xworm | 91a2b73583a677271296fc0a00b2aa2088d49e5b7ab149846e03d576349abf83

Analysis

max time kernel
575s
max time network
585s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gwg.exe
Size

67KB
MD5

71dff4bce7c9df88ee150794ad9ac897
SHA1

130ef6f9426c956b754d09e08fe879b9ac89e73f
SHA256

91a2b73583a677271296fc0a00b2aa2088d49e5b7ab149846e03d576349abf83
SHA512

739d94ccdc5b2bb758555138054633261d1d4efb07ebd5dfc0870bba4946f36d3d3fa949cffaa98391941fcad876f9f66fb67feb148667d5f0153f125aae34c0
SSDEEP

1536:FTt2UoRi4p3VYOfB3IrB7HX9OuV+bOdijpEi0Ol7/ciXd:z2UohHI1ok+boiGi0OlrcW

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

il-putting.gl.at.ply.gg:28246

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/memory/2396-1-0x00000000003F0000-0x0000000000408000-memory.dmp	family_xworm
behavioral1/files/0x000900000001749c-6.dat	family_xworm
behavioral1/memory/2244-10-0x0000000000C70000-0x0000000000C88000-memory.dmp	family_xworm
behavioral1/memory/696-13-0x0000000000210000-0x0000000000228000-memory.dmp	family_xworm
behavioral1/memory/2188-15-0x0000000000130000-0x0000000000148000-memory.dmp	family_xworm
behavioral1/memory/2840-17-0x0000000001130000-0x0000000001148000-memory.dmp	family_xworm
behavioral1/memory/1824-20-0x00000000012D0000-0x00000000012E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 10 IoCs

pid	Process
2584	system64
2244	system64
828	system64
696	system64
2188	system64
2840	system64
2340	system64
1824	system64
2872	system64
1580	system64

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2396	gwg.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	gwg.exe
Token: SeDebugPrivilege	2396	gwg.exe
Token: SeDebugPrivilege	2584	system64
Token: SeDebugPrivilege	2244	system64
Token: SeDebugPrivilege	828	system64
Token: SeDebugPrivilege	696	system64
Token: SeDebugPrivilege	2188	system64
Token: SeDebugPrivilege	2840	system64
Token: SeDebugPrivilege	2340	system64
Token: SeDebugPrivilege	1824	system64
Token: SeDebugPrivilege	2872	system64
Token: SeDebugPrivilege	1580	system64

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2396	gwg.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2616	2396	gwg.exe	31
PID 2396 wrote to memory of 2616	2396	gwg.exe	31
PID 2396 wrote to memory of 2616	2396	gwg.exe	31
PID 2868 wrote to memory of 2584	2868	taskeng.exe	34
PID 2868 wrote to memory of 2584	2868	taskeng.exe	34
PID 2868 wrote to memory of 2584	2868	taskeng.exe	34
PID 2868 wrote to memory of 2244	2868	taskeng.exe	35
PID 2868 wrote to memory of 2244	2868	taskeng.exe	35
PID 2868 wrote to memory of 2244	2868	taskeng.exe	35
PID 2868 wrote to memory of 828	2868	taskeng.exe	36
PID 2868 wrote to memory of 828	2868	taskeng.exe	36
PID 2868 wrote to memory of 828	2868	taskeng.exe	36
PID 2868 wrote to memory of 696	2868	taskeng.exe	37
PID 2868 wrote to memory of 696	2868	taskeng.exe	37
PID 2868 wrote to memory of 696	2868	taskeng.exe	37
PID 2868 wrote to memory of 2188	2868	taskeng.exe	38
PID 2868 wrote to memory of 2188	2868	taskeng.exe	38
PID 2868 wrote to memory of 2188	2868	taskeng.exe	38
PID 2868 wrote to memory of 2840	2868	taskeng.exe	39
PID 2868 wrote to memory of 2840	2868	taskeng.exe	39
PID 2868 wrote to memory of 2840	2868	taskeng.exe	39
PID 2868 wrote to memory of 2340	2868	taskeng.exe	40
PID 2868 wrote to memory of 2340	2868	taskeng.exe	40
PID 2868 wrote to memory of 2340	2868	taskeng.exe	40
PID 2868 wrote to memory of 1824	2868	taskeng.exe	41
PID 2868 wrote to memory of 1824	2868	taskeng.exe	41
PID 2868 wrote to memory of 1824	2868	taskeng.exe	41
PID 2868 wrote to memory of 2872	2868	taskeng.exe	42
PID 2868 wrote to memory of 2872	2868	taskeng.exe	42
PID 2868 wrote to memory of 2872	2868	taskeng.exe	42
PID 2868 wrote to memory of 1580	2868	taskeng.exe	43
PID 2868 wrote to memory of 1580	2868	taskeng.exe	43
PID 2868 wrote to memory of 1580	2868	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gwg.exe
"C:\Users\Admin\AppData\Local\Temp\gwg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system64" /tr "C:\Users\Admin\system64"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {B6E1FA03-D655-4207-9714-15D1B8F903E4} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Users\Admin\system64
  C:\Users\Admin\system64
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\system64

Filesize
67KB

MD5
71dff4bce7c9df88ee150794ad9ac897

SHA1
130ef6f9426c956b754d09e08fe879b9ac89e73f

SHA256
91a2b73583a677271296fc0a00b2aa2088d49e5b7ab149846e03d576349abf83

SHA512
739d94ccdc5b2bb758555138054633261d1d4efb07ebd5dfc0870bba4946f36d3d3fa949cffaa98391941fcad876f9f66fb67feb148667d5f0153f125aae34c0

Download Submit
memory/696-13-0x0000000000210000-0x0000000000228000-memory.dmp

Filesize
96KB

Download
memory/1824-20-0x00000000012D0000-0x00000000012E8000-memory.dmp

Filesize
96KB

Download
memory/2188-15-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/2244-10-0x0000000000C70000-0x0000000000C88000-memory.dmp

Filesize
96KB

Download
memory/2396-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x00000000003F0000-0x0000000000408000-memory.dmp

Filesize
96KB

Download
memory/2396-3-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-4-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2396-8-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-17-0x0000000001130000-0x0000000001148000-memory.dmp

Filesize
96KB

Download