xworm | f5f9b6a5df5b89a5d9957fe2bf7e527ef7867e9f732c7d0162608de964fae4e5

Resubmissions

10-08-2024 06:35

240810-hcr7wazajm 10

10-08-2024 06:32

240810-hartbstcme 10

Analysis

max time kernel
146s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pregnant Spidergwen.PNG.exe
Size

159KB
MD5

573662a86adf71a8e3f89a3e78ce2330
SHA1

edba077cbc44df1e81d4cb1b5b7c1a2d71a63a32
SHA256

f5f9b6a5df5b89a5d9957fe2bf7e527ef7867e9f732c7d0162608de964fae4e5
SHA512

9f253f02485ba4f1053e8314ff46547cd26cf9ce4589548690e90e4e25dcf8e5ede468107f252ad45e27d177f4e28359437995ba155c219bcbad09caf466faee
SSDEEP

3072:75K491U+ccf7n8KNlmq1+QIexch+qW9Im9TqH+PSm:7191U+PDFCqtyhTWGm9Tq4

Score

10^/10

xworm evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4336-199-0x0000000000E10000-0x0000000000E1E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ab4c-7.dat	family_xworm
behavioral1/memory/4336-10-0x0000000000760000-0x00000000007D4000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	PNG.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe
892	powershell.exe
1516	powershell.exe
2860	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	PNG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	PNG.exe

Executes dropped EXE 4 IoCs

pid	Process
4336	PNG.exe
832	System User
2604	System User
204	System User

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	PNG.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
892	powershell.exe
892	powershell.exe
892	powershell.exe
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
4336	PNG.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	PNG.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeIncreaseQuotaPrivilege	2900	powershell.exe
Token: SeSecurityPrivilege	2900	powershell.exe
Token: SeTakeOwnershipPrivilege	2900	powershell.exe
Token: SeLoadDriverPrivilege	2900	powershell.exe
Token: SeSystemProfilePrivilege	2900	powershell.exe
Token: SeSystemtimePrivilege	2900	powershell.exe
Token: SeProfSingleProcessPrivilege	2900	powershell.exe
Token: SeIncBasePriorityPrivilege	2900	powershell.exe
Token: SeCreatePagefilePrivilege	2900	powershell.exe
Token: SeBackupPrivilege	2900	powershell.exe
Token: SeRestorePrivilege	2900	powershell.exe
Token: SeShutdownPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeSystemEnvironmentPrivilege	2900	powershell.exe
Token: SeRemoteShutdownPrivilege	2900	powershell.exe
Token: SeUndockPrivilege	2900	powershell.exe
Token: SeManageVolumePrivilege	2900	powershell.exe
Token: 33	2900	powershell.exe
Token: 34	2900	powershell.exe
Token: 35	2900	powershell.exe
Token: 36	2900	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeIncreaseQuotaPrivilege	892	powershell.exe
Token: SeSecurityPrivilege	892	powershell.exe
Token: SeTakeOwnershipPrivilege	892	powershell.exe
Token: SeLoadDriverPrivilege	892	powershell.exe
Token: SeSystemProfilePrivilege	892	powershell.exe
Token: SeSystemtimePrivilege	892	powershell.exe
Token: SeProfSingleProcessPrivilege	892	powershell.exe
Token: SeIncBasePriorityPrivilege	892	powershell.exe
Token: SeCreatePagefilePrivilege	892	powershell.exe
Token: SeBackupPrivilege	892	powershell.exe
Token: SeRestorePrivilege	892	powershell.exe
Token: SeShutdownPrivilege	892	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeSystemEnvironmentPrivilege	892	powershell.exe
Token: SeRemoteShutdownPrivilege	892	powershell.exe
Token: SeUndockPrivilege	892	powershell.exe
Token: SeManageVolumePrivilege	892	powershell.exe
Token: 33	892	powershell.exe
Token: 34	892	powershell.exe
Token: 35	892	powershell.exe
Token: 36	892	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeIncreaseQuotaPrivilege	1516	powershell.exe
Token: SeSecurityPrivilege	1516	powershell.exe
Token: SeTakeOwnershipPrivilege	1516	powershell.exe
Token: SeLoadDriverPrivilege	1516	powershell.exe
Token: SeSystemProfilePrivilege	1516	powershell.exe
Token: SeSystemtimePrivilege	1516	powershell.exe
Token: SeProfSingleProcessPrivilege	1516	powershell.exe
Token: SeIncBasePriorityPrivilege	1516	powershell.exe
Token: SeCreatePagefilePrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeRestorePrivilege	1516	powershell.exe
Token: SeShutdownPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeSystemEnvironmentPrivilege	1516	powershell.exe
Token: SeRemoteShutdownPrivilege	1516	powershell.exe
Token: SeUndockPrivilege	1516	powershell.exe
Token: SeManageVolumePrivilege	1516	powershell.exe
Token: 33	1516	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4336	PNG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4336	2800	Pregnant Spidergwen.PNG.exe	71
PID 2800 wrote to memory of 4336	2800	Pregnant Spidergwen.PNG.exe	71
PID 4336 wrote to memory of 2900	4336	PNG.exe	73
PID 4336 wrote to memory of 2900	4336	PNG.exe	73
PID 4336 wrote to memory of 892	4336	PNG.exe	76
PID 4336 wrote to memory of 892	4336	PNG.exe	76
PID 4336 wrote to memory of 1516	4336	PNG.exe	78
PID 4336 wrote to memory of 1516	4336	PNG.exe	78
PID 4336 wrote to memory of 2860	4336	PNG.exe	80
PID 4336 wrote to memory of 2860	4336	PNG.exe	80
PID 4336 wrote to memory of 2944	4336	PNG.exe	82
PID 4336 wrote to memory of 2944	4336	PNG.exe	82

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	PNG.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system	PNG.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Pregnant Spidergwen.PNG.exe
"C:\Users\Admin\AppData\Local\Temp\Pregnant Spidergwen.PNG.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\PNG.exe
  "C:\Users\Admin\AppData\Local\Temp\PNG.exe"
  2⤵
  - UAC bypass
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PNG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PNG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2944

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:832

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System User.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
627452cb3d187f8512319508b88d4043

SHA1
17322a4c7ec220b501a29cda59d8896b6b45cb1e

SHA256
53887a2a207b83aaf62a72babab36a0e7a5b46b78072ddf7c0bba636e5973570

SHA512
4516242a9d9089b24e7b818ddc050a12a306bf4d1ceb595301a4257ec98aca1499926f39d84e62667a0bdb46425105c1a6a5568e80ff56474dc8b346a65bb789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a0b5101d7bc79bbe087bf3910dd66dd

SHA1
7a5e8881e4f44ab594723e96b339115f00bbfb91

SHA256
a012dc89f9d105607953255d6c60cd3ec09b7e418a8c447080929de4be0471b7

SHA512
8dc28ac8c70188f14f97f1e9bdd8c1a90db24bfea28b4a6ebd4ca2c6aa9bbc08519e359d39315cea4a7d543c82db0da11f9729d644fbb50e235484b6bca16352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ffb87767c104742da681f568af619dfc

SHA1
87e0a7aba0040fd423bcc2330c3ce278e5efd15b

SHA256
79658a993959d87a7200a8a1511fec99c5023da358f179c212a031ce6d520b58

SHA512
defa8030491ecc5ce637c620aed7a7451f9834a40982401d2e91d3b7c227691368b0493bdec738b9de15065cdb997ab2f15c3988e1c48f1773df2a7c4cc8149c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PNG.exe

Filesize
437KB

MD5
3c21cd756c5f0ae7ac13dd21b086e53b

SHA1
4216831c140c537e19c9f66e845583f2231e2435

SHA256
aab3729408b3b167f77a291abdd6becd043066521880b911c5e29115cdebea04

SHA512
42d717e11b61fefc29e64d3b6a17eb97f7f67a8fde4a9f01f0f92ce647ba4d19e2e2aa68c9964023985678ec15427953d543f78fa4ee037971901244ba5da77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvxeilri.fiu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2800-9-0x00007FFA41660000-0x00007FFA4204C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-0-0x00007FFA41663000-0x00007FFA41664000-memory.dmp

Filesize
4KB

Download
memory/2800-193-0x00007FFA41660000-0x00007FFA4204C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-1-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/2900-20-0x00000202A8190000-0x00000202A8206000-memory.dmp

Filesize
472KB

Download
memory/2900-17-0x00000202A7D80000-0x00000202A7DA2000-memory.dmp

Filesize
136KB

Download
memory/4336-12-0x00007FFA41660000-0x00007FFA4204C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-11-0x00007FFA41660000-0x00007FFA4204C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-195-0x00007FFA41660000-0x00007FFA4204C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-196-0x00007FFA41660000-0x00007FFA4204C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-198-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

Filesize
48KB

Download
memory/4336-199-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/4336-10-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/4336-202-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/4336-203-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/4336-204-0x000000001B8B0000-0x000000001B960000-memory.dmp

Filesize
704KB

Download
memory/4336-206-0x000000001F840000-0x000000001FD66000-memory.dmp

Filesize
5.1MB

Download