xworm | 7836ed81b575e364b75dfaea40971da1de436cbd33364d149df3dbc7ce7b5e42

Analysis

max time kernel
32s
max time network
33s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SоlаraV3.exe
Size

326KB
MD5

940f68edc497b2364f7751a06e5005c3
SHA1

243867ca7db62c2523dc208056747803308367fd
SHA256

7836ed81b575e364b75dfaea40971da1de436cbd33364d149df3dbc7ce7b5e42
SHA512

c9ad27a4407afdfa3130ccdea30b739bfdfae14e04010b65cf0850b49045d1614eb1b9a47be111d1c1d67ff0f94020208369d28d1ed7e6f038a574a183103f40
SSDEEP

6144:SWUovnLzJmE8O2hWbocJIJytNrlrqowMCjNthw66kIOpWWv7MO/:SWUovH4E8fkLIJkqNIjqW6t

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:3566

college-quarter.gl.at.ply.gg:3566

Attributes

Install_directory
%LocalAppData%
install_file
Bootstraper.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012263-5.dat	family_xworm
behavioral1/memory/2348-8-0x0000000000DB0000-0x0000000000DC6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2348	Solara.exe
2900	Bootstrapper.exe
1248	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
2376	SоlаraV3.exe
1872	Process not Found
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2744	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	Solara.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: SeDebugPrivilege	2900	Bootstrapper.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2348	2376	SоlаraV3.exe	31
PID 2376 wrote to memory of 2348	2376	SоlаraV3.exe	31
PID 2376 wrote to memory of 2348	2376	SоlаraV3.exe	31
PID 2376 wrote to memory of 2900	2376	SоlаraV3.exe	32
PID 2376 wrote to memory of 2900	2376	SоlаraV3.exe	32
PID 2376 wrote to memory of 2900	2376	SоlаraV3.exe	32
PID 2900 wrote to memory of 2880	2900	Bootstrapper.exe	34
PID 2900 wrote to memory of 2880	2900	Bootstrapper.exe	34
PID 2900 wrote to memory of 2880	2900	Bootstrapper.exe	34
PID 2880 wrote to memory of 2744	2880	cmd.exe	36
PID 2880 wrote to memory of 2744	2880	cmd.exe	36
PID 2880 wrote to memory of 2744	2880	cmd.exe	36
PID 2900 wrote to memory of 2872	2900	Bootstrapper.exe	37
PID 2900 wrote to memory of 2872	2900	Bootstrapper.exe	37
PID 2900 wrote to memory of 2872	2900	Bootstrapper.exe	37
PID 2872 wrote to memory of 2704	2872	cmd.exe	39
PID 2872 wrote to memory of 2704	2872	cmd.exe	39
PID 2872 wrote to memory of 2704	2872	cmd.exe	39
PID 2900 wrote to memory of 3064	2900	Bootstrapper.exe	41
PID 2900 wrote to memory of 3064	2900	Bootstrapper.exe	41
PID 2900 wrote to memory of 3064	2900	Bootstrapper.exe	41

C:\Users\Admin\AppData\Local\Temp\SоlаraV3.exe
"C:\Users\Admin\AppData\Local\Temp\SоlаraV3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2744
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2704
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2900 -s 1124
    3⤵
    - Loads dropped DLL
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
65KB

MD5
9fd4b31c5e12879b9e0f3fa48ff88081

SHA1
90dd044eb4e5ad488072bcc1008edcf0071b3842

SHA256
47b3fc39d4f9bf58f5921140f9fc4eb0f74af42b57058a66966e3e15a1796aa0

SHA512
4220194debd7c2c7b9818aa97cbb7ba82c7caf1bba590edd3900994f99e9af7d971ec2478f34d3854f41fa53a2ca0f8114ac9517cc821813f520782f81e95581

Download Submit
memory/2348-8-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download
memory/2348-15-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-20-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-26-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x000000013FAE0000-0x000000013FB36000-memory.dmp

Filesize
344KB

Download
memory/2376-13-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-16-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2900-18-0x0000000001320000-0x00000000013EE000-memory.dmp

Filesize
824KB

Download