xworm | 0490ba3773fed7d43bc0286755a20a174b2b40d0008d6657229e1a92c631c21e

Analysis

max time kernel
112s
max time network
109s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 00:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bro wtf.exe
Size

54KB
MD5

a02c5e4bd6c0251fd888ad72d0a9fd3f
SHA1

4efdaa0e9b8832306d19d90b1ccca65a7ddc8750
SHA256

0490ba3773fed7d43bc0286755a20a174b2b40d0008d6657229e1a92c631c21e
SHA512

6b6c876f5c67d32a700063e2493b18e5c8082ba2f53dc080576fe4cc8904181e025b555f7b7d0dd7b6a28c83561f2945c6b9b878cbafdd152433359533d8cb8b
SSDEEP

768:8IulzjLvthS+q1gFEWKr1K58nUdE3Wp8wVl8Su0kbKf6KAylN8Il/OaOhWnrUI:FAfe1keKNO3WdL80kb06KfNLBOaOowI

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Phnxss-27839.portmap.host:27839

Attributes

Install_directory
%Userprofile%
install_file
Windows Security Notification.exe
telegram
https://api.telegram.org/bot7358011073:AAGdUduenjLHLDVW3OYWkXisH68mtspgA2Y/sendMessage?chat_id=6860608587

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1480-1-0x00000000002B0000-0x00000000002C4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Deletes itself 1 IoCs

pid	Process
1176	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Notification.lnk	bro wtf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Notification.lnk	bro wtf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Notification = "C:\\Users\\Admin\\Windows Security Notification.exe"	bro wtf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
656	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	bro wtf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1176	1480	bro wtf.exe	30
PID 1480 wrote to memory of 1176	1480	bro wtf.exe	30
PID 1480 wrote to memory of 1176	1480	bro wtf.exe	30
PID 1176 wrote to memory of 656	1176	cmd.exe	32
PID 1176 wrote to memory of 656	1176	cmd.exe	32
PID 1176 wrote to memory of 656	1176	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\bro wtf.exe
"C:\Users\Admin\AppData\Local\Temp\bro wtf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B06.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2B06.tmp.bat

Filesize
159B

MD5
33eaf37e6b25c4bece971465b75629c4

SHA1
38302b24b4d8a7f78e3c1d396c71923987ef892f

SHA256
8722fd478c143e173667f23664bd92971fb09c483114e1ace26445eb3f08bd1e

SHA512
eecd5bdb4fa53ee48ce077d317faaae61a6b1f940174fb82b6d3c0f9295939dfb114f96e8182c7dafda91d75ec15b18d41834c8404acb8d5bfe2da83e9912fce

Download Submit
memory/1480-0-0x000007FEF6203000-0x000007FEF6204000-memory.dmp

Filesize
4KB

Download
memory/1480-1-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1480-6-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download
memory/1480-7-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download
memory/1480-20-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads