xworm | d92def7b4ba902ff2e9467e32f042557486c706ffdcff96a669650f3441c7450

Analysis

max time kernel
45s
max time network
53s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowshost.exe
Size

38KB
MD5

20a1f199b70f7c54359e7d957d2f90c6
SHA1

3a0cb097aff88246942c92566bc234fc3102841d
SHA256

d92def7b4ba902ff2e9467e32f042557486c706ffdcff96a669650f3441c7450
SHA512

1876d5529b8e20b94a5589e70b846bf01b6fea6f1fa2b06f17806f125ea6a26f7fe1c0050fca7460484c3623d571a4dac81bff28f7285a63c626f2a67567bfa5
SSDEEP

768:cV+IESzfTvZEz5G7nSthO/i7FWP59WnyOMhQaQko:cs7iZO5XqiFK9WnyOMqh

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

america-surrey.gl.at.ply.gg:54338

Mutex

olCaDHtbRycoMsoN

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2180-1-0x0000000000CC0000-0x0000000000CD0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	windowshost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	windowshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2060	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2596	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	windowshost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	windowshost.exe
Token: SeDebugPrivilege	2180	windowshost.exe
Token: SeDebugPrivilege	2596	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	windowshost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	windowshost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2596	2180	windowshost.exe	31
PID 2180 wrote to memory of 2596	2180	windowshost.exe	31
PID 2180 wrote to memory of 2596	2180	windowshost.exe	31
PID 2180 wrote to memory of 2200	2180	windowshost.exe	33
PID 2180 wrote to memory of 2200	2180	windowshost.exe	33
PID 2180 wrote to memory of 2200	2180	windowshost.exe	33
PID 2200 wrote to memory of 2060	2200	cmd.exe	35
PID 2200 wrote to memory of 2060	2200	cmd.exe	35
PID 2200 wrote to memory of 2060	2200	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\windowshost.exe
"C:\Users\Admin\AppData\Local\Temp\windowshost.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCFF.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCCFF.tmp.bat

Filesize
163B

MD5
a59769b198bed4d2ed6bd5f9bde8c869

SHA1
d7b526c32bae1c86c5de11e986bdc5ef7f8d0c8e

SHA256
580c7fc98bdc1f2e877551f2c3ae5c828be49c0b721e161fad15d98a848d0ea8

SHA512
a79cc1b8e0caf6735275be466ef98c6c3b96c99ae16392d6aead3477f10de892c8c9aa4a0f862cb08aa4e7475e3d8be8cc0741192c1d4168c084d63978c5c4b0

Download Submit
memory/2180-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/2180-6-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-7-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2180-8-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-9-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2180-21-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download