Overview

overview

10

Static

static

10

XWorm V5.2....2.exe

windows7-x64

10

XWorm V5.2....2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    361s
  • max time network
    604s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2024 18:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm V5.2/XWorm V5.2.exe

  • Size

    73KB

  • MD5

    b85f72648cf99409357519725c9bd5fc

  • SHA1

    de3b9162632a96c4a3ac27da6663399a0d393910

  • SHA256

    b06d089bd5be63788ef530ff1f93216625aa66d1d811f9ec3f2892268b656011

  • SHA512

    4569a7a710ea4226dc81b6d158cabae1dd0e5452d5847e5d29d68efa0e2572092c19c9887c5a8498acb78dd2c961bb1d72750e671ff89de0ce2c0b6922292804

  • SSDEEP

    1536:jqst7fwnejh7pHWpUhFYdsTudTb42WKvCBXH3KyuJG6JyORxaE1QHK:jBFZ7pWpHmWTb42NCXRu7yORoEyHK

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWorm V5.2.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWorm V5.2.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWorm V5.2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2456
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
      2⤵
        PID:2872
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DAA.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2132
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {FDA6AA97-9796-4AD7-A9FE-5140E028453E} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\ProgramData\svchost.exe
        C:\ProgramData\svchost.exe
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2144
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:956
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:892
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1116
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\svchost.exe
      Filesize

      73KB

      MD5

      b85f72648cf99409357519725c9bd5fc

      SHA1

      de3b9162632a96c4a3ac27da6663399a0d393910

      SHA256

      b06d089bd5be63788ef530ff1f93216625aa66d1d811f9ec3f2892268b656011

      SHA512

      4569a7a710ea4226dc81b6d158cabae1dd0e5452d5847e5d29d68efa0e2572092c19c9887c5a8498acb78dd2c961bb1d72750e671ff89de0ce2c0b6922292804

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp5DAA.tmp.bat
      Filesize

      173B

      MD5

      abca370ebf94f4a505a0bb376fb254d0

      SHA1

      b11c714712e025950ddc8d1d271f4f9bd5b0fced

      SHA256

      f55b6b94711340bb4603459cd34c86fd04318c2c8a89ceb970595ed1c759e19e

      SHA512

      841918abb731fb39c897a8d37adbac5c126675ba832bbc781a4ae135cf1bfc73a90517f7beea48efc6dabb685a041a6f634f1513f39a5fd2ae2106771e2a498c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      bfd94c9bc61f5f1267e0f44dea3820e6

      SHA1

      3b96900967e5a7215884c9eb66cd0456d08e5658

      SHA256

      e2fe1155812ef4af7d4e03e08a2e4b526b02c26d8d1f81bd9a5ba97490a538e1

      SHA512

      c55d65b09c703161f81252da83a1268e7cea7c7e739cfa07fc42ae0986385efc020ed3d5031ef8a3e15d576b5bca6d23b98617e416e0917f02ade27d6c44ac0e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      2ead4730be21afe95d82cb3c2caba064

      SHA1

      dd97c799d72c7bf78df0feae376659c27b23597a

      SHA256

      c2e31cefae4dd182c545cee65361cb85e8cb8013100a90fb640471368448e241

      SHA512

      293f09e253bec0cc3d4e301f7bdca2fa0eaf826ebb835c73480cc7a4e2caddd55423b1c4df7e0c91030c13462256604bf128a3ffc964197925cab35de64a8020

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • memory/1608-7-0x0000000002670000-0x00000000026F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1608-8-0x000000001B340000-0x000000001B622000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1608-9-0x0000000002460000-0x0000000002468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1896-36-0x0000000001220000-0x0000000001238000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2488-17-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2488-29-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2488-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2488-47-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2488-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2488-1-0x0000000001300000-0x0000000001318000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2676-16-0x0000000001F50000-0x0000000001F58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2676-15-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

      Filesize

      2.9MB

      Download