xworm | d92def7b4ba902ff2e9467e32f042557486c706ffdcff96a669650f3441c7450

Analysis

max time kernel
53s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowshost.exe
Size

38KB
MD5

20a1f199b70f7c54359e7d957d2f90c6
SHA1

3a0cb097aff88246942c92566bc234fc3102841d
SHA256

d92def7b4ba902ff2e9467e32f042557486c706ffdcff96a669650f3441c7450
SHA512

1876d5529b8e20b94a5589e70b846bf01b6fea6f1fa2b06f17806f125ea6a26f7fe1c0050fca7460484c3623d571a4dac81bff28f7285a63c626f2a67567bfa5
SSDEEP

768:cV+IESzfTvZEz5G7nSthO/i7FWP59WnyOMhQaQko:cs7iZO5XqiFK9WnyOMqh

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

america-surrey.gl.at.ply.gg:54338

Mutex

olCaDHtbRycoMsoN

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1708-1-0x00000000006E0000-0x00000000006F0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	windowshost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	windowshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3176	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2764	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	windowshost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	windowshost.exe
Token: SeDebugPrivilege	1708	windowshost.exe
Token: SeDebugPrivilege	2764	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1708	windowshost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1708	windowshost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2764	1708	windowshost.exe	96
PID 1708 wrote to memory of 2764	1708	windowshost.exe	96
PID 1708 wrote to memory of 2916	1708	windowshost.exe	98
PID 1708 wrote to memory of 2916	1708	windowshost.exe	98
PID 2916 wrote to memory of 3176	2916	cmd.exe	100
PID 2916 wrote to memory of 3176	2916	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\windowshost.exe
"C:\Users\Admin\AppData\Local\Temp\windowshost.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp507C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp507C.tmp.bat

Filesize
163B

MD5
14216929a621cccf1aa91ed52b5f0de1

SHA1
e836d1f048aabb572dfa7d8b940519d4a9b0a395

SHA256
16a29916daea080e11d925b59a48c5fe6abf0fff3497246e2ea057a8a1db9a5a

SHA512
8313d319980a40cea997557e501eb1124e127d7285ad5005a64ea2983649ec00243c399af27da07be48b837b965719f36fb05ae679a141047563cf7995352abf

Download Submit
memory/1708-0-0x00007FF901873000-0x00007FF901875000-memory.dmp

Filesize
8KB

Download
memory/1708-1-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1708-6-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/1708-7-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/1708-8-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/1708-9-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/1708-17-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download