xworm | e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d

Analysis

max time kernel
149s
max time network
135s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe
Size

1.2MB
MD5

8fb19c3d4cb103c9c135b8cb66a3b69f
SHA1

b16e6b15410da8ec3e35fda27d6950faeecaefff
SHA256

e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d
SHA512

502c7b57c08addd41d1de3ae7978d3caeb1841e55313c2fc5a7519efab661d27470388e0e5a8c47c0e03160c448331172ff73845f21f29ec5c190d9959c10262
SSDEEP

24576:GbypZzt2/HBrpbIQPl5JDM/8qb3Ma1zQYHRgR9Vj:Guzt0lP5wf1caSR

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

primary.fastly-dns.com:54984

kbk.con-ip.com:54984

Mutex

UvbWPurmSYHI9fDh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/784-37-0x0000000000080000-0x000000000008E000-memory.dmp	family_xworm
behavioral1/memory/784-39-0x0000000000080000-0x000000000008E000-memory.dmp	family_xworm
behavioral1/memory/784-40-0x0000000000080000-0x000000000008E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2128 created 1100	2128	Households.pif	20
PID 2128 created 1100	2128	Households.pif	20

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	Households.pif
784	jsc.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	cmd.exe
2128	Households.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2064	tasklist.exe
2700	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 784	2128	Households.pif	46

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Households.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2904	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2904	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif
2128	Households.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	tasklist.exe
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	784	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2128	Households.pif
2128	Households.pif
2128	Households.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2128	Households.pif
2128	Households.pif
2128	Households.pif

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1348	1776	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	31
PID 1776 wrote to memory of 1348	1776	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	31
PID 1776 wrote to memory of 1348	1776	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	31
PID 1776 wrote to memory of 1348	1776	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	31
PID 1348 wrote to memory of 2052	1348	cmd.exe	32
PID 1348 wrote to memory of 2052	1348	cmd.exe	32
PID 1348 wrote to memory of 2052	1348	cmd.exe	32
PID 1348 wrote to memory of 2052	1348	cmd.exe	32
PID 2052 wrote to memory of 2064	2052	cmd.exe	33
PID 2052 wrote to memory of 2064	2052	cmd.exe	33
PID 2052 wrote to memory of 2064	2052	cmd.exe	33
PID 2052 wrote to memory of 2064	2052	cmd.exe	33
PID 2052 wrote to memory of 2292	2052	cmd.exe	34
PID 2052 wrote to memory of 2292	2052	cmd.exe	34
PID 2052 wrote to memory of 2292	2052	cmd.exe	34
PID 2052 wrote to memory of 2292	2052	cmd.exe	34
PID 2052 wrote to memory of 2700	2052	cmd.exe	36
PID 2052 wrote to memory of 2700	2052	cmd.exe	36
PID 2052 wrote to memory of 2700	2052	cmd.exe	36
PID 2052 wrote to memory of 2700	2052	cmd.exe	36
PID 2052 wrote to memory of 2436	2052	cmd.exe	37
PID 2052 wrote to memory of 2436	2052	cmd.exe	37
PID 2052 wrote to memory of 2436	2052	cmd.exe	37
PID 2052 wrote to memory of 2436	2052	cmd.exe	37
PID 2052 wrote to memory of 2800	2052	cmd.exe	38
PID 2052 wrote to memory of 2800	2052	cmd.exe	38
PID 2052 wrote to memory of 2800	2052	cmd.exe	38
PID 2052 wrote to memory of 2800	2052	cmd.exe	38
PID 2052 wrote to memory of 2812	2052	cmd.exe	39
PID 2052 wrote to memory of 2812	2052	cmd.exe	39
PID 2052 wrote to memory of 2812	2052	cmd.exe	39
PID 2052 wrote to memory of 2812	2052	cmd.exe	39
PID 2052 wrote to memory of 2720	2052	cmd.exe	40
PID 2052 wrote to memory of 2720	2052	cmd.exe	40
PID 2052 wrote to memory of 2720	2052	cmd.exe	40
PID 2052 wrote to memory of 2720	2052	cmd.exe	40
PID 2052 wrote to memory of 2128	2052	cmd.exe	41
PID 2052 wrote to memory of 2128	2052	cmd.exe	41
PID 2052 wrote to memory of 2128	2052	cmd.exe	41
PID 2052 wrote to memory of 2128	2052	cmd.exe	41
PID 2052 wrote to memory of 2904	2052	cmd.exe	42
PID 2052 wrote to memory of 2904	2052	cmd.exe	42
PID 2052 wrote to memory of 2904	2052	cmd.exe	42
PID 2052 wrote to memory of 2904	2052	cmd.exe	42
PID 2128 wrote to memory of 1340	2128	Households.pif	44
PID 2128 wrote to memory of 1340	2128	Households.pif	44
PID 2128 wrote to memory of 1340	2128	Households.pif	44
PID 2128 wrote to memory of 1340	2128	Households.pif	44
PID 2128 wrote to memory of 784	2128	Households.pif	46
PID 2128 wrote to memory of 784	2128	Households.pif	46
PID 2128 wrote to memory of 784	2128	Households.pif	46
PID 2128 wrote to memory of 784	2128	Households.pif	46
PID 2128 wrote to memory of 784	2128	Households.pif	46
PID 2128 wrote to memory of 784	2128	Households.pif	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe
  "C:\Users\Admin\AppData\Local\Temp\e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Incident & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 20104
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Cio + Asks + Gnu + Able + Nov + Rt 20104\Households.pif
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Joan 20104\m
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\50451\20104\Households.pif
        
        20104\Households.pif 20104\m
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2128
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url" & echo URL="C:\Users\Admin\AppData\Local\Natalie Mitchell\PhotoFusionX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\50451\20104\jsc.exe
  C:\Users\Admin\AppData\Local\Temp\50451\20104\jsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50451\Able

Filesize
273KB

MD5
b18b63a85cdcf60914260cfae0ae4957

SHA1
1dc4f8248065a06af8e22d236b2bb36d13c3bd32

SHA256
aa28b7ddc712c0af41d66059f4e12ddaaa6029374435f6a0ffb3c78b52ce19fa

SHA512
f82fe5443f6da12996bea01e1e655b160b41fb274acb477a66ecf9dc6a14f1ad5b8eb126933066a6fef91167be56d7d2910da1f064f5b98454bca0f0a692eaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Asks

Filesize
106KB

MD5
aad6c578267939659e3df7d42a7a8783

SHA1
ae99d294d46fc9b39ad425f40c7f131cc7da42f2

SHA256
77661944a98fecc707d67075d5dfbedd6abf50165eaef7993267fd89cc526a72

SHA512
1251cc47882d76690052653a39ac9d1d879c3dca748d6d531fe77f0baedb114d4cbd98dc768629ceb90d38d9c753903287c8e4aefa6e732a5077c616c4884882

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Cio

Filesize
137KB

MD5
1ba107d3e8d90334d4c59dfb51ab5779

SHA1
d650f3435899afb6e7b55288f447edc7d9d37a51

SHA256
16f0ab5e6a6574868a538223d9539a084d60d4249ef834e2ee084b7467c1c37d

SHA512
0f412fd5c85f43a0866d39252e05f4715b125e7cc7b9d6cb536a4c4220531330a5b0a142cef57c2ed1fee9c598a1fc114c8031f2fedb07a79069df39de2159e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Gnu

Filesize
230KB

MD5
6b26517c639069470bbf1bbea3f6f7e9

SHA1
3201e4cb1cb0a1c893a4f8371bc9fe518a79d306

SHA256
4b77e166a7aba7435faf11534fafa1d4b10b34d138bd2bdfdad0c42b1fdd8a35

SHA512
ed6523d35b47907cca54966511e7d5b99a4fa7ec255aa4b3021fcaba6237465efd4648b1989625441a5fa501d178e90cc7ab6704da131cd6daa4ae9e2386a148

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Incident

Filesize
12KB

MD5
c308fce63eaeb0964204ee344e74c530

SHA1
37587a71e11f159e23ca8c6a806023dcd764d43d

SHA256
95b11d335117db2a17ed7313eaeff4ba5631787d0a5bea0b0c21527b47fba006

SHA512
72edb8133bd940955333261ad79ec2441a0fa684203ba7debb572a825abd0c81903a3d90235655d668a6ec005ab1eab3e4f3dc1c59723b88c38138e0692276da

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Joan

Filesize
417KB

MD5
35e1231ab34f283787bc9869e2d081fc

SHA1
5e0d32feef1b4600cbcf7181e8b1652c93976b4c

SHA256
9806a7ed5a2f26f6146768182c935f3cb58aa7ac268ca0f2846f7ffd901271a4

SHA512
629101714e8636cca95b74d2fea959859bde5d0e9175f2e432254982286feccb789eacdbbc2fdce6567ff946952c2db155f9c29df2e4a66fa465380934d09f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Nov

Filesize
105KB

MD5
f9c1c01c5afe440a6f116c8030b2c178

SHA1
ce5f477a9900079c69f4fa6beeb455e74fff1193

SHA256
ce0d0f68f168bebdbe643d04003480a70f1728d2ffe41e090c3f049158291a9c

SHA512
19c2d5a543226658045abec5638ae89f83b345459e069a30932f2588058c57af415dece15b7200361c4c7fadca6d822c935db47b4edb0c8c9da967a8b4ec603b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50451\Rt

Filesize
73KB

MD5
e0ce0608f7d9c00e386462fc9bc982ef

SHA1
5341820e38bd5dcd13ce25c9baf70e866af5e218

SHA256
39c5a08df71151027538f77df3164a0dde1e82af24e1c49e95e8e841b960ebae

SHA512
09cd9ccc957991fd922bb7922aba6c07d8a1c93ff899e8727856a27deec844be02c78b3d976d19bba50ffffa939904a6e26243c227dae14c104754d04c82614f

Download Submit
\Users\Admin\AppData\Local\Temp\50451\20104\Households.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\50451\20104\jsc.exe

Filesize
45KB

MD5
f1feead2143c07ca411d82a29fa964af

SHA1
2198e7bf402773757bb2a25311ffd2644e5a1645

SHA256
8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

SHA512
e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

Download Submit
memory/784-36-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/784-37-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/784-39-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/784-40-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/1776-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1776-30-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1776-29-0x0000000000700000-0x0000000000836000-memory.dmp

Filesize
1.2MB

Download
memory/1776-31-0x0000000000700000-0x0000000000836000-memory.dmp

Filesize
1.2MB

Download