xworm | 61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe
Size

193KB
MD5

6cad6576780e786ee72a659d50dc4020
SHA1

50cb376363e6317836c3cd774b135531bc6110c0
SHA256

61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150
SHA512

20724d675c27f11c1496257afa6b3c8304d87a642acaa7cdb9b368d1a76b041afa3f05a09857a835f8124b832ebca10f81c22399abf03cb9af1a925eb62a3ae7
SSDEEP

6144:g2JhWiZqebUcSxw1RrPDhcZhyL8vr/5FZRAdPOl/AT7tu9:DhvSxCJbeZQ8vNFZAPOST7t

Score

10^/10

xworm execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

wego666.webredirect.org:666

Mutex

0MJ5uaqdM5KfHEtd

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2616-53-0x00000000004F0000-0x0000000000502000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	$phantom-startup_str_683.bat

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	powershell.exe
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat
2616	$phantom-startup_str_683.bat

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2616	$phantom-startup_str_683.bat
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	$phantom-startup_str_683.bat

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2820	2644	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	31
PID 2644 wrote to memory of 2820	2644	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	31
PID 2644 wrote to memory of 2820	2644	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	31
PID 2820 wrote to memory of 2752	2820	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	33
PID 2820 wrote to memory of 2752	2820	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	33
PID 2820 wrote to memory of 2752	2820	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	33
PID 2820 wrote to memory of 1312	2820	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	35
PID 2820 wrote to memory of 1312	2820	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	35
PID 2820 wrote to memory of 1312	2820	61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe	35
PID 1312 wrote to memory of 2616	1312	WScript.exe	36
PID 1312 wrote to memory of 2616	1312	WScript.exe	36
PID 1312 wrote to memory of 2616	1312	WScript.exe	36
PID 2616 wrote to memory of 1208	2616	$phantom-startup_str_683.bat	21
PID 2616 wrote to memory of 1064	2616	$phantom-startup_str_683.bat	18
PID 2616 wrote to memory of 972	2616	$phantom-startup_str_683.bat	15
PID 2616 wrote to memory of 864	2616	$phantom-startup_str_683.bat	13
PID 2616 wrote to memory of 772	2616	$phantom-startup_str_683.bat	11
PID 2616 wrote to memory of 2080	2616	$phantom-startup_str_683.bat	26
PID 2616 wrote to memory of 612	2616	$phantom-startup_str_683.bat	9
PID 2616 wrote to memory of 820	2616	$phantom-startup_str_683.bat	12
PID 2616 wrote to memory of 284	2616	$phantom-startup_str_683.bat	16
PID 2616 wrote to memory of 692	2616	$phantom-startup_str_683.bat	10
PID 612 wrote to memory of 2760	612	svchost.exe	38
PID 612 wrote to memory of 2760	612	svchost.exe	38
PID 612 wrote to memory of 2760	612	svchost.exe	38
PID 612 wrote to memory of 1440	612	svchost.exe	39
PID 612 wrote to memory of 1440	612	svchost.exe	39
PID 612 wrote to memory of 1440	612	svchost.exe	39

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Suspicious use of WriteProcessMemory
PID:612
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:2760
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1064

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe
  "C:\Users\Admin\AppData\Local\Temp\61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe
    "C:\Users\Admin\AppData\Local\Temp\61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_683_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.bat
        
        "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.bat"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.bat

Filesize
193KB

MD5
6cad6576780e786ee72a659d50dc4020

SHA1
50cb376363e6317836c3cd774b135531bc6110c0

SHA256
61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150

SHA512
20724d675c27f11c1496257afa6b3c8304d87a642acaa7cdb9b368d1a76b041afa3f05a09857a835f8124b832ebca10f81c22399abf03cb9af1a925eb62a3ae7

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.vbs

Filesize
124B

MD5
d07323f71d546acdb9dc472b9082cbf5

SHA1
23469289b6b5c000fb86897f4a14479b101b1b7a

SHA256
207f3f27b153aa80a2759e78d2075ff7297416e05823e9002eaff551754bc7c8

SHA512
357857492810e08a437d88e89a2b50afa7e48cdcbcd2e335cb6eac4730780a2cd4dcaa397e7fc7e921ea6da2b296157bf7d7fca3c8c22cacf0b4e51203d5d7da

Download Submit
memory/1208-16-0x00000000025E0000-0x000000000260A000-memory.dmp

Filesize
168KB

Download
memory/1208-18-0x00000000025E0000-0x000000000260A000-memory.dmp

Filesize
168KB

Download
memory/1208-57-0x0000000037C70000-0x0000000037C80000-memory.dmp

Filesize
64KB

Download
memory/1208-56-0x000007FEBE540000-0x000007FEBE550000-memory.dmp

Filesize
64KB

Download
memory/2616-15-0x0000000001320000-0x0000000001356000-memory.dmp

Filesize
216KB

Download
memory/2616-53-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2644-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000F30000-0x0000000000F66000-memory.dmp

Filesize
216KB

Download
memory/2752-7-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2752-8-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download