xworm | e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d

Analysis

max time kernel
129s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe
Size

1.2MB
MD5

8fb19c3d4cb103c9c135b8cb66a3b69f
SHA1

b16e6b15410da8ec3e35fda27d6950faeecaefff
SHA256

e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d
SHA512

502c7b57c08addd41d1de3ae7978d3caeb1841e55313c2fc5a7519efab661d27470388e0e5a8c47c0e03160c448331172ff73845f21f29ec5c190d9959c10262
SSDEEP

24576:GbypZzt2/HBrpbIQPl5JDM/8qb3Ma1zQYHRgR9Vj:Guzt0lP5wf1caSR

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

primary.fastly-dns.com:54984

kbk.con-ip.com:54984

Mutex

UvbWPurmSYHI9fDh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5092-35-0x00000000003F0000-0x00000000003FE000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1008 created 3584	1008	Households.pif	56
PID 1008 created 3584	1008	Households.pif	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1008	Households.pif
5092	jsc.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
916	tasklist.exe
752	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 5092	1008	Households.pif	116

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Households.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
800	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
800	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif
1008	Households.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	tasklist.exe
Token: SeDebugPrivilege	752	tasklist.exe
Token: SeDebugPrivilege	5092	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1008	Households.pif
1008	Households.pif
1008	Households.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1008	Households.pif
1008	Households.pif
1008	Households.pif

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 740	2892	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	99
PID 2892 wrote to memory of 740	2892	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	99
PID 2892 wrote to memory of 740	2892	e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe	99
PID 740 wrote to memory of 4968	740	cmd.exe	100
PID 740 wrote to memory of 4968	740	cmd.exe	100
PID 740 wrote to memory of 4968	740	cmd.exe	100
PID 4968 wrote to memory of 916	4968	cmd.exe	101
PID 4968 wrote to memory of 916	4968	cmd.exe	101
PID 4968 wrote to memory of 916	4968	cmd.exe	101
PID 4968 wrote to memory of 4304	4968	cmd.exe	102
PID 4968 wrote to memory of 4304	4968	cmd.exe	102
PID 4968 wrote to memory of 4304	4968	cmd.exe	102
PID 4968 wrote to memory of 752	4968	cmd.exe	103
PID 4968 wrote to memory of 752	4968	cmd.exe	103
PID 4968 wrote to memory of 752	4968	cmd.exe	103
PID 4968 wrote to memory of 4564	4968	cmd.exe	104
PID 4968 wrote to memory of 4564	4968	cmd.exe	104
PID 4968 wrote to memory of 4564	4968	cmd.exe	104
PID 4968 wrote to memory of 2736	4968	cmd.exe	105
PID 4968 wrote to memory of 2736	4968	cmd.exe	105
PID 4968 wrote to memory of 2736	4968	cmd.exe	105
PID 4968 wrote to memory of 2716	4968	cmd.exe	106
PID 4968 wrote to memory of 2716	4968	cmd.exe	106
PID 4968 wrote to memory of 2716	4968	cmd.exe	106
PID 4968 wrote to memory of 4860	4968	cmd.exe	107
PID 4968 wrote to memory of 4860	4968	cmd.exe	107
PID 4968 wrote to memory of 4860	4968	cmd.exe	107
PID 4968 wrote to memory of 1008	4968	cmd.exe	108
PID 4968 wrote to memory of 1008	4968	cmd.exe	108
PID 4968 wrote to memory of 1008	4968	cmd.exe	108
PID 4968 wrote to memory of 800	4968	cmd.exe	109
PID 4968 wrote to memory of 800	4968	cmd.exe	109
PID 4968 wrote to memory of 800	4968	cmd.exe	109
PID 1008 wrote to memory of 652	1008	Households.pif	111
PID 1008 wrote to memory of 652	1008	Households.pif	111
PID 1008 wrote to memory of 652	1008	Households.pif	111
PID 1008 wrote to memory of 5092	1008	Households.pif	116
PID 1008 wrote to memory of 5092	1008	Households.pif	116
PID 1008 wrote to memory of 5092	1008	Households.pif	116
PID 1008 wrote to memory of 5092	1008	Households.pif	116
PID 1008 wrote to memory of 5092	1008	Households.pif	116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe
  "C:\Users\Admin\AppData\Local\Temp\e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Incident & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 20133
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Cio + Asks + Gnu + Able + Nov + Rt 20133\Households.pif
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Joan 20133\m
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\45625\20133\Households.pif
        
        20133\Households.pif 20133\m
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1008
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url" & echo URL="C:\Users\Admin\AppData\Local\Natalie Mitchell\PhotoFusionX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhotoFusionX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Users\Admin\AppData\Local\Temp\45625\20133\jsc.exe
  C:\Users\Admin\AppData\Local\Temp\45625\20133\jsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45625\20133\Households.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\20133\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Able

Filesize
273KB

MD5
b18b63a85cdcf60914260cfae0ae4957

SHA1
1dc4f8248065a06af8e22d236b2bb36d13c3bd32

SHA256
aa28b7ddc712c0af41d66059f4e12ddaaa6029374435f6a0ffb3c78b52ce19fa

SHA512
f82fe5443f6da12996bea01e1e655b160b41fb274acb477a66ecf9dc6a14f1ad5b8eb126933066a6fef91167be56d7d2910da1f064f5b98454bca0f0a692eaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Asks

Filesize
106KB

MD5
aad6c578267939659e3df7d42a7a8783

SHA1
ae99d294d46fc9b39ad425f40c7f131cc7da42f2

SHA256
77661944a98fecc707d67075d5dfbedd6abf50165eaef7993267fd89cc526a72

SHA512
1251cc47882d76690052653a39ac9d1d879c3dca748d6d531fe77f0baedb114d4cbd98dc768629ceb90d38d9c753903287c8e4aefa6e732a5077c616c4884882

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Cio

Filesize
137KB

MD5
1ba107d3e8d90334d4c59dfb51ab5779

SHA1
d650f3435899afb6e7b55288f447edc7d9d37a51

SHA256
16f0ab5e6a6574868a538223d9539a084d60d4249ef834e2ee084b7467c1c37d

SHA512
0f412fd5c85f43a0866d39252e05f4715b125e7cc7b9d6cb536a4c4220531330a5b0a142cef57c2ed1fee9c598a1fc114c8031f2fedb07a79069df39de2159e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Gnu

Filesize
230KB

MD5
6b26517c639069470bbf1bbea3f6f7e9

SHA1
3201e4cb1cb0a1c893a4f8371bc9fe518a79d306

SHA256
4b77e166a7aba7435faf11534fafa1d4b10b34d138bd2bdfdad0c42b1fdd8a35

SHA512
ed6523d35b47907cca54966511e7d5b99a4fa7ec255aa4b3021fcaba6237465efd4648b1989625441a5fa501d178e90cc7ab6704da131cd6daa4ae9e2386a148

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Incident

Filesize
12KB

MD5
c308fce63eaeb0964204ee344e74c530

SHA1
37587a71e11f159e23ca8c6a806023dcd764d43d

SHA256
95b11d335117db2a17ed7313eaeff4ba5631787d0a5bea0b0c21527b47fba006

SHA512
72edb8133bd940955333261ad79ec2441a0fa684203ba7debb572a825abd0c81903a3d90235655d668a6ec005ab1eab3e4f3dc1c59723b88c38138e0692276da

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Joan

Filesize
417KB

MD5
35e1231ab34f283787bc9869e2d081fc

SHA1
5e0d32feef1b4600cbcf7181e8b1652c93976b4c

SHA256
9806a7ed5a2f26f6146768182c935f3cb58aa7ac268ca0f2846f7ffd901271a4

SHA512
629101714e8636cca95b74d2fea959859bde5d0e9175f2e432254982286feccb789eacdbbc2fdce6567ff946952c2db155f9c29df2e4a66fa465380934d09f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Nov

Filesize
105KB

MD5
f9c1c01c5afe440a6f116c8030b2c178

SHA1
ce5f477a9900079c69f4fa6beeb455e74fff1193

SHA256
ce0d0f68f168bebdbe643d04003480a70f1728d2ffe41e090c3f049158291a9c

SHA512
19c2d5a543226658045abec5638ae89f83b345459e069a30932f2588058c57af415dece15b7200361c4c7fadca6d822c935db47b4edb0c8c9da967a8b4ec603b

Download Submit
C:\Users\Admin\AppData\Local\Temp\45625\Rt

Filesize
73KB

MD5
e0ce0608f7d9c00e386462fc9bc982ef

SHA1
5341820e38bd5dcd13ce25c9baf70e866af5e218

SHA256
39c5a08df71151027538f77df3164a0dde1e82af24e1c49e95e8e841b960ebae

SHA512
09cd9ccc957991fd922bb7922aba6c07d8a1c93ff899e8727856a27deec844be02c78b3d976d19bba50ffffa939904a6e26243c227dae14c104754d04c82614f

Download Submit
memory/2892-0-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x0000000000700000-0x0000000000836000-memory.dmp

Filesize
1.2MB

Download
memory/2892-31-0x0000000000700000-0x0000000000836000-memory.dmp

Filesize
1.2MB

Download
memory/2892-7-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/5092-34-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/5092-35-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/5092-38-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download