

Filesize
512KB

Download
memory/2716-1-0x0000000000130000-0x000000000016E000-memory.dmp

Filesize
248KB

Download