xworm | 47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe
Size

3.0MB
MD5

be1e5f16ba15534a69248555daea25a5
SHA1

b6f7090c2e7676268523cc303b75aeba5bad7e6d
SHA256

47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f
SHA512

2ee12e5b3c8e2426ab5824f080bf3c04688322e8579c8d317dc3bd60475fe723b5e329940a210211de101d986109d69bf080eac88e18b79cc507c3c1a9068210
SSDEEP

12288:uCXs2sBkTI/gwxAk9xLXRGzmkA3FazV4c0e/uTf58uAOSQKs0LXb5Ks1TMLPVttZ:uzb/rckazKc0eq8uAOSHLX1T4PVbTl

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

fredrchmn.duckdns.org:6677

heavensgateusa.cloud:6677

20.90.58.81:6677

Mutex

Zb6OkjjQFFzCuGWh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2384-33-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/2384-35-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/2384-36-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2864 created 1176	2864	Master.pif	21
PID 2864 created 1176	2864	Master.pif	21

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	Master.pif
2384	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2128	cmd.exe
2864	Master.pif
2384	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2084	tasklist.exe
2768	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SatelliteSublimedirectory	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Master.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2864	Master.pif
2384	RegAsm.exe
2864	Master.pif
2864	Master.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	tasklist.exe
Token: SeDebugPrivilege	2768	tasklist.exe
Token: SeDebugPrivilege	2384	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2864	Master.pif
2864	Master.pif
2864	Master.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2864	Master.pif
2864	Master.pif
2864	Master.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	RegAsm.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2128	2500	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	30
PID 2500 wrote to memory of 2128	2500	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	30
PID 2500 wrote to memory of 2128	2500	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	30
PID 2500 wrote to memory of 2128	2500	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	30
PID 2128 wrote to memory of 2084	2128	cmd.exe	32
PID 2128 wrote to memory of 2084	2128	cmd.exe	32
PID 2128 wrote to memory of 2084	2128	cmd.exe	32
PID 2128 wrote to memory of 2084	2128	cmd.exe	32
PID 2128 wrote to memory of 2132	2128	cmd.exe	33
PID 2128 wrote to memory of 2132	2128	cmd.exe	33
PID 2128 wrote to memory of 2132	2128	cmd.exe	33
PID 2128 wrote to memory of 2132	2128	cmd.exe	33
PID 2128 wrote to memory of 2768	2128	cmd.exe	35
PID 2128 wrote to memory of 2768	2128	cmd.exe	35
PID 2128 wrote to memory of 2768	2128	cmd.exe	35
PID 2128 wrote to memory of 2768	2128	cmd.exe	35
PID 2128 wrote to memory of 956	2128	cmd.exe	36
PID 2128 wrote to memory of 956	2128	cmd.exe	36
PID 2128 wrote to memory of 956	2128	cmd.exe	36
PID 2128 wrote to memory of 956	2128	cmd.exe	36
PID 2128 wrote to memory of 2148	2128	cmd.exe	37
PID 2128 wrote to memory of 2148	2128	cmd.exe	37
PID 2128 wrote to memory of 2148	2128	cmd.exe	37
PID 2128 wrote to memory of 2148	2128	cmd.exe	37
PID 2128 wrote to memory of 2012	2128	cmd.exe	38
PID 2128 wrote to memory of 2012	2128	cmd.exe	38
PID 2128 wrote to memory of 2012	2128	cmd.exe	38
PID 2128 wrote to memory of 2012	2128	cmd.exe	38
PID 2128 wrote to memory of 2808	2128	cmd.exe	39
PID 2128 wrote to memory of 2808	2128	cmd.exe	39
PID 2128 wrote to memory of 2808	2128	cmd.exe	39
PID 2128 wrote to memory of 2808	2128	cmd.exe	39
PID 2128 wrote to memory of 2864	2128	cmd.exe	40
PID 2128 wrote to memory of 2864	2128	cmd.exe	40
PID 2128 wrote to memory of 2864	2128	cmd.exe	40
PID 2128 wrote to memory of 2864	2128	cmd.exe	40
PID 2128 wrote to memory of 2940	2128	cmd.exe	41
PID 2128 wrote to memory of 2940	2128	cmd.exe	41
PID 2128 wrote to memory of 2940	2128	cmd.exe	41
PID 2128 wrote to memory of 2940	2128	cmd.exe	41
PID 2864 wrote to memory of 2776	2864	Master.pif	42
PID 2864 wrote to memory of 2776	2864	Master.pif	42
PID 2864 wrote to memory of 2776	2864	Master.pif	42
PID 2864 wrote to memory of 2776	2864	Master.pif	42
PID 2864 wrote to memory of 2696	2864	Master.pif	44
PID 2864 wrote to memory of 2696	2864	Master.pif	44
PID 2864 wrote to memory of 2696	2864	Master.pif	44
PID 2864 wrote to memory of 2696	2864	Master.pif	44
PID 2776 wrote to memory of 2460	2776	cmd.exe	46
PID 2776 wrote to memory of 2460	2776	cmd.exe	46
PID 2776 wrote to memory of 2460	2776	cmd.exe	46
PID 2776 wrote to memory of 2460	2776	cmd.exe	46
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48
PID 2864 wrote to memory of 2384	2864	Master.pif	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe
  "C:\Users\Admin\AppData\Local\Temp\47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Miami Miami.bat & Miami.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2084
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2132
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 91603
      4⤵
      System Location Discovery: System Language Discovery
      PID:2148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "DepthChefDiscsStrikes" Police
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\February + ..\Earn + ..\Audit + ..\Recommend N
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\91603\Master.pif
      Master.pif N
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\91603\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\91603\RegAsm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2384
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Sage" /tr "wscript //B 'C:\Users\Admin\AppData\Local\DesignWave Innovations\InnoWave.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Sage" /tr "wscript //B 'C:\Users\Admin\AppData\Local\DesignWave Innovations\InnoWave.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url" & echo URL="C:\Users\Admin\AppData\Local\DesignWave Innovations\InnoWave.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91603\N

Filesize
225KB

MD5
0964e34f1ecf941ba518bfd72ca62d9b

SHA1
8f7ff71f53d2d36c1771451fac1e822b21a8dd35

SHA256
386967208c919de48469b2e0377f4d0b7f222b3299a65a7887369c9e5766a3c6

SHA512
9d17f7f8255f05c76f6167f4f7b24fcf0ac870011f8b427e19cb8219c80222e5228707d01ab0fa41affd4f1a4d1c6e2f89ce44277fd1d1531f86c55e887675af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Audit

Filesize
64KB

MD5
d7330b5d62441a7f9d82d96bce57c947

SHA1
b7cf5b9740f2a9231b56bc0b30172ef0838d441b

SHA256
73323d73aefa65853992e208131b7a7379bc46c77cf7e802d71510e5a8caf78f

SHA512
66bef2ced19fd5835b11ab950ef679903a4d3586df8ead7fe7bdcc830bd6adbc25fea7a96d6fbf0171fd4615167d2e2c97964ac366ef1d1d61ded14d53f698a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Earn

Filesize
67KB

MD5
fa01c7e1215ada87487c81fdc3c2f541

SHA1
6c335596e590a4c8a44b2d844384e680054a5f17

SHA256
7617c770dbb286738e29ac8027d0026c18b554987698f225d8a9a0284b119bce

SHA512
12bd1715f933c25443772f9cdcaf5817d6279a17e28506337a5984125c8e2be15c85380048561f5a08226c8df0556c9e1f1ac28c5bda0a7546afecad1da0f746

Download Submit
C:\Users\Admin\AppData\Local\Temp\February

Filesize
56KB

MD5
9e1051181a5a96635f59cacfb0e75ed6

SHA1
4bbc70fce84e19cfc340d5fecc04f59a34bc36b5

SHA256
c5d4605cc88c69048ce6200c906007d652a47ef95f12e53eb1fa119e75ccf9db

SHA512
b5b35145c22906bc0c30d1a7b93cc5badd255884e173bba2315f1f98af184da65dc574dca3cfc9bca794c5b959c6f3eae147fcec6c3d88db97a683f773e11ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miami

Filesize
23KB

MD5
9898e2c331f885d868cff6c77bb3e340

SHA1
963c6d8247a80bde01040a40ffd66c640c265abe

SHA256
2cc67f847ce720176e3b4f771c069f4c0349bf9a6766ce939a01df8dbc44c538

SHA512
a246eb5c271678955dc8c8fb3ecea957b31f1345b955f81f64d92d4abbc7d7b719752326ae97ed55b59f4e1cf16b961edcede2ea0f53f494b0d88fa8c1f32406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Police

Filesize
6KB

MD5
260eb50f5f2c20f9279d41b91f8dcba3

SHA1
bea41838f1f9f69d99614cd9b47ad8eb01b5cf7f

SHA256
65cd81e89a2523a32a5ece8c4ad23c1d9ebab1a55ff4d703902492b18b28214c

SHA512
57b428ddfc6cca7fc658a2f9e77f06f5628599c3252312695b20953e56026ba8c20e95a4a50e3c4e1335fefd3068525b06cf4c9295338d42727e6941ab782387

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recommend

Filesize
38KB

MD5
b4846fc055fd6618816cd8950b89cfaf

SHA1
de4c53b9712cb320bc43a267b513fc39cd0ee88f

SHA256
12ca1a185f79ad2c5ae0ebb538c26aad889ca9c49f79b70c2ae70e41ed65bbe4

SHA512
6e91cfd7805e119c827e9e07c80c7cbb44d371a3d97b7f3597ae7f0bbb9a0efdae43f33aa21868a556b721beff4eba5bf650559b7ffaff47a4ab9a5397b0391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soil

Filesize
866KB

MD5
63cda6f02502a4aa6822c7a9c344d077

SHA1
1c6277a07104352fad10d42178cd79d0c32b0bc4

SHA256
79f6daad6457007d5f971686654e4c513443631ba0af2beb27b69625fd68c655

SHA512
339993b783bf839b11bb6e3537553ef7a1bc229e1d8e03300a3d8ec32eb248f8fb20bad2fdb46c91cd861b40e674b72a2cabd4c744a481e5f65047f68b66cf61

Download Submit
\Users\Admin\AppData\Local\Temp\91603\Master.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
\Users\Admin\AppData\Local\Temp\91603\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2384-33-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2384-35-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2384-36-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download