xworm | 830a8850179510edc23d3f8f6a9d589c6e671165ec421761a28945bcee5a714b

Analysis

max time kernel
1560s
max time network
1561s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sda.exe
Size

7.6MB
MD5

2f9007000a22245b8f2ca5328bda6559
SHA1

f0e3a4e403d001059b5d028dbf2841f7e31a8d18
SHA256

830a8850179510edc23d3f8f6a9d589c6e671165ec421761a28945bcee5a714b
SHA512

65dcb282965b76f8cd6e9a5ce10b06a55ca2369ec72b7838a1e82fac4b193a7eb80cc0fd7c43c7b55e2ff6839e60771e578b393414f6ef516680277b63ffbeeb
SSDEEP

196608:h1wuNAHvQxejeXNzFK5KS1f6CiyZr/XTy1mjVjFGmossw:hd0vQIjWNxK5i2/XTymGmJ

Score

10^/10

xworm execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.23:53631

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000010300-5.dat	family_xworm
behavioral1/memory/2548-7-0x0000000001160000-0x0000000001172000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2540	powershell.exe
2476	powershell.exe
2152	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 4 IoCs

pid	Process
2548	XClient.exe
2572	Test.exe
2772	Test.exe
1236	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
1624	sda.exe
2572	Test.exe
2772	Test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019450-37.dat	upx
behavioral1/memory/2772-40-0x000007FEF2330000-0x000007FEF2993000-memory.dmp	upx
behavioral1/memory/2772-64-0x000007FEF2330000-0x000007FEF2993000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2992	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2540	powershell.exe
2476	powershell.exe
2152	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	Test.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	XClient.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2548	1624	sda.exe	29
PID 1624 wrote to memory of 2548	1624	sda.exe	29
PID 1624 wrote to memory of 2548	1624	sda.exe	29
PID 1624 wrote to memory of 2572	1624	sda.exe	30
PID 1624 wrote to memory of 2572	1624	sda.exe	30
PID 1624 wrote to memory of 2572	1624	sda.exe	30
PID 2572 wrote to memory of 2772	2572	Test.exe	31
PID 2572 wrote to memory of 2772	2572	Test.exe	31
PID 2572 wrote to memory of 2772	2572	Test.exe	31
PID 2548 wrote to memory of 2540	2548	XClient.exe	32
PID 2548 wrote to memory of 2540	2548	XClient.exe	32
PID 2548 wrote to memory of 2540	2548	XClient.exe	32
PID 2548 wrote to memory of 2476	2548	XClient.exe	34
PID 2548 wrote to memory of 2476	2548	XClient.exe	34
PID 2548 wrote to memory of 2476	2548	XClient.exe	34
PID 2548 wrote to memory of 2152	2548	XClient.exe	36
PID 2548 wrote to memory of 2152	2548	XClient.exe	36
PID 2548 wrote to memory of 2152	2548	XClient.exe	36
PID 2548 wrote to memory of 584	2548	XClient.exe	38
PID 2548 wrote to memory of 584	2548	XClient.exe	38
PID 2548 wrote to memory of 584	2548	XClient.exe	38
PID 2548 wrote to memory of 564	2548	XClient.exe	41
PID 2548 wrote to memory of 564	2548	XClient.exe	41
PID 2548 wrote to memory of 564	2548	XClient.exe	41
PID 2548 wrote to memory of 1812	2548	XClient.exe	43
PID 2548 wrote to memory of 1812	2548	XClient.exe	43
PID 2548 wrote to memory of 1812	2548	XClient.exe	43
PID 1812 wrote to memory of 2992	1812	cmd.exe	45
PID 1812 wrote to memory of 2992	1812	cmd.exe	45
PID 1812 wrote to memory of 2992	1812	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sda.exe
"C:\Users\Admin\AppData\Local\Temp\sda.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:584
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    PID:564
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp732D.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2992
- C:\Users\Admin\AppData\Roaming\Test.exe
  "C:\Users\Admin\AppData\Roaming\Test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Roaming\Test.exe
    "C:\Users\Admin\AppData\Roaming\Test.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25722\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp732D.tmp.bat

Filesize
156B

MD5
822813d895b2b8ee46b298f953127d04

SHA1
13cff486c2135759683761205769742c8940a268

SHA256
2b98ea173ad71e0cbce789eb168f442561cd7b2853c6d0f1bbbbe32bf1459eb5

SHA512
a6aea89a88bfde97e463587ab7430ba6be37256d70e30243fd22dda47296fa06b6a3d267545669cc78953b4f4d70b6adbae6fa21d4f7b160fefe1a14cb3f49ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f60cdcbaa4ad1940ea2b53c3ac6be3ee

SHA1
5528d8ad7d5caa6e3d999bf53a0fe08e6753cb7a

SHA256
72187c49275bdc34ee4de6a0e741645ff4e5721e6c55670b907f7d9b1fcce767

SHA512
47e0c51d05886d13700247ee3fb1e7f426ca02728a6cad6e8078e34ead5fd274d72c1018085d0ab16bf88232d2c4ac37cb8ccfc44d3dd51f609a52881dc81c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Test.exe

Filesize
7.6MB

MD5
e58a5970c9d1f7f7fd7c87488cf0245a

SHA1
b00bff176f4a4ad149e64bbf69ed5b992fdd9ec7

SHA256
2505414e8b39be413fd09aeb0a25697b3bfba68fec5ab219c6dbdf12a2ef2a7c

SHA512
a3ca2024ab29b3ce33bdf7b5638f432867ca5f7fec70ec8e32690f7f25b26ebefb649baeb28e03176adf9c7ea8c9e38e1542b66990d9c00daea19e96b407d5f2

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
43KB

MD5
7e71f66eb4bd975fa6894f7be63d9de7

SHA1
a0b6a69adffde7a5209498ce1656f0d406da9204

SHA256
89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1

SHA512
5a776de6708ffa802700febe9a6a1cd95cd907f8d435c7ea28644c3c31565e373223b8db05ca142cb5bdc0d13745fba03099edbfc2fe7f9095232a997cdf6bf1

Download Submit
memory/1624-1-0x00000000001F0000-0x000000000099A000-memory.dmp

Filesize
7.7MB

Download
memory/1624-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2476-52-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2476-53-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2540-46-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2540-45-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-63-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-61-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-7-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/2548-65-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-38-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-75-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-40-0x000007FEF2330000-0x000007FEF2993000-memory.dmp

Filesize
6.4MB

Download
memory/2772-64-0x000007FEF2330000-0x000007FEF2993000-memory.dmp

Filesize
6.4MB

Download