xworm | b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71

Analysis

max time kernel
59s
max time network
36s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VmxCheats.exe
Size

39KB
MD5

640194b0d51307f362b74fd4a4a1761d
SHA1

8e623f6ba2c87803f079b85578289359d71c6c90
SHA256

b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71
SHA512

7631827a014041c8066e334584116db7a3320de4fbbae285c9c87bccc53381ddc525add1f031e5920e01450155aa22b1550de2725ff213ea9fbb3e5c26118dc2
SSDEEP

768:feMIxy4cStkT1MfdDtVISFp9ITOMhkbF:feMIxnmpM5X3Fp9ITOMiJ

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

perfect-invest.gl.at.ply.gg:61586

Mutex

vnCrrKpdlb0ooKNR

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3052-1-0x0000000000CC0000-0x0000000000CD0000-memory.dmp	family_xworm
behavioral1/files/0x00280000000450df-21.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	VmxCheats.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	VmxCheats.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	VmxCheats.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3228	timeout.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3052	VmxCheats.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	VmxCheats.exe
Token: SeDebugPrivilege	2240	taskmgr.exe
Token: SeSystemProfilePrivilege	2240	taskmgr.exe
Token: SeCreateGlobalPrivilege	2240	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe
2240	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3052	VmxCheats.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2440	3052	VmxCheats.exe	93
PID 3052 wrote to memory of 2440	3052	VmxCheats.exe	93
PID 2440 wrote to memory of 3228	2440	cmd.exe	95
PID 2440 wrote to memory of 3228	2440	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\VmxCheats.exe
"C:\Users\Admin\AppData\Local\Temp\VmxCheats.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.bat

Filesize
160B

MD5
d2d3c456e40b08429df0867e22178764

SHA1
fa7d0d87e2f1fead1c515f5878f095e289e8ef98

SHA256
547b2d1585d3b4e4c7bcacc2785750b75a21830239df8f2cd9423153106b3e32

SHA512
9b7cde1050e02f88e048f2de80281a82dce715b7d737663b46d31d58b6863c05fa0879e9c7bf07b3cfda666d12b35415a7e0fe13e2cbe36344a030b8fdd66459

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Filesize
771B

MD5
7aca4d4ef1f3877187763d46f39cba99

SHA1
8763d60920e8f51828cd1bb7a4e5215778316afa

SHA256
fe5f271f633008c75bea257a932ae1a6acf876e78ce88648662803b94f9da21f

SHA512
90109c84715dbce682627f2328c89ed10b7f016a7ee0b47b279933dec83e3f9292733d597d713cea40a8c401c286d54da6858284902ccca94253c975870d1e47

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
39KB

MD5
640194b0d51307f362b74fd4a4a1761d

SHA1
8e623f6ba2c87803f079b85578289359d71c6c90

SHA256
b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71

SHA512
7631827a014041c8066e334584116db7a3320de4fbbae285c9c87bccc53381ddc525add1f031e5920e01450155aa22b1550de2725ff213ea9fbb3e5c26118dc2

Download Submit
memory/2240-17-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-15-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-7-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-19-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-18-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-9-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-16-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-8-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-14-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/2240-13-0x000001E74EBA0000-0x000001E74EBA1000-memory.dmp

Filesize
4KB

Download
memory/3052-0-0x00007FF8853E3000-0x00007FF8853E5000-memory.dmp

Filesize
8KB

Download
memory/3052-6-0x00007FF8853E0000-0x00007FF885EA2000-memory.dmp

Filesize
10.8MB

Download
memory/3052-22-0x00007FF8853E0000-0x00007FF885EA2000-memory.dmp

Filesize
10.8MB

Download
memory/3052-26-0x00007FF8853E0000-0x00007FF885EA2000-memory.dmp

Filesize
10.8MB

Download
memory/3052-1-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download