xworm | 9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

bf265e0055178b2aa642fc6df2ae5f40
SHA1

f692cbf19ecf33a48ddefa2b615ea979fa5633b4
SHA256

9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642
SHA512

c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d
SSDEEP

12288:BCQdkpj9XCQR9Fo+lSEr/CAcHqpxr0H8totz8LfAz1uviBCGG4HgoKQJZNL:BVdujt9pAE0+rMN8LYzcyTAqJZNL

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1104-359-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/1104-361-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/1104-362-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2264 created 1388	2264	Horizon.pif	21
PID 2264 created 1388	2264	Horizon.pif	21

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2264	Horizon.pif
1104	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2008	cmd.exe
2264	Horizon.pif
1104	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1804	tasklist.exe
896	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EmotionalCnet	file.exe
File opened for modification	C:\Windows\NigerMauritius	file.exe
File opened for modification	C:\Windows\MiddleOrganize	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Horizon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif
1104	RegAsm.exe
2264	Horizon.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	tasklist.exe
Token: SeDebugPrivilege	896	tasklist.exe
Token: SeDebugPrivilege	1104	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2264	Horizon.pif
2264	Horizon.pif
2264	Horizon.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1104	RegAsm.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2008	1116	file.exe	31
PID 1116 wrote to memory of 2008	1116	file.exe	31
PID 1116 wrote to memory of 2008	1116	file.exe	31
PID 1116 wrote to memory of 2008	1116	file.exe	31
PID 2008 wrote to memory of 1804	2008	cmd.exe	33
PID 2008 wrote to memory of 1804	2008	cmd.exe	33
PID 2008 wrote to memory of 1804	2008	cmd.exe	33
PID 2008 wrote to memory of 1804	2008	cmd.exe	33
PID 2008 wrote to memory of 1368	2008	cmd.exe	34
PID 2008 wrote to memory of 1368	2008	cmd.exe	34
PID 2008 wrote to memory of 1368	2008	cmd.exe	34
PID 2008 wrote to memory of 1368	2008	cmd.exe	34
PID 2008 wrote to memory of 896	2008	cmd.exe	36
PID 2008 wrote to memory of 896	2008	cmd.exe	36
PID 2008 wrote to memory of 896	2008	cmd.exe	36
PID 2008 wrote to memory of 896	2008	cmd.exe	36
PID 2008 wrote to memory of 2032	2008	cmd.exe	37
PID 2008 wrote to memory of 2032	2008	cmd.exe	37
PID 2008 wrote to memory of 2032	2008	cmd.exe	37
PID 2008 wrote to memory of 2032	2008	cmd.exe	37
PID 2008 wrote to memory of 572	2008	cmd.exe	38
PID 2008 wrote to memory of 572	2008	cmd.exe	38
PID 2008 wrote to memory of 572	2008	cmd.exe	38
PID 2008 wrote to memory of 572	2008	cmd.exe	38
PID 2008 wrote to memory of 1212	2008	cmd.exe	39
PID 2008 wrote to memory of 1212	2008	cmd.exe	39
PID 2008 wrote to memory of 1212	2008	cmd.exe	39
PID 2008 wrote to memory of 1212	2008	cmd.exe	39
PID 2008 wrote to memory of 1360	2008	cmd.exe	40
PID 2008 wrote to memory of 1360	2008	cmd.exe	40
PID 2008 wrote to memory of 1360	2008	cmd.exe	40
PID 2008 wrote to memory of 1360	2008	cmd.exe	40
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2036	2008	cmd.exe	42
PID 2008 wrote to memory of 2036	2008	cmd.exe	42
PID 2008 wrote to memory of 2036	2008	cmd.exe	42
PID 2008 wrote to memory of 2036	2008	cmd.exe	42
PID 2264 wrote to memory of 2760	2264	Horizon.pif	43
PID 2264 wrote to memory of 2760	2264	Horizon.pif	43
PID 2264 wrote to memory of 2760	2264	Horizon.pif	43
PID 2264 wrote to memory of 2760	2264	Horizon.pif	43
PID 2264 wrote to memory of 2884	2264	Horizon.pif	45
PID 2264 wrote to memory of 2884	2264	Horizon.pif	45
PID 2264 wrote to memory of 2884	2264	Horizon.pif	45
PID 2264 wrote to memory of 2884	2264	Horizon.pif	45
PID 2760 wrote to memory of 2936	2760	cmd.exe	47
PID 2760 wrote to memory of 2936	2760	cmd.exe	47
PID 2760 wrote to memory of 2936	2760	cmd.exe	47
PID 2760 wrote to memory of 2936	2760	cmd.exe	47
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48
PID 2264 wrote to memory of 1104	2264	Horizon.pif	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:896
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 609587
      4⤵
      System Location Discovery: System Language Discovery
      PID:572
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "outputdiffswalnutcontainer" Sufficient
      4⤵
      System Location Discovery: System Language Discovery
      PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
      4⤵
      System Location Discovery: System Language Discovery
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif
      Horizon.pif k
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1104
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\609587\k

Filesize
223KB

MD5
9c3ccfc1b85ec90de741f82334ec5c13

SHA1
cdb55d03f47197ac3c1556de854384e25a161285

SHA256
08e08296d2da025e5fd84c3ad002a83af525149d56b5d9a24f75a6d080bbea58

SHA512
9b567d773421bf3a84a56911c86589225c1faaad1391063bac65495a0287798a28b764da81c44596cc9c69f7673233876292fd172bbcdad4ce91f391042912c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chef

Filesize
64KB

MD5
4929feb5427b3e00555c7cebeb73ab46

SHA1
a48cf5e4a6e44bba30589f5cf96536a3a007141b

SHA256
8faea441687488ed8da8773c1acf4f6ba847b42359716d1275fe44100fc46cd9

SHA512
a13ce8842a46e19c436558f51de82ae036b520182a042865c3c625cdb6c4c9bee4ba7f914cf0feac67685e6f299ceaea2008b3255b0868c0d5f414c07b32e43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combine

Filesize
85KB

MD5
dad5d9394613487c0825ad87374a4a96

SHA1
806d908a747487b4693b1dc7598c66670b342cac

SHA256
81887327e72b9233e2a002ed8d4557669f3305a60fc4ab45b3cb37257798c42c

SHA512
f0a5e4051f24360bdf6d7f969d187ab848e42906878a33f960c72dfa28a7ed48540eb59dc28ae0691ba7771aae501387221e1549bf71e24c9f850c05e6513418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dragon

Filesize
13KB

MD5
8f99511bc647d62d0ab24676ffbf1f81

SHA1
ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb

SHA256
3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6

SHA512
9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sufficient

Filesize
7KB

MD5
b3b46c8e223bde8e40e6628db25523c9

SHA1
b1fe51169b519463044c613d4f3edf9c26115dac

SHA256
d0fa12b632138baed0239d8da41e60ae5e9d08c4ab7de774bea56741e8bd9a09

SHA512
e426f66a18ec6c5471908520a81d8f0e6b14b48841f96da6a5480603dddf65be6e56ed44a0411f5a3387f387a0a5ef3e651f90f4398d1643665330428db9263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transportation

Filesize
74KB

MD5
30a3404783a2d7652e29d645628b04c9

SHA1
aaf37b72d13c697276b34e323ca1bd00fc243cdf

SHA256
5b264df9d00b5df6d976a76cca68f3fd70bc1c277344d6d8c16a024cebbcb9a6

SHA512
48d768d87b9ede55b34ec699fd223e7fab0b55cc8fcafcab28dede80dd235cbf2bd3e9429f1533d6f891ddff1221f9d8c7cefb15bce8b155322ee97981d23eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Traveling

Filesize
864KB

MD5
4546bdeea370b865f80ba3e523b3ade7

SHA1
7118f8844c1f938d3e00b5c50624d995ee01236a

SHA256
ade4df61ada81439b176e2b32f970ec6a0697c959e3d75c0e40eea07813ed930

SHA512
1c031f1a10e0080a3f5ed1359ebc05d214c8aa19a760ea05bb1008f3f1ee37d119f60ccd6c98c20044647711beb4f62c49a936b88199066dccceb9d741a1adb5

Download Submit
\Users\Admin\AppData\Local\Temp\609587\Horizon.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1104-359-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1104-361-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1104-362-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download