xworm | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6

Analysis

max time kernel
126s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
Size

35.0MB
MD5

71a8a8297116bb9e6a527c82db38ae0c
SHA1

f42ad3f6636c5d987939033d9cb09b657fc2a76b
SHA256

b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6
SHA512

f84b9b160f6cbb5b1ad7947c0ebac7cc7b24d379b3136f7ffa6becfe3bfedcda2a7008779b25334b1572a9e6f6854ec727f57b493d913cbf59a33a90e4200db9
SSDEEP

786432:vkudQtsmW+e5RU2j6+s7LWB75zuk2q9TqyMeLBSQryklN:vjdQt9W+eHU2qHWB75ikfNNBShWN

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

heart-debian.gl.at.ply.gg:47573

Attributes

Install_directory
%AppData%
install_file
system32.exe
telegram
https://api.telegram.org/bot7458595634:AAEEmxZd7rBIYX3YZTRCO1t9uU7_yLyhcaw/sendMessage?chat_id=1473354298

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227f-2.dat	family_xworm
behavioral1/memory/2744-6-0x0000000001070000-0x000000000108A000-memory.dmp	family_xworm
behavioral1/memory/2004-334-0x0000000000BA0000-0x0000000000BBA000-memory.dmp	family_xworm
behavioral1/memory/880-337-0x0000000000BE0000-0x0000000000BFA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1520	powershell.exe
956	powershell.exe
1768	powershell.exe
3004	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk	DXXPRIVATE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk	DXXPRIVATE.exe

Executes dropped EXE 5 IoCs

pid	Process
2744	DXXPRIVATE.exe
2788	DXX SOFTS PRIVATE.exe
1904	DXX SOFTS PRIVATE.exe
2004	system32.exe
880	system32.exe

Loads dropped DLL 5 IoCs

pid	Process
2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
2728	Process not Found
2788	DXX SOFTS PRIVATE.exe
1904	DXX SOFTS PRIVATE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Roaming\\system32.exe"	DXXPRIVATE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000016d32-9.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3004	powershell.exe
1520	powershell.exe
956	powershell.exe
1768	powershell.exe
2744	DXXPRIVATE.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DXXPRIVATE.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2744	DXXPRIVATE.exe
Token: SeDebugPrivilege	2004	system32.exe
Token: SeDebugPrivilege	880	system32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	DXXPRIVATE.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2744	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	31
PID 2704 wrote to memory of 2744	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	31
PID 2704 wrote to memory of 2744	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	31
PID 2704 wrote to memory of 2744	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	31
PID 2704 wrote to memory of 2788	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	32
PID 2704 wrote to memory of 2788	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	32
PID 2704 wrote to memory of 2788	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	32
PID 2704 wrote to memory of 2788	2704	b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe	32
PID 2788 wrote to memory of 1904	2788	DXX SOFTS PRIVATE.exe	34
PID 2788 wrote to memory of 1904	2788	DXX SOFTS PRIVATE.exe	34
PID 2788 wrote to memory of 1904	2788	DXX SOFTS PRIVATE.exe	34
PID 2744 wrote to memory of 3004	2744	DXXPRIVATE.exe	36
PID 2744 wrote to memory of 3004	2744	DXXPRIVATE.exe	36
PID 2744 wrote to memory of 3004	2744	DXXPRIVATE.exe	36
PID 2744 wrote to memory of 1520	2744	DXXPRIVATE.exe	38
PID 2744 wrote to memory of 1520	2744	DXXPRIVATE.exe	38
PID 2744 wrote to memory of 1520	2744	DXXPRIVATE.exe	38
PID 2744 wrote to memory of 956	2744	DXXPRIVATE.exe	40
PID 2744 wrote to memory of 956	2744	DXXPRIVATE.exe	40
PID 2744 wrote to memory of 956	2744	DXXPRIVATE.exe	40
PID 2744 wrote to memory of 1768	2744	DXXPRIVATE.exe	42
PID 2744 wrote to memory of 1768	2744	DXXPRIVATE.exe	42
PID 2744 wrote to memory of 1768	2744	DXXPRIVATE.exe	42
PID 2744 wrote to memory of 1256	2744	DXXPRIVATE.exe	44
PID 2744 wrote to memory of 1256	2744	DXXPRIVATE.exe	44
PID 2744 wrote to memory of 1256	2744	DXXPRIVATE.exe	44
PID 2044 wrote to memory of 2004	2044	taskeng.exe	47
PID 2044 wrote to memory of 2004	2044	taskeng.exe	47
PID 2044 wrote to memory of 2004	2044	taskeng.exe	47
PID 2044 wrote to memory of 880	2044	taskeng.exe	48
PID 2044 wrote to memory of 880	2044	taskeng.exe	48
PID 2044 wrote to memory of 880	2044	taskeng.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
"C:\Users\Admin\AppData\Local\Temp\b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe
  "C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DXXPRIVATE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system32" /tr "C:\Users\Admin\AppData\Roaming\system32.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1256
- C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe
  "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe
    "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1904

C:\Windows\system32\taskeng.exe
taskeng.exe {4EBE3D75-3D36-4D53-A799-00AF27A40054} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\system32.exe
  C:\Users\Admin\AppData\Roaming\system32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Users\Admin\AppData\Roaming\system32.exe
  C:\Users\Admin\AppData\Roaming\system32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27882\python311.dll

Filesize
5.5MB

MD5
65e381a0b1bc05f71c139b0c7a5b8eb2

SHA1
7c4a3adf21ebcee5405288fc81fc4be75019d472

SHA256
53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

SHA512
4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WZJN0RJ7606YK5HPNR4Y.temp

Filesize
7KB

MD5
0e660ebe385cfad8c033c2e8a9d70e6a

SHA1
2a11275246e34ac45d803eaed30e3ab4ff1d8a7d

SHA256
c4611783945ba88c887e92a10caeceac56b1e21e9fea87d09f530dd5276c2b40

SHA512
20ce357f3963b41a12715f9e088ae43e1ff9d972ca502af5bc237d7fb67a3ca2ff7fde6259804341932a431f033fd2a2b65cd2d1f7eedb19c16006d550b22df0

Download Submit
\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe

Filesize
34.9MB

MD5
75d32588eb6d63a219979c4d426f6b24

SHA1
7418f040c081e3a3fa941da7b2596c53eb14e13f

SHA256
25d1dad3e5662b215e5b05f51db5e24714fdd2b5db9c424d7e11677be0c32808

SHA512
c3d20730fa5e4e5558b535069ea45df0d30638e49a33dff83662efd895ea519836291581b85f4b21ce84d2aece344a462ecb03cfb497fab9912a83f4f82d43e9

Download Submit
\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe

Filesize
77KB

MD5
0023d5028225136e000201652d675318

SHA1
2c0c6c975e263d88225916db67f4dff50c577380

SHA256
fc975db05fc20acc0c6bfefc517f9c54487857c0332877036408035a95677a68

SHA512
c842faccb9de56d38de1112799fb9bbead47fdbeaf70f1d0159dd0a6516b848040d33793163a1fbb6212fff8ad17925c67720c900c36b218cdd349a2dd08087f

Download Submit
memory/880-337-0x0000000000BE0000-0x0000000000BFA000-memory.dmp

Filesize
104KB

Download
memory/1520-173-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1520-174-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2004-334-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

Filesize
104KB

Download
memory/2704-12-0x0000000000400000-0x0000000002700000-memory.dmp

Filesize
35.0MB

Download
memory/2744-6-0x0000000001070000-0x000000000108A000-memory.dmp

Filesize
104KB

Download
memory/3004-167-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/3004-166-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download