xworm | 030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER PURCHASE.exe
Size

656KB
MD5

ca2ed1b927f4bee1cd1f24bb19f4c0e1
SHA1

d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d
SHA256

030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b
SHA512

153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7
SSDEEP

12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

176.9.162.125:4060

Mutex

znPInVDrQ2IiwTWB

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3908-23-0x00000000004B0000-0x00000000004C0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
3292	powershell.exe
460	powershell.exe
2400	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	NEW ORDER PURCHASE.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	NEW ORDER PURCHASE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	NEW ORDER PURCHASE.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	NEW ORDER PURCHASE.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3908	NEW ORDER PURCHASE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1296	NEW ORDER PURCHASE.exe
3908	NEW ORDER PURCHASE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 3908	1296	NEW ORDER PURCHASE.exe	95

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\slutstrenge.tri	NEW ORDER PURCHASE.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Semiprofessionalized248\evaluxir.pra	NEW ORDER PURCHASE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEW ORDER PURCHASE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEW ORDER PURCHASE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1692	powershell.exe
1692	powershell.exe
3292	powershell.exe
3292	powershell.exe
460	powershell.exe
460	powershell.exe
2400	powershell.exe
2400	powershell.exe
3908	NEW ORDER PURCHASE.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1296	NEW ORDER PURCHASE.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	NEW ORDER PURCHASE.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3908	NEW ORDER PURCHASE.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 3908	1296	NEW ORDER PURCHASE.exe	95
PID 1296 wrote to memory of 3908	1296	NEW ORDER PURCHASE.exe	95
PID 1296 wrote to memory of 3908	1296	NEW ORDER PURCHASE.exe	95
PID 1296 wrote to memory of 3908	1296	NEW ORDER PURCHASE.exe	95
PID 1296 wrote to memory of 3908	1296	NEW ORDER PURCHASE.exe	95
PID 3908 wrote to memory of 1692	3908	NEW ORDER PURCHASE.exe	98
PID 3908 wrote to memory of 1692	3908	NEW ORDER PURCHASE.exe	98
PID 3908 wrote to memory of 1692	3908	NEW ORDER PURCHASE.exe	98
PID 3908 wrote to memory of 3292	3908	NEW ORDER PURCHASE.exe	100
PID 3908 wrote to memory of 3292	3908	NEW ORDER PURCHASE.exe	100
PID 3908 wrote to memory of 3292	3908	NEW ORDER PURCHASE.exe	100
PID 3908 wrote to memory of 460	3908	NEW ORDER PURCHASE.exe	102
PID 3908 wrote to memory of 460	3908	NEW ORDER PURCHASE.exe	102
PID 3908 wrote to memory of 460	3908	NEW ORDER PURCHASE.exe	102
PID 3908 wrote to memory of 2400	3908	NEW ORDER PURCHASE.exe	104
PID 3908 wrote to memory of 2400	3908	NEW ORDER PURCHASE.exe	104
PID 3908 wrote to memory of 2400	3908	NEW ORDER PURCHASE.exe	104

C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NEW ORDER PURCHASE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
71e5fb40a7e2081adf79ffc86f3009a1

SHA1
989bc1cdcd5f3975f28b56f8798315e033c2b0e8

SHA256
d8bcae67e639b76fa618730022e59e85d107207b3d5a3c977d7f76eab7217153

SHA512
1b0ad62f6b6805613cb6531d5cfb76d44bcbb0e55ef82a0e8ed0b106b59bc2a88f9181628ed1d4880ae6e87b87e1ab94b2b65c2347dfd23ab4fcf607a898c67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
779fffc401193cca66822a848e39412d

SHA1
2d9bffea891dfc42932cc7a3886060ef26c9d24f

SHA256
07bce3417ca8f59ed40c4a665b70a1a0a06673d8333855729d9bf557ed1c0b5f

SHA512
0e7d3b03a2ce7e039878fcd65f2dfc13f9bb2977638bde13ba44213e29c8a12d9f86279db34e49645500cf67c49555a27f145257d0326888950c44ce602d9ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b14bdf76f3aeec675a84280e15560c75

SHA1
31c406936e9708b9d4abf7afc3e328ce4115232a

SHA256
8161d883be0a34d52b8a27aa88c8cbe04e2ba4cc77aecb3be0ad158abe3fd113

SHA512
221657ff5c4370507050ed25d12274f3f0da4e3743a15e821120db1234b6c0e5618efa0ccc7ddad75b37b7f579d6d93d5107cf05bb510433dc48f9f085949fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_trzowkmi.dt2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB43D.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
memory/460-101-0x000000006E210000-0x000000006E25C000-memory.dmp

Filesize
304KB

Download
memory/1296-9-0x0000000077261000-0x0000000077381000-memory.dmp

Filesize
1.1MB

Download
memory/1296-10-0x0000000077261000-0x0000000077381000-memory.dmp

Filesize
1.1MB

Download
memory/1296-11-0x0000000073F55000-0x0000000073F56000-memory.dmp

Filesize
4KB

Download
memory/1692-56-0x00000000080F0000-0x000000000876A000-memory.dmp

Filesize
6.5MB

Download
memory/1692-61-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/1692-27-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/1692-28-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/1692-29-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/1692-30-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/1692-64-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/1692-40-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/1692-41-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/1692-42-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/1692-43-0x0000000007730000-0x0000000007762000-memory.dmp

Filesize
200KB

Download
memory/1692-44-0x000000006E210000-0x000000006E25C000-memory.dmp

Filesize
304KB

Download
memory/1692-54-0x0000000006D50000-0x0000000006D6E000-memory.dmp

Filesize
120KB

Download
memory/1692-55-0x0000000007970000-0x0000000007A13000-memory.dmp

Filesize
652KB

Download
memory/1692-63-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/1692-57-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/1692-58-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/1692-59-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/1692-60-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/1692-26-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/1692-62-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/2400-123-0x000000006E210000-0x000000006E25C000-memory.dmp

Filesize
304KB

Download
memory/2400-121-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/3292-79-0x000000006E210000-0x000000006E25C000-memory.dmp

Filesize
304KB

Download
memory/3292-68-0x00000000060A0000-0x00000000063F4000-memory.dmp

Filesize
3.3MB

Download
memory/3908-13-0x0000000077305000-0x0000000077306000-memory.dmp

Filesize
4KB

Download
memory/3908-21-0x0000000077261000-0x0000000077381000-memory.dmp

Filesize
1.1MB

Download
memory/3908-20-0x00000000004B0000-0x0000000001704000-memory.dmp

Filesize
18.3MB

Download
memory/3908-100-0x000000007215E000-0x000000007215F000-memory.dmp

Filesize
4KB

Download
memory/3908-23-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/3908-22-0x000000007215E000-0x000000007215F000-memory.dmp

Filesize
4KB

Download
memory/3908-12-0x00000000772E8000-0x00000000772E9000-memory.dmp

Filesize
4KB

Download
memory/3908-24-0x0000000035600000-0x000000003569C000-memory.dmp

Filesize
624KB

Download
memory/3908-139-0x0000000038150000-0x00000000386F4000-memory.dmp

Filesize
5.6MB

Download
memory/3908-140-0x0000000072150000-0x0000000072900000-memory.dmp

Filesize
7.7MB

Download
memory/3908-141-0x0000000038860000-0x00000000388F2000-memory.dmp

Filesize
584KB

Download
memory/3908-142-0x0000000038920000-0x000000003892A000-memory.dmp

Filesize
40KB

Download
memory/3908-144-0x0000000072150000-0x0000000072900000-memory.dmp

Filesize
7.7MB

Download