xworm | 5e83047d8407d37fbe2ad843c7844d0d6189adc107988b389ce1fa9f9c508748

Analysis

max time kernel
24s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rust.Aim/Start.bat
Size

129B
MD5

db38c6d364840c2f07293c6e126b4861
SHA1

d373ea5202039fa1abde76abd7cf42757a68b431
SHA256

af95ba5eb54db6ae3708b77d2f1f317fb0e723fc837ca800409554333060461e
SHA512

9dcd53d90cf7a1bd9cea90ba5663734cda59266a7176421474f3f1cbdcfdba0b8a4230b14d16c68a550e88c91e5b82b9cce207025cb69eac3ebf369d4e24f6b8

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

here-thinking.gl.at.ply.gg:50161

Attributes

Install_directory
%LocalAppData%
install_file
WindowsSecurity.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001d00000002aa8b-31.dat	family_xworm
behavioral2/memory/1140-38-0x0000000000300000-0x0000000000318000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4796	powershell.exe
3	4796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4204	powershell.exe
4892	powershell.exe
2336	powershell.exe
1164	powershell.exe
4796	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	Windows.Security.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	Windows.Security.exe

Executes dropped EXE 1 IoCs

pid	Process
1140	Windows.Security.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Local\\WindowsSecurity.exe"	Windows.Security.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
3	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4796	powershell.exe
4796	powershell.exe
4204	powershell.exe
4204	powershell.exe
4892	powershell.exe
4892	powershell.exe
2336	powershell.exe
2336	powershell.exe
1164	powershell.exe
1164	powershell.exe
1140	Windows.Security.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1140	Windows.Security.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1140	Windows.Security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	Windows.Security.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4796	3368	cmd.exe	78
PID 3368 wrote to memory of 4796	3368	cmd.exe	78
PID 4796 wrote to memory of 3556	4796	powershell.exe	79
PID 4796 wrote to memory of 3556	4796	powershell.exe	79
PID 3556 wrote to memory of 556	3556	csc.exe	80
PID 3556 wrote to memory of 556	3556	csc.exe	80
PID 4796 wrote to memory of 1140	4796	powershell.exe	81
PID 4796 wrote to memory of 1140	4796	powershell.exe	81
PID 1140 wrote to memory of 4204	1140	Windows.Security.exe	82
PID 1140 wrote to memory of 4204	1140	Windows.Security.exe	82
PID 1140 wrote to memory of 4892	1140	Windows.Security.exe	84
PID 1140 wrote to memory of 4892	1140	Windows.Security.exe	84
PID 1140 wrote to memory of 2336	1140	Windows.Security.exe	86
PID 1140 wrote to memory of 2336	1140	Windows.Security.exe	86
PID 1140 wrote to memory of 1164	1140	Windows.Security.exe	88
PID 1140 wrote to memory of 1164	1140	Windows.Security.exe	88
PID 1140 wrote to memory of 1604	1140	Windows.Security.exe	90
PID 1140 wrote to memory of 1604	1140	Windows.Security.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rust.Aim\Start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Rust.Aim\First.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g5apnlrn\g5apnlrn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp" "c:\Users\Admin\AppData\Local\Temp\g5apnlrn\CSCB4B13DD505242AF982A6EF58049891C.TMP"
      4⤵
      PID:556
- - C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.Security.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsSecurity.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Local\WindowsSecurity.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
856900844f6f1c326c89d0bcfb2f0c28

SHA1
1caad440d46fa8c0cbed4822b4be2bbdddba97c2

SHA256
ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

SHA512
ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
446c3266fe2d269282887afb9e0953c9

SHA1
3a856b7d606d3606dc5dffa8f4065e9c920ed7ab

SHA256
0f87f1cf57f5c29713b90eb32a68572e44b4f0638c21dd7002526c037d0d78eb

SHA512
e1e7a3c2e1fafa33a6bcbac6404615eafe7059c665887c49830152858087145a595e4a3afa87eceff7c79dd124a2818110be591b93e083e7f7f9b4e942728c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp

Filesize
1KB

MD5
f2c48d0b4065b9b6f0c57916436385a3

SHA1
890096adabf66792a3a9bee4e16f4b7062b23876

SHA256
3ea8f21af4fe4d67dffa6f7fab08322ee91ace1fb5e0ccdf793db268795e4614

SHA512
0a26a8d228f80bcfe1eaee332abdebd9b422bdafd822697aeafb1d57967d674d497e9582889133d67ba97f6a3ac22d613bb909163cdf475893538f3c601abc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe

Filesize
69KB

MD5
0dda7546fa4191f63d9e6ec287737048

SHA1
6a787a4bafae5cf50cf1226a3b19981b89f144d8

SHA256
496df744057714699bed70787c5419937099f52a0e6f382172cb26b2e510197c

SHA512
d4dee4c9269ea7834ed831e802307d58eb82b7b86d67deb868748f51dbe9f138dfb29e046edda8f938c31728ecd9bfbd581b89a8670e32ca542cb275eccdc47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aasvnkpl.goc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5apnlrn\g5apnlrn.dll

Filesize
3KB

MD5
ea3c515c54fd4594645b744d778c55b5

SHA1
fa5f94a4cdf9d75997cfe7238a7155b16bf972b7

SHA256
62b660e7f5c95247da8b7839342aaca89b23775be9060aba902620f01a470148

SHA512
285729794c0f734352b1907771bc394621be80c08818f34d2ade4317e5cdfb93a07905aa64dc6069383afc360a266b2715ac6d5f7f3124ffd31c42d60a78fdf5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5apnlrn\CSCB4B13DD505242AF982A6EF58049891C.TMP

Filesize
652B

MD5
bb4bcf7e3d9ed0d638142f42facb8c9a

SHA1
50e1a7b838f775f1ca290e5f4b50133067558582

SHA256
64a31b0e6d4ccb639cd1c033254b37e96cb38343bfd1f23c9c118af36338dd3a

SHA512
b1b842646e7a18e1da022375ebc7b2a8a3792409ba91be7c20a7294a2ec998382c02c32f0b86dde5f029e584ecee701af64e4ecf0a7699096ec7d13c64f3e853

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5apnlrn\g5apnlrn.0.cs

Filesize
298B

MD5
d2dd7b143c5631aa598407bbe81ef5db

SHA1
a5c77b81db6300d7a7eb424875c96e2611d42d83

SHA256
b3ccd5d9083909c89f8201c421434ec38280c051597b5414559c1df7fcf31cfe

SHA512
bd2cc89e16b2d9ffee6e8e32c9474acd2ba1f9db187b26aa0c9dbde8b7e58476e96756cb6d6d46e8b18b7e1c936d4febc093196e690e35f2002c7da6331fbb62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5apnlrn\g5apnlrn.cmdline

Filesize
369B

MD5
8556d722c9b63c25f719d49dfea9f908

SHA1
6919072949e83c0961de73cf01ffee2f77c5adfc

SHA256
95de81860b98efbab8a6d19ac965ecfd0cf69a55193d39b510fca29d1c70cab7

SHA512
2b0c5f1af5fe10459c8abcedfdd25ee00a66c5a323f603ce21e5386f4216c35460dbbfd72fe486afcddc51d24807d34c562b9e1eb83dfeaf1f0bd23e889c3387

Download Submit
memory/1140-38-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/4796-15-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-25-0x00000253D8570000-0x00000253D8578000-memory.dmp

Filesize
32KB

Download
memory/4796-0-0x00007FFDC8C33000-0x00007FFDC8C35000-memory.dmp

Filesize
8KB

Download
memory/4796-11-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-10-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-80-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-9-0x00000253D8580000-0x00000253D85A2000-memory.dmp

Filesize
136KB

Download
memory/4796-83-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download