Overview

overview

10

Static

static

10

XWorm-5.6-....6.exe

windows11-21h2-x64

10

Resubmissions

02-10-2024 20:42

241002-zhgrrsvhql 10

02-10-2024 20:38

241002-zepm7syfng 10

02-10-2024 20:33

241002-zbv1tayeld 10

02-10-2024 20:28

241002-y9hbyaveml 10

Analysis

  • max time kernel
    198s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-10-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm-5.6-main/Xworm V5.6.exe

  • Size

    14.9MB

  • MD5

    56ccb739926a725e78a7acf9af52c4bb

  • SHA1

    5b01b90137871c3c8f0d04f510c4d56b23932cbc

  • SHA256

    90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

  • SHA512

    2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

  • SSDEEP

    196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

hcvUk5Zw9sQ6GgkF

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yj2hvasv\yj2hvasv.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CDE914F1817473DACDF5A8258D6F8F5.TMP"
        3⤵
          PID:1604
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:884
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4288
        • C:\Users\Admin\Downloads\XClient.exe
          "C:\Users\Admin\Downloads\XClient.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2356
        • C:\Users\Admin\Downloads\XClient.exe
          "C:\Users\Admin\Downloads\XClient.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES1E3C.tmp
          Filesize

          1KB

          MD5

          7f81d12b26cc6fad802c787c5ebcbea1

          SHA1

          4d36695feaf8e59cd0774cad192cb8aa1f5ae72c

          SHA256

          b91d1778185ccb1a861fd3dcd5ea8c584408cfbe2514a2a93175834b6182eb51

          SHA512

          429770722e5205c826d057fe438eac1e4359a0cab845156988ffe526e868985c4e8e2ad9fb4d8cbb6a475f6da91a3994839cf53d82da7e10bae4d5ce73c1a378

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vbc8CDE914F1817473DACDF5A8258D6F8F5.TMP
          Filesize

          1KB

          MD5

          d40c58bd46211e4ffcbfbdfac7c2bb69

          SHA1

          c5cf88224acc284a4e81bd612369f0e39f3ac604

          SHA256

          01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

          SHA512

          48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\yj2hvasv\yj2hvasv.0.vb
          Filesize

          78KB

          MD5

          23d5c7a9a00ae5c30c237e23edcbacec

          SHA1

          270f045b4840c609861d950a908a9d2a483d043b

          SHA256

          f391e625fdef58b02d2a45c994eb4de5cf9089a54c30878ae5eaf783ce6c423a

          SHA512

          9bc7f4b864d30793a9babe553168e82f1214a2745156643d44d94d4068ad492370bcd7cf0eb48415280ba2ead705845121636d7bb46ff0399743c7afcbb97eb5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\yj2hvasv\yj2hvasv.cmdline
          Filesize

          292B

          MD5

          fdecea4baff1656a939d9a578b4debb6

          SHA1

          e731891ebcc0313e2e150f6132887543d562c955

          SHA256

          340d6fcdc85c89b4ab87c158c847f197e45f23519cf65f120a56ae1c138b4458

          SHA512

          cb72e712b11d11b3f252c4fd27f47f58fd669c926b0f2edb0d4aa0e3a01303258a36b5744b356b2c71599d9718ee6e05b460a4e8e1005ee9ed10beb86e285099

          Download Submit

        • C:\Users\Admin\Downloads\XClient.exe
          Filesize

          39KB

          MD5

          27882544bd5a677e3a17cf3d6f4f48eb

          SHA1

          f6fc1a1fb69c15bb60421e344c2b4c3ebb9cb839

          SHA256

          0c17bdeaf875c4e07825c13d30537812e341296ab4f4a825cf8c53f7e62dac0b

          SHA512

          be6a83f209de56012fa93fecdbbec671d4788dfe8b7cd62de277a11f5571624fb76b296aee2cbca17bf6afe68789ac13ce0dc8362fb2c62095a1abe358dc68eb

          Download Submit

        • memory/1280-6-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-10-0x000001903F230000-0x000001903F276000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1280-7-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-8-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-9-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-12-0x0000019040210000-0x000001904021D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/1280-11-0x000001903EB50000-0x000001903EB59000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1280-14-0x0000019040240000-0x000001904024B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1280-13-0x0000019040220000-0x000001904023E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1280-0-0x00007FF953D93000-0x00007FF953D95000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1280-15-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-21-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-48-0x0000019047FA0000-0x0000019048108000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1280-5-0x00007FF953D93000-0x00007FF953D95000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1280-4-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-3-0x0000019040640000-0x0000019040834000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1280-2-0x00007FF953D90000-0x00007FF954852000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1280-1-0x00000190233A0000-0x0000019024288000-memory.dmp

          Filesize

          14.9MB

          Download

        • memory/2356-75-0x0000000000020000-0x0000000000030000-memory.dmp

          Filesize

          64KB

          Download