xworm | ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f

Analysis

max time kernel
128s
max time network
137s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
Size

691KB
MD5

cd0e4ac274a929010fed125c319c3e69
SHA1

cc530ce42f9b3024cf491eef61dfbf4dcd905176
SHA256

ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f
SHA512

b5fd740e1ceff2a6d999f5e6fb0ac89fc74ce61aa58eae5526ede9ab0001eeecc26ef1ad80d6e501a4121b4e5a2cacd19d7e52488b895b283c26cd1d94ea4c18
SSDEEP

12288:qTfdqmnKE2pb57I+xdvCss0BW9T3PG6dWHb:qv2t5s+qj049DGAW7

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

pkaraven.duckdns.org:9387

Mutex

AXupjNCu673XjSaT

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1456-30-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/1456-29-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/1456-28-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/1456-25-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/1456-23-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe
2192	powershell.exe
2860	powershell.exe
2756	powershell.exe
1932	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.lnk	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.lnk	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe

Loads dropped DLL 1 IoCs

pid	Process
1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
2860	powershell.exe
2192	powershell.exe
2756	powershell.exe
1932	powershell.exe
2384	powershell.exe
1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
Token: SeDebugPrivilege	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2192	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	31
PID 2876 wrote to memory of 2192	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	31
PID 2876 wrote to memory of 2192	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	31
PID 2876 wrote to memory of 2192	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	31
PID 2876 wrote to memory of 2860	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	33
PID 2876 wrote to memory of 2860	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	33
PID 2876 wrote to memory of 2860	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	33
PID 2876 wrote to memory of 2860	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	33
PID 2876 wrote to memory of 2092	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	34
PID 2876 wrote to memory of 2092	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	34
PID 2876 wrote to memory of 2092	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	34
PID 2876 wrote to memory of 2092	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	34
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 2876 wrote to memory of 1456	2876	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	37
PID 1456 wrote to memory of 2756	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	38
PID 1456 wrote to memory of 2756	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	38
PID 1456 wrote to memory of 2756	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	38
PID 1456 wrote to memory of 2756	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	38
PID 1456 wrote to memory of 1932	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	40
PID 1456 wrote to memory of 1932	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	40
PID 1456 wrote to memory of 1932	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	40
PID 1456 wrote to memory of 1932	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	40
PID 1456 wrote to memory of 2384	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	42
PID 1456 wrote to memory of 2384	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	42
PID 1456 wrote to memory of 2384	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	42
PID 1456 wrote to memory of 2384	1456	ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe	42

C:\Users\Admin\AppData\Local\Temp\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
"C:\Users\Admin\AppData\Local\Temp\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uuWsHcHRt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uuWsHcHRt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDF0.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe
  "C:\Users\Admin\AppData\Local\Temp\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDDF0.tmp

Filesize
1KB

MD5
acb9767d0d5de577e7f67572c2047f14

SHA1
4e1985f192fbb2b59cc1305d3995e402bd205bd0

SHA256
5be9237a47c33182106f6c8bdb26b80c4d69a286ce4ece28dd4144f9e52d86e1

SHA512
7dc7eab6887af7fa1ec20887dcc0bf512283ae28b0a90067a8b87ae2bc98cd79cbe5667f0497dd44b69ff136e18b60a01fa96fe58c4fdf91eda4244bbdd8fef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
47fa26b9804c72cd45c9b5aecc5a5c07

SHA1
6cce8e2d727bfe2290a3239f72c281ec03612d25

SHA256
2367201c4d460208678aae867bb1983a0a84961032582f613d928bb2b081bb9c

SHA512
920817bebda457075c6f29425aeba1efef131072ae01bf4a2593d13b3406e013fb2d957c5b68b8440afbc956634640dfc865130f57e53373401501076da39956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4980c83ba0361fc1300ef3db9bf729e6

SHA1
6dea42eda132852cdbd73ae41d13a4afb5764241

SHA256
feced9feed59c8272965aeb8a55b53287847858bdf7e146c4497bc8cd7afd0c6

SHA512
c7c5084c83233818ed635b494c6e6d15ec5869d3dd541a61f059f90771f97aad020456e6296fae8fd72cf86938639ae6a9953e736b83e30af6c7256825009939

Download Submit
\Users\Admin\AppData\Roaming\ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f.exe

Filesize
691KB

MD5
cd0e4ac274a929010fed125c319c3e69

SHA1
cc530ce42f9b3024cf491eef61dfbf4dcd905176

SHA256
ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f

SHA512
b5fd740e1ceff2a6d999f5e6fb0ac89fc74ce61aa58eae5526ede9ab0001eeecc26ef1ad80d6e501a4121b4e5a2cacd19d7e52488b895b283c26cd1d94ea4c18

Download Submit
memory/1456-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-6-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/2876-4-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2876-5-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2876-31-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-3-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2876-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-1-0x00000000011D0000-0x0000000001282000-memory.dmp

Filesize
712KB

Download