Overview

overview

10

Static

static

7

XwormLoader.exe

windows7-x64

10

XwormLoader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XwormLoader.exe

  • Size

    7.9MB

  • MD5

    5b757c6d0af650a77ba1bf7edea18b36

  • SHA1

    c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3

  • SHA256

    c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856

  • SHA512

    93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960

  • SSDEEP

    196608:T7b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr5:T7yvRZBEP3xZi5Oso+PWbXooL4Sa

Score
10/10
xwormexecutionrattrojan

Malware Config

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 3 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:824
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1760
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2760 -s 728
        3⤵
          PID:320
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp129.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1056
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {CE209C76-30CF-49BA-A779-FFED16B9D20F} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\ProgramData\svchost.exe
        C:\ProgramData\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      Filesize

      14.9MB

      MD5

      db51a102eab752762748a2dec8f7f67a

      SHA1

      194688ec1511b83063f7b0167ae250764b7591d1

      SHA256

      93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

      SHA512

      fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      144KB

      MD5

      4b90399888a12fb85ccc3d0190d5a1d3

      SHA1

      3326c027bac28b9480b0c7f621481a6cc033db4e

      SHA256

      cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

      SHA512

      899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp129.tmp.bat
      Filesize

      162B

      MD5

      225fdd9efe90ceb38958f4adbf1f246f

      SHA1

      0c351c4ed22869488fa6bc5319ceb397eb2b3573

      SHA256

      b145b58b457cd64d84b804a13bb8ae17f4a8921834d0e4641b76cb0a7e948d02

      SHA512

      1a03735c20fe57b8609fae0deb064f4f042b5b229692c8f67975f59453b12b4d150c457d46a87d9ceb5bb6d28c0bc48e7134ef67310c6a6b5ca2224a512974e8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      fb4e295f8b3dac2550e86578146cf12a

      SHA1

      03ee2daf3ffe2ee34b18dd4f4ff3d3ff2eda91a7

      SHA256

      3726f56ac5b755ffa42b07d7241cd860194d26589957c11ff8da8a025ec1462c

      SHA512

      2e9ab3f3a9af7fd08238714bcdbcd69e74496a14e1a65fc2db3b7819459a04dcb94bb348b3bb470749aeaa1b6ab40f3ea9c0a2d09b2268ad9ffb14be0a178806

      Download Submit

    • memory/1240-35-0x000000001B630000-0x000000001B912000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1240-36-0x0000000002970000-0x0000000002978000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1840-43-0x00000000028E0000-0x00000000028E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1840-42-0x000000001B540000-0x000000001B822000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2228-58-0x0000000000E70000-0x0000000000E9A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2684-14-0x0000000000990000-0x00000000009BA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2684-17-0x000007FEF30B3000-0x000007FEF30B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2748-1-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-2-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-29-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-0-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2748-3-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-6-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-16-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-13-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2748-11-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2760-28-0x00000000002E0000-0x00000000011C8000-memory.dmp

      Filesize

      14.9MB

      Download