xworm | ee75d0a55a2e0c16ab8d9b7e732b1e1532b5ef699889632637c7ea41b75d6027

Analysis

max time kernel
41s
max time network
41s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PanelExecutorV11.exe_bound.exe
Size

196KB
MD5

383c7f9f75adf2764857393fbf1f21e3
SHA1

cf6f36d1fe32d2e584c64cc191324385d6944766
SHA256

ee75d0a55a2e0c16ab8d9b7e732b1e1532b5ef699889632637c7ea41b75d6027
SHA512

9d9efd77f4a3aa4663bc3568077e76bb11791e20bebd3ef6d83155b3045936d430651b839e6f498bae937b3af8c5a07a64876a9ba043043c8dd3856004c367ba
SSDEEP

3072:dsWe7t0jzKDDeJIdUEBaFwBGDT2ybboZPs1MoUD+N5GPKLi1dgj:2nlnPdpaFwBGDKybb4PUUDW5GPn/

Score

10^/10

xworm evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

192.168.100.28:7777

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1400-23-0x00000000004D0000-0x00000000004EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
2532	powershell.exe
2344	powershell.exe
2988	powershell.exe
2112	powershell.exe
2768	powershell.exe
2964	powershell.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PanelExecutorV10.lnk	PanelExecutorV11.exe_bound.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PanelExecutorV10.lnk	PanelExecutorV11.exe_bound.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\PanelExecutorV10 = "C:\\ProgramData\\PanelExecutorV10"	PanelExecutorV11.exe_bound.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2768	powershell.exe
2964	powershell.exe
2716	powershell.exe
2532	powershell.exe
2344	powershell.exe
2988	powershell.exe
2112	powershell.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe
1400	PanelExecutorV11.exe_bound.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	PanelExecutorV11.exe_bound.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1400	PanelExecutorV11.exe_bound.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1400	PanelExecutorV11.exe_bound.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2768	1400	PanelExecutorV11.exe_bound.exe	30
PID 1400 wrote to memory of 2768	1400	PanelExecutorV11.exe_bound.exe	30
PID 1400 wrote to memory of 2768	1400	PanelExecutorV11.exe_bound.exe	30
PID 1400 wrote to memory of 2964	1400	PanelExecutorV11.exe_bound.exe	32
PID 1400 wrote to memory of 2964	1400	PanelExecutorV11.exe_bound.exe	32
PID 1400 wrote to memory of 2964	1400	PanelExecutorV11.exe_bound.exe	32
PID 1400 wrote to memory of 2716	1400	PanelExecutorV11.exe_bound.exe	34
PID 1400 wrote to memory of 2716	1400	PanelExecutorV11.exe_bound.exe	34
PID 1400 wrote to memory of 2716	1400	PanelExecutorV11.exe_bound.exe	34
PID 1400 wrote to memory of 2744	1400	PanelExecutorV11.exe_bound.exe	36
PID 1400 wrote to memory of 2744	1400	PanelExecutorV11.exe_bound.exe	36
PID 1400 wrote to memory of 2744	1400	PanelExecutorV11.exe_bound.exe	36
PID 1400 wrote to memory of 2532	1400	PanelExecutorV11.exe_bound.exe	38
PID 1400 wrote to memory of 2532	1400	PanelExecutorV11.exe_bound.exe	38
PID 1400 wrote to memory of 2532	1400	PanelExecutorV11.exe_bound.exe	38
PID 1400 wrote to memory of 2344	1400	PanelExecutorV11.exe_bound.exe	40
PID 1400 wrote to memory of 2344	1400	PanelExecutorV11.exe_bound.exe	40
PID 1400 wrote to memory of 2344	1400	PanelExecutorV11.exe_bound.exe	40
PID 1400 wrote to memory of 2988	1400	PanelExecutorV11.exe_bound.exe	42
PID 1400 wrote to memory of 2988	1400	PanelExecutorV11.exe_bound.exe	42
PID 1400 wrote to memory of 2988	1400	PanelExecutorV11.exe_bound.exe	42
PID 1400 wrote to memory of 2112	1400	PanelExecutorV11.exe_bound.exe	44
PID 1400 wrote to memory of 2112	1400	PanelExecutorV11.exe_bound.exe	44
PID 1400 wrote to memory of 2112	1400	PanelExecutorV11.exe_bound.exe	44
PID 1400 wrote to memory of 1944	1400	PanelExecutorV11.exe_bound.exe	46
PID 1400 wrote to memory of 1944	1400	PanelExecutorV11.exe_bound.exe	46
PID 1400 wrote to memory of 1944	1400	PanelExecutorV11.exe_bound.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PanelExecutorV11.exe_bound.exe
"C:\Users\Admin\AppData\Local\Temp\PanelExecutorV11.exe_bound.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PanelExecutorV11.exe_bound.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PanelExecutorV11.exe_bound.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\PanelExecutorV11.exe_bound.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "PanelExecutorV11.exe_bound" /tr "C:\ProgramData\PanelExecutorV11.exe_bound.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PanelExecutorV11.exe_bound.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PanelExecutorV11.exe_bound.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\PanelExecutorV10'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PanelExecutorV10'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PanelExecutorV10" /tr "C:\ProgramData\PanelExecutorV10"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
64df826e855bba4a89f2938af51c551a

SHA1
caea820d08fa1a3b5d30882d7fd4471b52431dbc

SHA256
35f1ca6d7e54fb344ba4bdbdae52356d4523ffb47d558020736ef7ef586b170f

SHA512
a3becb405427e3a6436bef4aaf0aabc6905549ecfe931c2da9019d11e18cdd730fd068f36a25265b781770251bfed86270f8b9bca9d5fb3fc80621588191faf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3561ee54231ef5edc1301c6456ed4636

SHA1
075ee7072eecf3c0410833b0574bac4f4e5f261a

SHA256
c48d2e111bea40566d0c9d5d7ca7801dfbc0d6ec9aee4448f8c00d1af8dcf20b

SHA512
560d5f8e42bf74146fe06e17819ecfe15a5d6b6eee20f4f4d334f45777546dac8924f479ec576038139768f0c6470e97f3cd87a0b9c5b558d5abe62a3ed55d90

Download Submit
memory/1400-23-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/1400-0-0x000007FEF68F3000-0x000007FEF68F4000-memory.dmp

Filesize
4KB

Download
memory/1400-2-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-1-0x0000000000FB0000-0x0000000000FD0000-memory.dmp

Filesize
128KB

Download
memory/1400-49-0x000007FEF68F3000-0x000007FEF68F4000-memory.dmp

Filesize
4KB

Download
memory/1400-57-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-8-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2768-9-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2768-7-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2964-15-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2964-16-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download