xworm | 1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe
Size

302KB
MD5

98c38e2a2e6fed11878664c62ceee304
SHA1

d9798077b4582ca595c2b1facad1c95d0c356897
SHA256

1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1
SHA512

d61811977670fb25578b15af111c0385ad20b265f21066f6efe6aa82f30e3ab33edf9bebd22168ee69ce7a75605ad8ef2f9e3efc14d341c559a66e094e430156
SSDEEP

6144:olLwDPhjGNtxZJBs6enQLVYpFZsTv0kzMPP/GtKGLGfye4INK1FkEI:6UDPhjGdjSlAV2FarH4ut9GfyWQ1+EI

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

soon-console.gl.at.ply.gg:60222

Mutex

6TmnQVeEYZF4Sp6V

Attributes

Install_directory
%AppData%
install_file
Windows.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0033000000016e73-10.dat	family_xworm
behavioral1/memory/2684-13-0x0000000000310000-0x0000000000320000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2164	powershell.exe
2056	powershell.exe
1404	powershell.exe
2940	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2832	Crack.exe
2684	BOOT_FPS.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe
2116	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe"	BOOT_FPS.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2164	powershell.exe
2056	powershell.exe
1404	powershell.exe
2940	powershell.exe
2684	BOOT_FPS.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	BOOT_FPS.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2684	BOOT_FPS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2684	BOOT_FPS.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2832	2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe	31
PID 2688 wrote to memory of 2832	2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe	31
PID 2688 wrote to memory of 2832	2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe	31
PID 2688 wrote to memory of 2684	2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe	32
PID 2688 wrote to memory of 2684	2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe	32
PID 2688 wrote to memory of 2684	2688	1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe	32
PID 2832 wrote to memory of 2768	2832	Crack.exe	34
PID 2832 wrote to memory of 2768	2832	Crack.exe	34
PID 2832 wrote to memory of 2768	2832	Crack.exe	34
PID 2768 wrote to memory of 108	2768	cmd.exe	35
PID 2768 wrote to memory of 108	2768	cmd.exe	35
PID 2768 wrote to memory of 108	2768	cmd.exe	35
PID 2768 wrote to memory of 2696	2768	cmd.exe	36
PID 2768 wrote to memory of 2696	2768	cmd.exe	36
PID 2768 wrote to memory of 2696	2768	cmd.exe	36
PID 2768 wrote to memory of 2724	2768	cmd.exe	37
PID 2768 wrote to memory of 2724	2768	cmd.exe	37
PID 2768 wrote to memory of 2724	2768	cmd.exe	37
PID 2832 wrote to memory of 2636	2832	Crack.exe	38
PID 2832 wrote to memory of 2636	2832	Crack.exe	38
PID 2832 wrote to memory of 2636	2832	Crack.exe	38
PID 2636 wrote to memory of 2728	2636	cmd.exe	39
PID 2636 wrote to memory of 2728	2636	cmd.exe	39
PID 2636 wrote to memory of 2728	2636	cmd.exe	39
PID 2684 wrote to memory of 2164	2684	BOOT_FPS.exe	41
PID 2684 wrote to memory of 2164	2684	BOOT_FPS.exe	41
PID 2684 wrote to memory of 2164	2684	BOOT_FPS.exe	41
PID 2684 wrote to memory of 2056	2684	BOOT_FPS.exe	43
PID 2684 wrote to memory of 2056	2684	BOOT_FPS.exe	43
PID 2684 wrote to memory of 2056	2684	BOOT_FPS.exe	43
PID 2684 wrote to memory of 1404	2684	BOOT_FPS.exe	45
PID 2684 wrote to memory of 1404	2684	BOOT_FPS.exe	45
PID 2684 wrote to memory of 1404	2684	BOOT_FPS.exe	45
PID 2684 wrote to memory of 2940	2684	BOOT_FPS.exe	47
PID 2684 wrote to memory of 2940	2684	BOOT_FPS.exe	47
PID 2684 wrote to memory of 2940	2684	BOOT_FPS.exe	47

C:\Users\Admin\AppData\Local\Temp\1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe
"C:\Users\Admin\AppData\Local\Temp\1f27ead1385d2bd425b05765ba7d2f34ae480e97c6dfa288c8860fc1826260c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Crack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Crack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Crack.exe" MD5
      4⤵
      PID:108
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2696
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode 80,15
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\mode.com
      mode 80,15
      4⤵
      PID:2728
- C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe
  "C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BOOT_FPS.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOOT_FPS.exe

Filesize
40KB

MD5
bca0eedabdf246ddc3b2c156eaf46af1

SHA1
38a51efbcdbe67b64b0e4a0893660933f93d39fd

SHA256
5ed950a27ce029f74813dba796d34496e770339aabbbe813d179283fd67cbf1d

SHA512
9c5e90910daeeda438b26495d37b59c3f90e580014a2e7bb6ce1bb5895b00133be69c114840ffe9e2fb66dcfc9dc9ca9a6ca8fbd2265a86b32f59dedb770cdea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I4FLPDJKMEPJ7ASTSW3Z.temp

Filesize
7KB

MD5
c705b92d56bc459f534f1819718c3e73

SHA1
4c293869ccda782e845448009ed5103f0f22308c

SHA256
a47cc6961ec6016f43e0e0900f6aeacce67023243415a802ac33eaf0d32db703

SHA512
aa7ba4a596d223e01add8f893014b3fc5b8b3eea872383ccf7e313582971bd09d9e79beeba88ee73fff6fa03ced8d88c2582416c32cb300791e18aba229a043a

Download Submit
\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
540KB

MD5
49546520ae6822c5e45906c4bfd4577a

SHA1
7bd8c2dbcdba84bd005137703a3631ff3e18fb13

SHA256
8246e42c9161da82d25c43c923a09ac93f7a025ad4a8cacf2049e04eac525875

SHA512
846eab1be0fb8a0f20311c29a0304e8ae6f8037e009398fd0e7e9432a73b62844dffd5203054367370e95d9c2b97d38c5115e81d64de6dcc61a746f7d01cfa17

Download Submit
memory/2056-30-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2056-29-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2164-23-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2164-22-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2684-17-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-15-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-13-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2684-43-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-44-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/2688-14-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-1-0x0000000000890000-0x00000000008E2000-memory.dmp

Filesize
328KB

Download