xworm | 7836ed81b575e364b75dfaea40971da1de436cbd33364d149df3dbc7ce7b5e42

Analysis

max time kernel
22s
max time network
19s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SоlаraV3.exe
Size

326KB
MD5

940f68edc497b2364f7751a06e5005c3
SHA1

243867ca7db62c2523dc208056747803308367fd
SHA256

7836ed81b575e364b75dfaea40971da1de436cbd33364d149df3dbc7ce7b5e42
SHA512

c9ad27a4407afdfa3130ccdea30b739bfdfae14e04010b65cf0850b49045d1614eb1b9a47be111d1c1d67ff0f94020208369d28d1ed7e6f038a574a183103f40
SSDEEP

6144:SWUovnLzJmE8O2hWbocJIJytNrlrqowMCjNthw66kIOpWWv7MO/:SWUovH4E8fkLIJkqNIjqW6t

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:3566

college-quarter.gl.at.ply.gg:3566

Attributes

Install_directory
%LocalAppData%
install_file
Bootstraper.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ab05-6.dat	family_xworm
behavioral1/memory/572-25-0x0000000000E00000-0x0000000000E16000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
572	Solara.exe
2560	Bootstrapper.exe

Loads dropped DLL 7 IoCs

pid	Process
2004	MsiExec.exe
2004	MsiExec.exe
3876	MsiExec.exe
3876	MsiExec.exe
3876	MsiExec.exe
3876	MsiExec.exe
3876	MsiExec.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	2588	msiexec.exe
15	2588	msiexec.exe
16	2588	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI523.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F3.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f174.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f174.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF84B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFE1.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC53F6227F99A69EF.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF84C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8D15DBF108371BB6.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
492	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2560	Bootstrapper.exe
2560	Bootstrapper.exe
2588	msiexec.exe
2588	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	Solara.exe
Token: SeIncreaseQuotaPrivilege	4832	WMIC.exe
Token: SeSecurityPrivilege	4832	WMIC.exe
Token: SeTakeOwnershipPrivilege	4832	WMIC.exe
Token: SeLoadDriverPrivilege	4832	WMIC.exe
Token: SeSystemProfilePrivilege	4832	WMIC.exe
Token: SeSystemtimePrivilege	4832	WMIC.exe
Token: SeProfSingleProcessPrivilege	4832	WMIC.exe
Token: SeIncBasePriorityPrivilege	4832	WMIC.exe
Token: SeCreatePagefilePrivilege	4832	WMIC.exe
Token: SeBackupPrivilege	4832	WMIC.exe
Token: SeRestorePrivilege	4832	WMIC.exe
Token: SeShutdownPrivilege	4832	WMIC.exe
Token: SeDebugPrivilege	4832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4832	WMIC.exe
Token: SeRemoteShutdownPrivilege	4832	WMIC.exe
Token: SeUndockPrivilege	4832	WMIC.exe
Token: SeManageVolumePrivilege	4832	WMIC.exe
Token: 33	4832	WMIC.exe
Token: 34	4832	WMIC.exe
Token: 35	4832	WMIC.exe
Token: 36	4832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4832	WMIC.exe
Token: SeSecurityPrivilege	4832	WMIC.exe
Token: SeTakeOwnershipPrivilege	4832	WMIC.exe
Token: SeLoadDriverPrivilege	4832	WMIC.exe
Token: SeSystemProfilePrivilege	4832	WMIC.exe
Token: SeSystemtimePrivilege	4832	WMIC.exe
Token: SeProfSingleProcessPrivilege	4832	WMIC.exe
Token: SeIncBasePriorityPrivilege	4832	WMIC.exe
Token: SeCreatePagefilePrivilege	4832	WMIC.exe
Token: SeBackupPrivilege	4832	WMIC.exe
Token: SeRestorePrivilege	4832	WMIC.exe
Token: SeShutdownPrivilege	4832	WMIC.exe
Token: SeDebugPrivilege	4832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4832	WMIC.exe
Token: SeRemoteShutdownPrivilege	4832	WMIC.exe
Token: SeUndockPrivilege	4832	WMIC.exe
Token: SeManageVolumePrivilege	4832	WMIC.exe
Token: 33	4832	WMIC.exe
Token: 34	4832	WMIC.exe
Token: 35	4832	WMIC.exe
Token: 36	4832	WMIC.exe
Token: SeDebugPrivilege	2560	Bootstrapper.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	2588	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeMachineAccountPrivilege	3576	msiexec.exe
Token: SeTcbPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeLoadDriverPrivilege	3576	msiexec.exe
Token: SeSystemProfilePrivilege	3576	msiexec.exe
Token: SeSystemtimePrivilege	3576	msiexec.exe
Token: SeProfSingleProcessPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3576	msiexec.exe
Token: SeCreatePagefilePrivilege	3576	msiexec.exe
Token: SeCreatePermanentPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 572	3504	SоlаraV3.exe	81
PID 3504 wrote to memory of 572	3504	SоlаraV3.exe	81
PID 3504 wrote to memory of 2560	3504	SоlаraV3.exe	82
PID 3504 wrote to memory of 2560	3504	SоlаraV3.exe	82
PID 2560 wrote to memory of 1512	2560	Bootstrapper.exe	84
PID 2560 wrote to memory of 1512	2560	Bootstrapper.exe	84
PID 1512 wrote to memory of 492	1512	cmd.exe	86
PID 1512 wrote to memory of 492	1512	cmd.exe	86
PID 2560 wrote to memory of 680	2560	Bootstrapper.exe	91
PID 2560 wrote to memory of 680	2560	Bootstrapper.exe	91
PID 680 wrote to memory of 4832	680	cmd.exe	93
PID 680 wrote to memory of 4832	680	cmd.exe	93
PID 2560 wrote to memory of 3576	2560	Bootstrapper.exe	94
PID 2560 wrote to memory of 3576	2560	Bootstrapper.exe	94
PID 2588 wrote to memory of 2004	2588	msiexec.exe	98
PID 2588 wrote to memory of 2004	2588	msiexec.exe	98
PID 2588 wrote to memory of 3876	2588	msiexec.exe	99
PID 2588 wrote to memory of 3876	2588	msiexec.exe	99
PID 2588 wrote to memory of 3876	2588	msiexec.exe	99

C:\Users\Admin\AppData\Local\Temp\SоlаraV3.exe
"C:\Users\Admin\AppData\Local\Temp\SоlаraV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:492
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4832
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2977D3B81882D995B0D1DC408D2928CC
  2⤵
  - Loads dropped DLL
  PID:2004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3DAB3B48AF8CA6B1A5A75B60015A8A59
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
65KB

MD5
9fd4b31c5e12879b9e0f3fa48ff88081

SHA1
90dd044eb4e5ad488072bcc1008edcf0071b3842

SHA256
47b3fc39d4f9bf58f5921140f9fc4eb0f74af42b57058a66966e3e15a1796aa0

SHA512
4220194debd7c2c7b9818aa97cbb7ba82c7caf1bba590edd3900994f99e9af7d971ec2478f34d3854f41fa53a2ca0f8114ac9517cc821813f520782f81e95581

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSIF7DD.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIF84C.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIFFB1.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/572-31-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/572-25-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/572-26-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/572-32-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-34-0x000001D4D03E0000-0x000001D4D0402000-memory.dmp

Filesize
136KB

Download
memory/2560-30-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-35-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-29-0x000001D4B5D20000-0x000001D4B5DEE000-memory.dmp

Filesize
824KB

Download
memory/3504-0-0x00007FFCFF133000-0x00007FFCFF135000-memory.dmp

Filesize
8KB

Download
memory/3504-28-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/3504-16-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

Filesize
10.8MB

Download
memory/3504-1-0x0000000000E80000-0x0000000000ED6000-memory.dmp

Filesize
344KB

Download