xworm | 9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
Size

1.0MB
MD5

bf265e0055178b2aa642fc6df2ae5f40
SHA1

f692cbf19ecf33a48ddefa2b615ea979fa5633b4
SHA256

9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642
SHA512

c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d
SSDEEP

12288:BCQdkpj9XCQR9Fo+lSEr/CAcHqpxr0H8totz8LfAz1uviBCGG4HgoKQJZNL:BVdujt9pAE0+rMN8LYzcyTAqJZNL

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2892-355-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/2892-354-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	Horizon.pif

Loads dropped DLL 1 IoCs

pid	Process
2972	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1040	tasklist.exe
1616	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MiddleOrganize	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
File opened for modification	C:\Windows\EmotionalCnet	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
File opened for modification	C:\Windows\NigerMauritius	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Horizon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2892	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	1616	tasklist.exe
Token: SeDebugPrivilege	2892	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	RegAsm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2972	2328	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	31
PID 2328 wrote to memory of 2972	2328	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	31
PID 2328 wrote to memory of 2972	2328	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	31
PID 2328 wrote to memory of 2972	2328	9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe	31
PID 2972 wrote to memory of 1040	2972	cmd.exe	33
PID 2972 wrote to memory of 1040	2972	cmd.exe	33
PID 2972 wrote to memory of 1040	2972	cmd.exe	33
PID 2972 wrote to memory of 1040	2972	cmd.exe	33
PID 2972 wrote to memory of 836	2972	cmd.exe	34
PID 2972 wrote to memory of 836	2972	cmd.exe	34
PID 2972 wrote to memory of 836	2972	cmd.exe	34
PID 2972 wrote to memory of 836	2972	cmd.exe	34
PID 2972 wrote to memory of 1616	2972	cmd.exe	36
PID 2972 wrote to memory of 1616	2972	cmd.exe	36
PID 2972 wrote to memory of 1616	2972	cmd.exe	36
PID 2972 wrote to memory of 1616	2972	cmd.exe	36
PID 2972 wrote to memory of 1524	2972	cmd.exe	37
PID 2972 wrote to memory of 1524	2972	cmd.exe	37
PID 2972 wrote to memory of 1524	2972	cmd.exe	37
PID 2972 wrote to memory of 1524	2972	cmd.exe	37
PID 2972 wrote to memory of 2284	2972	cmd.exe	38
PID 2972 wrote to memory of 2284	2972	cmd.exe	38
PID 2972 wrote to memory of 2284	2972	cmd.exe	38
PID 2972 wrote to memory of 2284	2972	cmd.exe	38
PID 2972 wrote to memory of 3028	2972	cmd.exe	39
PID 2972 wrote to memory of 3028	2972	cmd.exe	39
PID 2972 wrote to memory of 3028	2972	cmd.exe	39
PID 2972 wrote to memory of 3028	2972	cmd.exe	39
PID 2972 wrote to memory of 876	2972	cmd.exe	40
PID 2972 wrote to memory of 876	2972	cmd.exe	40
PID 2972 wrote to memory of 876	2972	cmd.exe	40
PID 2972 wrote to memory of 876	2972	cmd.exe	40
PID 2972 wrote to memory of 2196	2972	cmd.exe	41
PID 2972 wrote to memory of 2196	2972	cmd.exe	41
PID 2972 wrote to memory of 2196	2972	cmd.exe	41
PID 2972 wrote to memory of 2196	2972	cmd.exe	41
PID 2972 wrote to memory of 2056	2972	cmd.exe	42
PID 2972 wrote to memory of 2056	2972	cmd.exe	42
PID 2972 wrote to memory of 2056	2972	cmd.exe	42
PID 2972 wrote to memory of 2056	2972	cmd.exe	42
PID 1932 wrote to memory of 2684	1932	cmd.exe	47
PID 1932 wrote to memory of 2684	1932	cmd.exe	47
PID 1932 wrote to memory of 2684	1932	cmd.exe	47
PID 1932 wrote to memory of 2684	1932	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe
"C:\Users\Admin\AppData\Local\Temp\9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:836
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 609587
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "outputdiffswalnutcontainer" Sufficient
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif
    Horizon.pif k
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2892
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chef

Filesize
64KB

MD5
4929feb5427b3e00555c7cebeb73ab46

SHA1
a48cf5e4a6e44bba30589f5cf96536a3a007141b

SHA256
8faea441687488ed8da8773c1acf4f6ba847b42359716d1275fe44100fc46cd9

SHA512
a13ce8842a46e19c436558f51de82ae036b520182a042865c3c625cdb6c4c9bee4ba7f914cf0feac67685e6f299ceaea2008b3255b0868c0d5f414c07b32e43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combine

Filesize
85KB

MD5
dad5d9394613487c0825ad87374a4a96

SHA1
806d908a747487b4693b1dc7598c66670b342cac

SHA256
81887327e72b9233e2a002ed8d4557669f3305a60fc4ab45b3cb37257798c42c

SHA512
f0a5e4051f24360bdf6d7f969d187ab848e42906878a33f960c72dfa28a7ed48540eb59dc28ae0691ba7771aae501387221e1549bf71e24c9f850c05e6513418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dragon

Filesize
13KB

MD5
8f99511bc647d62d0ab24676ffbf1f81

SHA1
ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb

SHA256
3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6

SHA512
9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sufficient

Filesize
7KB

MD5
b3b46c8e223bde8e40e6628db25523c9

SHA1
b1fe51169b519463044c613d4f3edf9c26115dac

SHA256
d0fa12b632138baed0239d8da41e60ae5e9d08c4ab7de774bea56741e8bd9a09

SHA512
e426f66a18ec6c5471908520a81d8f0e6b14b48841f96da6a5480603dddf65be6e56ed44a0411f5a3387f387a0a5ef3e651f90f4398d1643665330428db9263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transportation

Filesize
74KB

MD5
30a3404783a2d7652e29d645628b04c9

SHA1
aaf37b72d13c697276b34e323ca1bd00fc243cdf

SHA256
5b264df9d00b5df6d976a76cca68f3fd70bc1c277344d6d8c16a024cebbcb9a6

SHA512
48d768d87b9ede55b34ec699fd223e7fab0b55cc8fcafcab28dede80dd235cbf2bd3e9429f1533d6f891ddff1221f9d8c7cefb15bce8b155322ee97981d23eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Traveling

Filesize
864KB

MD5
4546bdeea370b865f80ba3e523b3ade7

SHA1
7118f8844c1f938d3e00b5c50624d995ee01236a

SHA256
ade4df61ada81439b176e2b32f970ec6a0697c959e3d75c0e40eea07813ed930

SHA512
1c031f1a10e0080a3f5ed1359ebc05d214c8aa19a760ea05bb1008f3f1ee37d119f60ccd6c98c20044647711beb4f62c49a936b88199066dccceb9d741a1adb5

Download Submit
\Users\Admin\AppData\Local\Temp\609587\Horizon.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2892-355-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2892-354-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download