xworm | ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice Certificates and CMR.exe
Size

691KB
MD5

cd0e4ac274a929010fed125c319c3e69
SHA1

cc530ce42f9b3024cf491eef61dfbf4dcd905176
SHA256

ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f
SHA512

b5fd740e1ceff2a6d999f5e6fb0ac89fc74ce61aa58eae5526ede9ab0001eeecc26ef1ad80d6e501a4121b4e5a2cacd19d7e52488b895b283c26cd1d94ea4c18
SSDEEP

12288:qTfdqmnKE2pb57I+xdvCss0BW9T3PG6dWHb:qv2t5s+qj049DGAW7

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

pkaraven.duckdns.org:9387

Mutex

AXupjNCu673XjSaT

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/3020-25-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/3020-28-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/3020-23-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/3020-29-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/3020-30-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2452	powershell.exe
2888	powershell.exe
2756	powershell.exe
820	powershell.exe
1336	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice Certificates and CMR.lnk	Invoice Certificates and CMR.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice Certificates and CMR.lnk	Invoice Certificates and CMR.exe

Loads dropped DLL 1 IoCs

pid	Process
3020	Invoice Certificates and CMR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 3020	2176	Invoice Certificates and CMR.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice Certificates and CMR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice Certificates and CMR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2176	Invoice Certificates and CMR.exe
2176	Invoice Certificates and CMR.exe
2888	powershell.exe
2452	powershell.exe
2756	powershell.exe
820	powershell.exe
1336	powershell.exe
3020	Invoice Certificates and CMR.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	Invoice Certificates and CMR.exe
Token: SeDebugPrivilege	3020	Invoice Certificates and CMR.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3020	Invoice Certificates and CMR.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2452	2176	Invoice Certificates and CMR.exe	31
PID 2176 wrote to memory of 2452	2176	Invoice Certificates and CMR.exe	31
PID 2176 wrote to memory of 2452	2176	Invoice Certificates and CMR.exe	31
PID 2176 wrote to memory of 2452	2176	Invoice Certificates and CMR.exe	31
PID 2176 wrote to memory of 2888	2176	Invoice Certificates and CMR.exe	33
PID 2176 wrote to memory of 2888	2176	Invoice Certificates and CMR.exe	33
PID 2176 wrote to memory of 2888	2176	Invoice Certificates and CMR.exe	33
PID 2176 wrote to memory of 2888	2176	Invoice Certificates and CMR.exe	33
PID 2176 wrote to memory of 2924	2176	Invoice Certificates and CMR.exe	35
PID 2176 wrote to memory of 2924	2176	Invoice Certificates and CMR.exe	35
PID 2176 wrote to memory of 2924	2176	Invoice Certificates and CMR.exe	35
PID 2176 wrote to memory of 2924	2176	Invoice Certificates and CMR.exe	35
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 2176 wrote to memory of 3020	2176	Invoice Certificates and CMR.exe	37
PID 3020 wrote to memory of 2756	3020	Invoice Certificates and CMR.exe	38
PID 3020 wrote to memory of 2756	3020	Invoice Certificates and CMR.exe	38
PID 3020 wrote to memory of 2756	3020	Invoice Certificates and CMR.exe	38
PID 3020 wrote to memory of 2756	3020	Invoice Certificates and CMR.exe	38
PID 3020 wrote to memory of 820	3020	Invoice Certificates and CMR.exe	40
PID 3020 wrote to memory of 820	3020	Invoice Certificates and CMR.exe	40
PID 3020 wrote to memory of 820	3020	Invoice Certificates and CMR.exe	40
PID 3020 wrote to memory of 820	3020	Invoice Certificates and CMR.exe	40
PID 3020 wrote to memory of 1336	3020	Invoice Certificates and CMR.exe	42
PID 3020 wrote to memory of 1336	3020	Invoice Certificates and CMR.exe	42
PID 3020 wrote to memory of 1336	3020	Invoice Certificates and CMR.exe	42
PID 3020 wrote to memory of 1336	3020	Invoice Certificates and CMR.exe	42

C:\Users\Admin\AppData\Local\Temp\Invoice Certificates and CMR.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice Certificates and CMR.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice Certificates and CMR.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uuWsHcHRt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uuWsHcHRt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\Invoice Certificates and CMR.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice Certificates and CMR.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Invoice Certificates and CMR.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Invoice Certificates and CMR.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Invoice Certificates and CMR.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp

Filesize
1KB

MD5
d509d7de374e1f2a85a7070ceab8f5ea

SHA1
ba2ec14c4f77c4805cbf28771ecb2cbbd870ead2

SHA256
862da5a7da86706a84029f78ed06a7f1fd54e8431f96a9d027e4105d43261e52

SHA512
f0447de158136bead892ccb9ece84a0a583cf7dbe36d3ad643096b582e9a90234981ab4288f010f92a8b1f9f7974cbb7401753ef6ba9c40cfb370ffb023a8f6f

Download Submit
C:\Users\Admin\AppData\Roaming\Invoice Certificates and CMR.exe

Filesize
691KB

MD5
cd0e4ac274a929010fed125c319c3e69

SHA1
cc530ce42f9b3024cf491eef61dfbf4dcd905176

SHA256
ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f

SHA512
b5fd740e1ceff2a6d999f5e6fb0ac89fc74ce61aa58eae5526ede9ab0001eeecc26ef1ad80d6e501a4121b4e5a2cacd19d7e52488b895b283c26cd1d94ea4c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c0946077402790738f19fc7a2fb71c87

SHA1
c38a772da72db215e2034587a5757f19849039c2

SHA256
4c2238e09784a2d5320b181a75c999071763dbc7c60daff2cfd1758afdc0a217

SHA512
68176ee3702de115ce9e68b00df78f3d1f14086901eb6f05f6cdb38f6fafb8145fea71c05bb186e53d88948a5e5526c5d95afd54e63177fe906a52bd10585200

Download Submit
memory/2176-31-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-1-0x0000000000AC0000-0x0000000000B72000-memory.dmp

Filesize
712KB

Download
memory/2176-2-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-3-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2176-4-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-5-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/2176-6-0x00000000004E0000-0x0000000000530000-memory.dmp

Filesize
320KB

Download
memory/2176-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/3020-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download