xworm | ee77fd66103b412195daff2514cd1fb550e61e618c2fa98bfd5ab998e5cd7b6b

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

explorers.exe
Size

99KB
MD5

70481cef66610d13de32339230ddcfd1
SHA1

39d19ccc6c1d77fe62d39b7eda95559bd2969f16
SHA256

ee77fd66103b412195daff2514cd1fb550e61e618c2fa98bfd5ab998e5cd7b6b
SHA512

75e0f65e0a2957a20796c93654ccde195f9c53d821c25a260c4203a2170aa821dbfc9c1ce3b165a41a23d44ef7c033076f1da9fe2691b2087c60b89dce8a63a7
SSDEEP

1536:gCg7wHl8aTciGekb5jPHyZ6xnOEiXChiH0hLP+VVVVVVVVVVVVVVVVVVVVVVVVVm:Gi8ScRekb5DnOEiXbH0hLND

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:44495

death-manor.gl.at.ply.gg:44495

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2080-1-0x0000000000A80000-0x0000000000A9E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe
2592	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	explorers.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2080	explorers.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3036	2080	explorers.exe	28
PID 2080 wrote to memory of 3036	2080	explorers.exe	28
PID 2080 wrote to memory of 3036	2080	explorers.exe	28
PID 2080 wrote to memory of 2592	2080	explorers.exe	30
PID 2080 wrote to memory of 2592	2080	explorers.exe	30
PID 2080 wrote to memory of 2592	2080	explorers.exe	30

C:\Users\Admin\AppData\Local\Temp\explorers.exe
"C:\Users\Admin\AppData\Local\Temp\explorers.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorers.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorers.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2af14c5511c7c018cd0dc39d4a920731

SHA1
e92f5f970fe70404a40d7197833e935403150148

SHA256
157d321b97b500a8aa8dba435d2e80ea0368baa0e336475d9954c4ea3577af1f

SHA512
ac4f8937b83b6ba4ec712e35dde514ba15a8aa03ee6fe1bb5b8ba21a0bb8d95259a1748613857050b2b695f4c19d054b0823d3e8b3a7b38ca4e887adaaabada4

Download Submit
memory/2080-0-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000A80000-0x0000000000A9E000-memory.dmp

Filesize
120KB

Download
memory/2080-16-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2080-17-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/2080-18-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2592-14-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2592-15-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/3036-6-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/3036-7-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/3036-8-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download