xworm | 11663edd452b775ef1547956aae32121b71d0fbd235f7a926ad0932fa4243e5c

Analysis

max time kernel
139s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
Size

5.3MB
MD5

41142f7b082b159c08fccab6be1378b1
SHA1

0be691768a797e4585535d7c8411097565da7305
SHA256

11663edd452b775ef1547956aae32121b71d0fbd235f7a926ad0932fa4243e5c
SHA512

1709ff4363ef253bc35eaac6196cd85c209052e5d73666556879e719e9ab779cb7c46e14cd6241dcebd98d6774ab9523f14753b3d7a36ad85f1f23f63c4f127b
SSDEEP

49152:i/u5iFq3MEwoDEAy7AfOU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:5OU/jIEeQfoR/IuOFVjUu5

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

192.168.68.1:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 11 IoCs

resource	yara_rule
behavioral1/memory/2036-14-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/2036-13-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/2036-15-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/files/0x0007000000012117-23.dat	family_xworm
behavioral1/memory/2552-40-0x0000000000E80000-0x0000000000E9C000-memory.dmp	family_xworm
behavioral1/memory/1804-50-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/2176-59-0x0000000000890000-0x00000000008AC000-memory.dmp	family_xworm
behavioral1/memory/1804-136-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/1804-137-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/1804-138-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/1804-168-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
2552	._cache_2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
2592	Synaptics.exe
1804	Synaptics.exe
2176	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
1804	Synaptics.exe
1804	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2592 set thread context of 1804	2592	Synaptics.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1460	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	._cache_2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
Token: SeDebugPrivilege	2176	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2392 wrote to memory of 2036	2392	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	31
PID 2036 wrote to memory of 2552	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	32
PID 2036 wrote to memory of 2552	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	32
PID 2036 wrote to memory of 2552	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	32
PID 2036 wrote to memory of 2552	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	32
PID 2036 wrote to memory of 2592	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	33
PID 2036 wrote to memory of 2592	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	33
PID 2036 wrote to memory of 2592	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	33
PID 2036 wrote to memory of 2592	2036	2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe	33
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 2592 wrote to memory of 1804	2592	Synaptics.exe	34
PID 1804 wrote to memory of 2176	1804	Synaptics.exe	35
PID 1804 wrote to memory of 2176	1804	Synaptics.exe	35
PID 1804 wrote to memory of 2176	1804	Synaptics.exe	35
PID 1804 wrote to memory of 2176	1804	Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.3MB

MD5
41142f7b082b159c08fccab6be1378b1

SHA1
0be691768a797e4585535d7c8411097565da7305

SHA256
11663edd452b775ef1547956aae32121b71d0fbd235f7a926ad0932fa4243e5c

SHA512
1709ff4363ef253bc35eaac6196cd85c209052e5d73666556879e719e9ab779cb7c46e14cd6241dcebd98d6774ab9523f14753b3d7a36ad85f1f23f63c4f127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader.exe

Filesize
84KB

MD5
1a3d5746f15e741761a3704a7ff2ff7c

SHA1
5e1df3c61ed0fc213c6e306346465f7283b6effe

SHA256
1a947325f5be1434f642e2ade72d8fcbe7f5aadc000719c6a7119da1ef5ef601

SHA512
054cc94ad5e69d03ec377fdd13dbe4bc060456d4d7032e846a6f908b51b8e4bf572b17d360087fb99cd72574c52eae573e3ddc121c7c8e1c820472bcf0c59903

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onc95pXk.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onc95pXk.xlsm

Filesize
20KB

MD5
58f817d3b4d74626387703923d38d733

SHA1
5996cd9fd5f1e5673bebca11f9ac803b76c2de93

SHA256
9d51f8e8038d6cfe404f5f34e9992d8443f90d699e581b43862b6c5190efe42c

SHA512
5d9964973cbee2e8c09b67b0b15f19e704fd4f3539bd62c29ca186551bf5c61ba9e43fd5650730af33da13e1d22725ee3507814860ec26a8631a11f728541971

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onc95pXk.xlsm

Filesize
24KB

MD5
1a77badd1f975993393f07dcfd21a486

SHA1
0944e16df7217dd08aaae99c09811ca41b219ba4

SHA256
3a12be887b26bc3637284a7c3488dba2e46d9508dc053396d64406ded617959c

SHA512
cb15529101d7c386076879b5a1e6fc197fe6829bc00c79f1daafe3918cc34a3101df477af8f1be4f97e209cd6ad45035f065ed2d0912802b0d8221dfb28d454b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onc95pXk.xlsm

Filesize
23KB

MD5
11008598e30b2441146efa9bd66984dd

SHA1
27e84e4b37ef7731cf59c39d4e173687b0755d63

SHA256
9576c65b4c70f8855defbda51619752fc712a9854b68479897597d486993ba19

SHA512
0fed17d273fece8a0474a6447883b8e3bd314e822d671787e02d9e5792a21057ba0552a5eea8255e32fb8a13d657179a658ace3b7ec1cc6c703cb884eb1e59cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onc95pXk.xlsm

Filesize
28KB

MD5
805983ea8d7b3946509bef3f9f97fa7e

SHA1
a0870a2f60a94a239b563668590ecd2700973e02

SHA256
c96c979da5af25ee5baf50e8c43c55a3b35968cea3024e62d4f89440ac9b489c

SHA512
8d9afea8de166b0c8fb9ead0ed8d742564071f972f20ba3276838b2b00d80d38e86f57e8a55f06b77246bcc53199dffd0ecbe532cec656cf0912f3e3c4bd542b

Download Submit
C:\Users\Admin\Documents\~$UsePush.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1460-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1804-168-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1804-50-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1804-136-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1804-137-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1804-138-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-4-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-19-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2036-15-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-6-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-13-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-10-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-11-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-14-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-5-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2036-8-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2176-59-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/2392-1-0x0000000000A10000-0x0000000000F64000-memory.dmp

Filesize
5.3MB

Download
memory/2392-0-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/2392-2-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2392-3-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2392-18-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-40-0x0000000000E80000-0x0000000000E9C000-memory.dmp

Filesize
112KB

Download
memory/2592-41-0x0000000000DF0000-0x0000000001344000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads