Analysis

  • max time kernel
    121s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-09-2024 14:06

General

  • Target

    XWORM-V5.4.exe

  • Size

    14.2MB

  • MD5

    741b1f2ee5826897af2ba2ec765296e4

  • SHA1

    706534d9c6a16354974b3b6fd6d1f620524b7dd1

  • SHA256

    0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d

  • SHA512

    a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a

  • SSDEEP

    196608:q1X5v7sGYYHDZH3OrlZPtgLklkC9sSJP/rSzQHvWSpdUorPr/kvmXhJ9aCD:qHqDVgV+9kQH+SfLdrnD

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.26.197:7000

Mutex

9nYi5R05H806aXaO

Attributes
  • Install_directory

    %AppData%

  • install_file

    VLC_Media.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWORM-V5.4.exe
    "C:\Users\Admin\AppData\Local\Temp\XWORM-V5.4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2916 -s 664
        3⤵
          PID:2944
      • C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe
        "C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3020


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe

      Filesize

      176KB

      MD5

      a9376f54dd83bf547f6188f8904ae3af

      SHA1

      85bb802b0ade5b2136c83e6217a2aaace3735edc

      SHA256

      44661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17

      SHA512

      71a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9

    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe

      Filesize

      13.8MB

      MD5

      efb0528d6978337e964d999dacb621df

      SHA1

      244979b8495d3d173a4359d62ad771f99a0033fc

      SHA256

      4786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491

      SHA512

      4b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df

    • C:\Users\Admin\AppData\Local\Temp\ogpXG\ogpXG.dll

      Filesize

      112KB

      MD5

      2f1a50031dcf5c87d92e8b2491fdcea6

      SHA1

      71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

      SHA256

      47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

      SHA512

      1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      51a527b50e7c48ee8bf72fcb90c32573

      SHA1

      9605b84dea6414fa5fdd1dddd64ec351159c28f9

      SHA256

      03f1c566eb1bcf49d899c9f56a5f0879aa2c1ec4a90c5b54ad1660fc8b47735b

      SHA512

      aa5fc3dbcdf83a4a7172f54a4c69e19e91f737ad914a9d427e4426ad8cee7f9ca944094862b6aee7e0a9d1f94e46103cec06ee6b6eb1fbfadea72128f779c261

    • memory/2112-13-0x00000000013E0000-0x0000000001412000-memory.dmp

      Filesize

      200KB

    • memory/2368-1-0x0000000001320000-0x0000000002150000-memory.dmp

      Filesize

      14.2MB

    • memory/2368-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

      Filesize

      4KB

    • memory/2652-33-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

      Filesize

      2.9MB

    • memory/2652-34-0x0000000002B00000-0x0000000002B08000-memory.dmp

      Filesize

      32KB

    • memory/2656-26-0x000000001B650000-0x000000001B932000-memory.dmp

      Filesize

      2.9MB

    • memory/2656-27-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

    • memory/2916-11-0x0000000001260000-0x0000000002040000-memory.dmp

      Filesize

      13.9MB

    • memory/2916-21-0x000000001CEE0000-0x000000001DACE000-memory.dmp

      Filesize

      11.9MB

    • memory/2916-14-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

      Filesize

      9.9MB

    • memory/2916-51-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

      Filesize

      9.9MB