Overview

overview

10

Static

static

7

XwormLoader.exe

windows7-x64

10

XwormLoader.exe

windows10-2004-x64

10

XwormLoader.exe

windows10-ltsc 2021-x64

10

XwormLoader.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2024 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XwormLoader.exe

  • Size

    7.9MB

  • MD5

    5b757c6d0af650a77ba1bf7edea18b36

  • SHA1

    c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3

  • SHA256

    c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856

  • SHA512

    93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960

  • SSDEEP

    196608:T7b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr5:T7yvRZBEP3xZi5Oso+PWbXooL4Sa

Score
10/10
xwormexecutionrattrojan

Malware Config

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 4 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2432
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1856
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2860 -s 732
        3⤵
          PID:1516
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A8D.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2732
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {4243573B-9D04-41BC-BE1F-39E4075BAB86} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\ProgramData\svchost.exe
        C:\ProgramData\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\ProgramData\svchost.exe
        C:\ProgramData\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\ProgramData\svchost.exe
        C:\ProgramData\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      Filesize

      14.9MB

      MD5

      db51a102eab752762748a2dec8f7f67a

      SHA1

      194688ec1511b83063f7b0167ae250764b7591d1

      SHA256

      93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

      SHA512

      fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      144KB

      MD5

      4b90399888a12fb85ccc3d0190d5a1d3

      SHA1

      3326c027bac28b9480b0c7f621481a6cc033db4e

      SHA256

      cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

      SHA512

      899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp7A8D.tmp.bat
      Filesize

      163B

      MD5

      86e686d255a32c5e47ee1bab6ac74e38

      SHA1

      39480c2bf1f881e4cf2f10569d7763828ae709ff

      SHA256

      47988848e29989d75fdb76dab7cb85126132a375f247288e3f53d70b459282b2

      SHA512

      fedaa08448e8f1d3e2f59d5c22db495aa6a9738967a25fc4ab660568dedc5ba0b00c4684eb9b3886c2493f22ca462c7af47c8ad3e27af6c8b719f8e94742814a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OLWBPHVUNUDGWZJRLSE5.temp
      Filesize

      7KB

      MD5

      3cad15286daf263d8ec4a9f36aaab466

      SHA1

      0a69d0dd9e7ad7073b9807a71e2036248c2be72e

      SHA256

      7d98e16aecfbb8506ca1b66f4049e9be7bfa199dc90ff360e318c57faa123bce

      SHA512

      9d254ed6694c26017b3887403e489b63b64bf9f1f52c5073fd5029b8595546344d0935ab1653fdc16218f75ad3411015e223ea992bc1a69bea30e177b337d9f7

      Download Submit

    • memory/572-36-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/572-35-0x000000001B670000-0x000000001B952000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1428-60-0x00000000010A0000-0x00000000010CA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1948-42-0x000000001B500000-0x000000001B7E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1948-43-0x00000000026E0000-0x00000000026E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2204-50-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2204-49-0x000000001B520000-0x000000001B802000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2800-15-0x000007FEF2D53000-0x000007FEF2D54000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2800-16-0x0000000000EC0000-0x0000000000EEA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2816-9-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-29-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-6-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-3-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-2-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-0-0x000007FEF530E000-0x000007FEF530F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2816-13-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-12-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2816-1-0x000007FEF5050000-0x000007FEF59ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2860-30-0x0000000001340000-0x0000000002228000-memory.dmp

      Filesize

      14.9MB

      Download

    • memory/3024-63-0x0000000000220000-0x000000000024A000-memory.dmp

      Filesize

      168KB

      Download