xworm | 36f8beaf5de3dbab25f9bf1d27f215c3732eaef957623c0bf594e2d85296828d

Analysis

max time kernel
10s
max time network
12s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-11-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uzTbbLmYiV.exe
Size

178KB
MD5

76b12cd4302486469df2508f8e422205
SHA1

52321aa15bf417250ac687f19813e06519dfcdfa
SHA256

36f8beaf5de3dbab25f9bf1d27f215c3732eaef957623c0bf594e2d85296828d
SHA512

550a1c51bbd4ebd7135b43a49c959c8c5fb6ee4876023714a84a7f9e72520ef383b4241529238e20d28fa4da0b72f190729f11390457266cc143ad488e257009
SSDEEP

3072:19DdRKBQ8z6Ar7Hpo14eySdn5fZjSKndN9hFWPA1BZnfcgo1Qs08L:1hdRKBQ82LdbvfxSKnphBNneQs

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

23.ip.gl.ply.gg:39090

Mutex

Rh1oxiSykAHNyfxM

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0029000000045030-16.dat	family_xworm
behavioral1/memory/2560-27-0x0000000000CC0000-0x0000000000CCE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	uzTbbLmYiV.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	uzTbbLmYiV.exe
2560	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1692	536	uzTbbLmYiV.exe	81
PID 536 wrote to memory of 1692	536	uzTbbLmYiV.exe	81
PID 536 wrote to memory of 2560	536	uzTbbLmYiV.exe	83
PID 536 wrote to memory of 2560	536	uzTbbLmYiV.exe	83

C:\Users\Admin\AppData\Local\Temp\uzTbbLmYiV.exe
"C:\Users\Admin\AppData\Local\Temp\uzTbbLmYiV.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536
- C:\ProgramData\uzTbbLmYiV.exe
  "C:\ProgramData\uzTbbLmYiV.exe"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
33KB

MD5
a2923ce711e5ab693e7162ea82d32b9a

SHA1
5dac601c724e38b4be104a14cf4d261938a4dc96

SHA256
981decca70b75171ed9ed37452cc717f2c7f5b5d7bc602feffa7794e73b6ed65

SHA512
b3fe4b9be4d9f1f1c9e736f67de95ceca4b6ff58708c5d5924221e09bcb436b0789c22c828010f0832381ed24546d5ff0d1ffbf8038998af0a476fb063094ac4

Download Submit
C:\ProgramData\uzTbbLmYiV.exe

Filesize
135KB

MD5
ef48fe16e9ba2dde03906160f16e31cf

SHA1
9838bcc394937856e51d0a0b80a21382a02cb44a

SHA256
8d6b802360360237f5d99ed55ff011b5f7c4bfb59355f4a1db9bb0feb4904c16

SHA512
8f00944badc2ff44e14c51262e9f90d511e11e9fc9fe15d08b6e7a2c40744cf9c43a0cde5343802af7a9cba8af03b525c071e1d209341e71e34cdffd7fee0a02

Download Submit
memory/536-1-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/536-0-0x00007FFB6B5F3000-0x00007FFB6B5F5000-memory.dmp

Filesize
8KB

Download
memory/2560-27-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2560-28-0x00007FFB6B5F0000-0x00007FFB6C0B2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-30-0x00000000015A0000-0x00000000015CB000-memory.dmp

Filesize
172KB

Download
memory/2560-31-0x00007FFB6B5F0000-0x00007FFB6C0B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads