xworm | 47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe
Size

3.0MB
MD5

be1e5f16ba15534a69248555daea25a5
SHA1

b6f7090c2e7676268523cc303b75aeba5bad7e6d
SHA256

47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f
SHA512

2ee12e5b3c8e2426ab5824f080bf3c04688322e8579c8d317dc3bd60475fe723b5e329940a210211de101d986109d69bf080eac88e18b79cc507c3c1a9068210
SSDEEP

12288:uCXs2sBkTI/gwxAk9xLXRGzmkA3FazV4c0e/uTf58uAOSQKs0LXb5Ks1TMLPVttZ:uzb/rckazKc0eq8uAOSHLX1T4PVbTl

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

fredrchmn.duckdns.org:6677

heavensgateusa.cloud:6677

20.90.58.81:6677

Mutex

Zb6OkjjQFFzCuGWh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/116-29-0x0000000001140000-0x0000000001150000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1620 created 3484	1620	Master.pif	56
PID 1620 created 3484	1620	Master.pif	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1620	Master.pif
116	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3672	tasklist.exe
1584	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SatelliteSublimedirectory	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Master.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
1620	Master.pif
116	RegAsm.exe
1620	Master.pif
1620	Master.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	tasklist.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	116	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1620	Master.pif
1620	Master.pif
1620	Master.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1620	Master.pif
1620	Master.pif
1620	Master.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
116	RegAsm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4584	4000	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	86
PID 4000 wrote to memory of 4584	4000	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	86
PID 4000 wrote to memory of 4584	4000	47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe	86
PID 4584 wrote to memory of 3672	4584	cmd.exe	91
PID 4584 wrote to memory of 3672	4584	cmd.exe	91
PID 4584 wrote to memory of 3672	4584	cmd.exe	91
PID 4584 wrote to memory of 5000	4584	cmd.exe	92
PID 4584 wrote to memory of 5000	4584	cmd.exe	92
PID 4584 wrote to memory of 5000	4584	cmd.exe	92
PID 4584 wrote to memory of 1584	4584	cmd.exe	94
PID 4584 wrote to memory of 1584	4584	cmd.exe	94
PID 4584 wrote to memory of 1584	4584	cmd.exe	94
PID 4584 wrote to memory of 5020	4584	cmd.exe	95
PID 4584 wrote to memory of 5020	4584	cmd.exe	95
PID 4584 wrote to memory of 5020	4584	cmd.exe	95
PID 4584 wrote to memory of 1812	4584	cmd.exe	96
PID 4584 wrote to memory of 1812	4584	cmd.exe	96
PID 4584 wrote to memory of 1812	4584	cmd.exe	96
PID 4584 wrote to memory of 228	4584	cmd.exe	97
PID 4584 wrote to memory of 228	4584	cmd.exe	97
PID 4584 wrote to memory of 228	4584	cmd.exe	97
PID 4584 wrote to memory of 1108	4584	cmd.exe	98
PID 4584 wrote to memory of 1108	4584	cmd.exe	98
PID 4584 wrote to memory of 1108	4584	cmd.exe	98
PID 4584 wrote to memory of 1620	4584	cmd.exe	99
PID 4584 wrote to memory of 1620	4584	cmd.exe	99
PID 4584 wrote to memory of 1620	4584	cmd.exe	99
PID 4584 wrote to memory of 1152	4584	cmd.exe	101
PID 4584 wrote to memory of 1152	4584	cmd.exe	101
PID 4584 wrote to memory of 1152	4584	cmd.exe	101
PID 1620 wrote to memory of 4588	1620	Master.pif	103
PID 1620 wrote to memory of 4588	1620	Master.pif	103
PID 1620 wrote to memory of 4588	1620	Master.pif	103
PID 1620 wrote to memory of 4372	1620	Master.pif	105
PID 1620 wrote to memory of 4372	1620	Master.pif	105
PID 1620 wrote to memory of 4372	1620	Master.pif	105
PID 4588 wrote to memory of 5096	4588	cmd.exe	107
PID 4588 wrote to memory of 5096	4588	cmd.exe	107
PID 4588 wrote to memory of 5096	4588	cmd.exe	107
PID 1620 wrote to memory of 116	1620	Master.pif	115
PID 1620 wrote to memory of 116	1620	Master.pif	115
PID 1620 wrote to memory of 116	1620	Master.pif	115
PID 1620 wrote to memory of 116	1620	Master.pif	115
PID 1620 wrote to memory of 116	1620	Master.pif	115

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe
  "C:\Users\Admin\AppData\Local\Temp\47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Miami Miami.bat & Miami.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3672
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5000
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 91603
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "DepthChefDiscsStrikes" Police
      4⤵
      System Location Discovery: System Language Discovery
      PID:228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\February + ..\Earn + ..\Audit + ..\Recommend N
      4⤵
      System Location Discovery: System Language Discovery
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\91603\Master.pif
      Master.pif N
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\91603\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\91603\RegAsm.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:116
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Sage" /tr "wscript //B 'C:\Users\Admin\AppData\Local\DesignWave Innovations\InnoWave.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Sage" /tr "wscript //B 'C:\Users\Admin\AppData\Local\DesignWave Innovations\InnoWave.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url" & echo URL="C:\Users\Admin\AppData\Local\DesignWave Innovations\InnoWave.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91603\Master.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\91603\N

Filesize
225KB

MD5
0964e34f1ecf941ba518bfd72ca62d9b

SHA1
8f7ff71f53d2d36c1771451fac1e822b21a8dd35

SHA256
386967208c919de48469b2e0377f4d0b7f222b3299a65a7887369c9e5766a3c6

SHA512
9d17f7f8255f05c76f6167f4f7b24fcf0ac870011f8b427e19cb8219c80222e5228707d01ab0fa41affd4f1a4d1c6e2f89ce44277fd1d1531f86c55e887675af

Download Submit
C:\Users\Admin\AppData\Local\Temp\91603\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Audit

Filesize
64KB

MD5
d7330b5d62441a7f9d82d96bce57c947

SHA1
b7cf5b9740f2a9231b56bc0b30172ef0838d441b

SHA256
73323d73aefa65853992e208131b7a7379bc46c77cf7e802d71510e5a8caf78f

SHA512
66bef2ced19fd5835b11ab950ef679903a4d3586df8ead7fe7bdcc830bd6adbc25fea7a96d6fbf0171fd4615167d2e2c97964ac366ef1d1d61ded14d53f698a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Earn

Filesize
67KB

MD5
fa01c7e1215ada87487c81fdc3c2f541

SHA1
6c335596e590a4c8a44b2d844384e680054a5f17

SHA256
7617c770dbb286738e29ac8027d0026c18b554987698f225d8a9a0284b119bce

SHA512
12bd1715f933c25443772f9cdcaf5817d6279a17e28506337a5984125c8e2be15c85380048561f5a08226c8df0556c9e1f1ac28c5bda0a7546afecad1da0f746

Download Submit
C:\Users\Admin\AppData\Local\Temp\February

Filesize
56KB

MD5
9e1051181a5a96635f59cacfb0e75ed6

SHA1
4bbc70fce84e19cfc340d5fecc04f59a34bc36b5

SHA256
c5d4605cc88c69048ce6200c906007d652a47ef95f12e53eb1fa119e75ccf9db

SHA512
b5b35145c22906bc0c30d1a7b93cc5badd255884e173bba2315f1f98af184da65dc574dca3cfc9bca794c5b959c6f3eae147fcec6c3d88db97a683f773e11ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miami

Filesize
23KB

MD5
9898e2c331f885d868cff6c77bb3e340

SHA1
963c6d8247a80bde01040a40ffd66c640c265abe

SHA256
2cc67f847ce720176e3b4f771c069f4c0349bf9a6766ce939a01df8dbc44c538

SHA512
a246eb5c271678955dc8c8fb3ecea957b31f1345b955f81f64d92d4abbc7d7b719752326ae97ed55b59f4e1cf16b961edcede2ea0f53f494b0d88fa8c1f32406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Police

Filesize
6KB

MD5
260eb50f5f2c20f9279d41b91f8dcba3

SHA1
bea41838f1f9f69d99614cd9b47ad8eb01b5cf7f

SHA256
65cd81e89a2523a32a5ece8c4ad23c1d9ebab1a55ff4d703902492b18b28214c

SHA512
57b428ddfc6cca7fc658a2f9e77f06f5628599c3252312695b20953e56026ba8c20e95a4a50e3c4e1335fefd3068525b06cf4c9295338d42727e6941ab782387

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recommend

Filesize
38KB

MD5
b4846fc055fd6618816cd8950b89cfaf

SHA1
de4c53b9712cb320bc43a267b513fc39cd0ee88f

SHA256
12ca1a185f79ad2c5ae0ebb538c26aad889ca9c49f79b70c2ae70e41ed65bbe4

SHA512
6e91cfd7805e119c827e9e07c80c7cbb44d371a3d97b7f3597ae7f0bbb9a0efdae43f33aa21868a556b721beff4eba5bf650559b7ffaff47a4ab9a5397b0391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soil

Filesize
866KB

MD5
63cda6f02502a4aa6822c7a9c344d077

SHA1
1c6277a07104352fad10d42178cd79d0c32b0bc4

SHA256
79f6daad6457007d5f971686654e4c513443631ba0af2beb27b69625fd68c655

SHA512
339993b783bf839b11bb6e3537553ef7a1bc229e1d8e03300a3d8ec32eb248f8fb20bad2fdb46c91cd861b40e674b72a2cabd4c744a481e5f65047f68b66cf61

Download Submit
memory/116-29-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/116-32-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/116-33-0x00000000061D0000-0x0000000006774000-memory.dmp

Filesize
5.6MB

Download
memory/116-34-0x0000000006100000-0x0000000006192000-memory.dmp

Filesize
584KB

Download
memory/116-35-0x00000000060C0000-0x00000000060CA000-memory.dmp

Filesize
40KB

Download
memory/116-36-0x0000000006A50000-0x0000000006AB6000-memory.dmp

Filesize
408KB

Download