xworm | 9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
Size

1.0MB
MD5

bf265e0055178b2aa642fc6df2ae5f40
SHA1

f692cbf19ecf33a48ddefa2b615ea979fa5633b4
SHA256

9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642
SHA512

c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d
SSDEEP

12288:BCQdkpj9XCQR9Fo+lSEr/CAcHqpxr0H8totz8LfAz1uviBCGG4HgoKQJZNL:BVdujt9pAE0+rMN8LYzcyTAqJZNL

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4616-355-0x0000000000D70000-0x0000000000D80000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4312 created 3520	4312	Horizon.pif	56
PID 4312 created 3520	4312	Horizon.pif	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4312	Horizon.pif
4616	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1964	tasklist.exe
2540	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MiddleOrganize	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
File opened for modification	C:\Windows\EmotionalCnet	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
File opened for modification	C:\Windows\NigerMauritius	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Horizon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4616	RegAsm.exe
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	2540	tasklist.exe
Token: SeDebugPrivilege	4616	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4312	Horizon.pif
4312	Horizon.pif
4312	Horizon.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	RegAsm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 992	4728	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	86
PID 4728 wrote to memory of 992	4728	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	86
PID 4728 wrote to memory of 992	4728	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	86
PID 992 wrote to memory of 1964	992	cmd.exe	88
PID 992 wrote to memory of 1964	992	cmd.exe	88
PID 992 wrote to memory of 1964	992	cmd.exe	88
PID 992 wrote to memory of 4756	992	cmd.exe	89
PID 992 wrote to memory of 4756	992	cmd.exe	89
PID 992 wrote to memory of 4756	992	cmd.exe	89
PID 992 wrote to memory of 2540	992	cmd.exe	91
PID 992 wrote to memory of 2540	992	cmd.exe	91
PID 992 wrote to memory of 2540	992	cmd.exe	91
PID 992 wrote to memory of 4548	992	cmd.exe	92
PID 992 wrote to memory of 4548	992	cmd.exe	92
PID 992 wrote to memory of 4548	992	cmd.exe	92
PID 992 wrote to memory of 1060	992	cmd.exe	95
PID 992 wrote to memory of 1060	992	cmd.exe	95
PID 992 wrote to memory of 1060	992	cmd.exe	95
PID 992 wrote to memory of 4304	992	cmd.exe	96
PID 992 wrote to memory of 4304	992	cmd.exe	96
PID 992 wrote to memory of 4304	992	cmd.exe	96
PID 992 wrote to memory of 3636	992	cmd.exe	97
PID 992 wrote to memory of 3636	992	cmd.exe	97
PID 992 wrote to memory of 3636	992	cmd.exe	97
PID 992 wrote to memory of 4312	992	cmd.exe	98
PID 992 wrote to memory of 4312	992	cmd.exe	98
PID 992 wrote to memory of 4312	992	cmd.exe	98
PID 992 wrote to memory of 3332	992	cmd.exe	99
PID 992 wrote to memory of 3332	992	cmd.exe	99
PID 992 wrote to memory of 3332	992	cmd.exe	99
PID 4312 wrote to memory of 232	4312	Horizon.pif	100
PID 4312 wrote to memory of 232	4312	Horizon.pif	100
PID 4312 wrote to memory of 232	4312	Horizon.pif	100
PID 232 wrote to memory of 2620	232	cmd.exe	103
PID 232 wrote to memory of 2620	232	cmd.exe	103
PID 232 wrote to memory of 2620	232	cmd.exe	103
PID 4312 wrote to memory of 5100	4312	Horizon.pif	102
PID 4312 wrote to memory of 5100	4312	Horizon.pif	102
PID 4312 wrote to memory of 5100	4312	Horizon.pif	102
PID 4312 wrote to memory of 4616	4312	Horizon.pif	109
PID 4312 wrote to memory of 4616	4312	Horizon.pif	109
PID 4312 wrote to memory of 4616	4312	Horizon.pif	109
PID 4312 wrote to memory of 4616	4312	Horizon.pif	109
PID 4312 wrote to memory of 4616	4312	Horizon.pif	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
  "C:\Users\Admin\AppData\Local\Temp\9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4756
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 609587
      4⤵
      System Location Discovery: System Language Discovery
      PID:1060
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "outputdiffswalnutcontainer" Sufficient
      4⤵
      System Location Discovery: System Language Discovery
      PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
      4⤵
      System Location Discovery: System Language Discovery
      PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif
      Horizon.pif k
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4616
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\609587\k

Filesize
223KB

MD5
9c3ccfc1b85ec90de741f82334ec5c13

SHA1
cdb55d03f47197ac3c1556de854384e25a161285

SHA256
08e08296d2da025e5fd84c3ad002a83af525149d56b5d9a24f75a6d080bbea58

SHA512
9b567d773421bf3a84a56911c86589225c1faaad1391063bac65495a0287798a28b764da81c44596cc9c69f7673233876292fd172bbcdad4ce91f391042912c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chef

Filesize
64KB

MD5
4929feb5427b3e00555c7cebeb73ab46

SHA1
a48cf5e4a6e44bba30589f5cf96536a3a007141b

SHA256
8faea441687488ed8da8773c1acf4f6ba847b42359716d1275fe44100fc46cd9

SHA512
a13ce8842a46e19c436558f51de82ae036b520182a042865c3c625cdb6c4c9bee4ba7f914cf0feac67685e6f299ceaea2008b3255b0868c0d5f414c07b32e43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combine

Filesize
85KB

MD5
dad5d9394613487c0825ad87374a4a96

SHA1
806d908a747487b4693b1dc7598c66670b342cac

SHA256
81887327e72b9233e2a002ed8d4557669f3305a60fc4ab45b3cb37257798c42c

SHA512
f0a5e4051f24360bdf6d7f969d187ab848e42906878a33f960c72dfa28a7ed48540eb59dc28ae0691ba7771aae501387221e1549bf71e24c9f850c05e6513418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dragon

Filesize
13KB

MD5
8f99511bc647d62d0ab24676ffbf1f81

SHA1
ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb

SHA256
3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6

SHA512
9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sufficient

Filesize
7KB

MD5
b3b46c8e223bde8e40e6628db25523c9

SHA1
b1fe51169b519463044c613d4f3edf9c26115dac

SHA256
d0fa12b632138baed0239d8da41e60ae5e9d08c4ab7de774bea56741e8bd9a09

SHA512
e426f66a18ec6c5471908520a81d8f0e6b14b48841f96da6a5480603dddf65be6e56ed44a0411f5a3387f387a0a5ef3e651f90f4398d1643665330428db9263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transportation

Filesize
74KB

MD5
30a3404783a2d7652e29d645628b04c9

SHA1
aaf37b72d13c697276b34e323ca1bd00fc243cdf

SHA256
5b264df9d00b5df6d976a76cca68f3fd70bc1c277344d6d8c16a024cebbcb9a6

SHA512
48d768d87b9ede55b34ec699fd223e7fab0b55cc8fcafcab28dede80dd235cbf2bd3e9429f1533d6f891ddff1221f9d8c7cefb15bce8b155322ee97981d23eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Traveling

Filesize
864KB

MD5
4546bdeea370b865f80ba3e523b3ade7

SHA1
7118f8844c1f938d3e00b5c50624d995ee01236a

SHA256
ade4df61ada81439b176e2b32f970ec6a0697c959e3d75c0e40eea07813ed930

SHA512
1c031f1a10e0080a3f5ed1359ebc05d214c8aa19a760ea05bb1008f3f1ee37d119f60ccd6c98c20044647711beb4f62c49a936b88199066dccceb9d741a1adb5

Download Submit
memory/4616-355-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/4616-358-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/4616-359-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/4616-360-0x0000000006180000-0x0000000006212000-memory.dmp

Filesize
584KB

Download
memory/4616-361-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download