Analysis

  • max time kernel
    1188s
  • max time network
    1198s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 07:36

General

  • Target

    worm.exe

  • Size

    44KB

  • MD5

    c5582c5a0f4569e3bddd255f62081f3d

  • SHA1

    6714c1ccf695d9fbd4ef3c0a1b67fb63b5f96487

  • SHA256

    a71c8484a2a3d8f3cb4ec808e63123d5b2bc3df32a9dad5ade2786700687c1af

  • SHA512

    33aa4d2dcd3f89bf061e6e7aaff3dcd7d3c863707f0e3814ee17d94b0856531897d9494de7eb2bcc2d2f05934abeb7f29cc8fd9e00f3bd382cc57b3652abdc51

  • SSDEEP

    768:+/rBwm5VCiTqFaD0hrOols+qLYMBA+F+t9pf72b16iOChvbVLSJ:+/uQVCiTqMD0hr/beBRFw9Zqb16iOC5g

Malware Config

Extracted

Family

xworm

Version

5.0

C2

192.168.1.106:7000

193.114.128.233:7000

Mutex

YJuSg89ZuiLRg1IM

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 17 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 20 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\worm.exe
    "C:\Users\Admin\AppData\Local\Temp\worm.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\worm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'worm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1672
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {242BB0B7-3127-48D8-9B01-F7FC6244B7F9} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    1f9879629233dbeb06967d3414f0ff28

    SHA1

    58f48db1c747890d7ae3e3e6028fdf8a0dbc2c48

    SHA256

    68bad3a52f9c3e1f42c71bbf0301869bf5bb5406822c7957e000ea9070f773d2

    SHA512

    c1742a72b05d8f9c3a01e7818684655d053692f884a537b05b8f22b5f399a9aeab085b1c51aad8baf2f3ac936fd2a753f8d2975f06307e01016e9a7ba1462621

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    44KB

    MD5

    c5582c5a0f4569e3bddd255f62081f3d

    SHA1

    6714c1ccf695d9fbd4ef3c0a1b67fb63b5f96487

    SHA256

    a71c8484a2a3d8f3cb4ec808e63123d5b2bc3df32a9dad5ade2786700687c1af

    SHA512

    33aa4d2dcd3f89bf061e6e7aaff3dcd7d3c863707f0e3814ee17d94b0856531897d9494de7eb2bcc2d2f05934abeb7f29cc8fd9e00f3bd382cc57b3652abdc51

  • memory/584-39-0x0000000000120000-0x0000000000132000-memory.dmp

    Filesize

    72KB

  • memory/752-69-0x0000000001210000-0x0000000001222000-memory.dmp

    Filesize

    72KB

  • memory/1204-47-0x00000000009C0000-0x00000000009D2000-memory.dmp

    Filesize

    72KB

  • memory/1488-64-0x0000000000230000-0x0000000000242000-memory.dmp

    Filesize

    72KB

  • memory/1772-45-0x0000000000870000-0x0000000000882000-memory.dmp

    Filesize

    72KB

  • memory/1852-49-0x00000000003D0000-0x00000000003E2000-memory.dmp

    Filesize

    72KB

  • memory/1904-36-0x0000000000210000-0x0000000000222000-memory.dmp

    Filesize

    72KB

  • memory/1956-66-0x0000000000A30000-0x0000000000A42000-memory.dmp

    Filesize

    72KB

  • memory/1976-27-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

    Filesize

    4KB

  • memory/1976-32-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

    Filesize

    9.9MB

  • memory/1976-2-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

    Filesize

    9.9MB

  • memory/1976-1-0x0000000000930000-0x0000000000942000-memory.dmp

    Filesize

    72KB

  • memory/1976-0-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

    Filesize

    4KB

  • memory/2164-41-0x0000000000A80000-0x0000000000A92000-memory.dmp

    Filesize

    72KB

  • memory/2412-59-0x0000000000AF0000-0x0000000000B02000-memory.dmp

    Filesize

    72KB

  • memory/2608-43-0x0000000000030000-0x0000000000042000-memory.dmp

    Filesize

    72KB

  • memory/2660-56-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

    Filesize

    72KB

  • memory/2720-16-0x0000000002A60000-0x0000000002A68000-memory.dmp

    Filesize

    32KB

  • memory/2720-15-0x000000001B4A0000-0x000000001B782000-memory.dmp

    Filesize

    2.9MB

  • memory/2820-51-0x00000000010F0000-0x0000000001102000-memory.dmp

    Filesize

    72KB

  • memory/2888-8-0x000000001B4B0000-0x000000001B792000-memory.dmp

    Filesize

    2.9MB

  • memory/2888-7-0x0000000001BB0000-0x0000000001C30000-memory.dmp

    Filesize

    512KB

  • memory/2888-9-0x0000000002010000-0x0000000002018000-memory.dmp

    Filesize

    32KB

  • memory/3012-54-0x00000000001E0000-0x00000000001F2000-memory.dmp

    Filesize

    72KB

  • memory/3020-61-0x00000000011F0000-0x0000000001202000-memory.dmp

    Filesize

    72KB