xworm | ddfe0cfb0d6ff02a67de60e59a1f212403d075eb1afebccb7e21e094d463a33a

Resubmissions

18-11-2024 09:56

241118-lybc2atndv 10

18-11-2024 09:53

241118-lw2r7sypfn 10

Analysis

max time kernel
30s
max time network
19s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-11-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Admin Tools.rar.exe
Size

11.8MB
MD5

ddcffb7143bb8073f53391fd44159950
SHA1

e55cfccc6eefd6c8079f6e18459a3eb509107bd2
SHA256

ddfe0cfb0d6ff02a67de60e59a1f212403d075eb1afebccb7e21e094d463a33a
SHA512

1538f3ee18787485e727904eeac50ea6dbf207ff5aa61620223a33aa5c7c743d17c1ab9c499f04cb6e3954c28434f0dd01ef94412e2a62a94e77d9f996a8db27
SSDEEP

196608:lQXFWvrR+RBZuLVESPp94EMtwBVxCS8ns71EWradV3qAo5QiPZbdBD8h5sf0IfvB:l/URsVz2Z6BVxGmbeV3qc35sfFRf

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

FDifYDumKCtsXZEN

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045063-11.dat	family_xworm
behavioral1/memory/708-22-0x0000000000540000-0x000000000054E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Admin Tools.rar.exe

Executes dropped EXE 1 IoCs

pid	Process
708	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	Admin Tools.rar.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 708	3112	Admin Tools.rar.exe	83
PID 3112 wrote to memory of 708	3112	Admin Tools.rar.exe	83

C:\Users\Admin\AppData\Local\Temp\Admin Tools.rar.exe
"C:\Users\Admin\AppData\Local\Temp\Admin Tools.rar.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Admin Tools.rar

Filesize
11.8MB

MD5
e1ea29674dd974b512bcbce795125c36

SHA1
692eb95e5ebd143e52469de9881468c84cfa716a

SHA256
42160df9a104bb4a287477af00672753be7bdec93badce0c766fafd88da0af3f

SHA512
a3659c3d6021f86af1cf8c4f35247e71c30cc5944c5029477636da6f384233b9d6babc82bf3fa92ae3374d91a0fe71be9b84fbf69fdfc2138e621e3d839de0a9

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
32KB

MD5
c8adc1201433e732c762f4cca0ef59d5

SHA1
0ef49322427eee1735d2cd943d645453edbbc173

SHA256
0a66ae70b388aaa6ca8228d829345728739b631586440672faf0f9dd894cb994

SHA512
8f5d476a637da21a37f6b160b7a6281bc2aa952905ef06a61aa8b2851c5edf67b1528a7c46b6295856751b79de079aa05aea371cb7211074adcd97b3e537295e

Download Submit
memory/708-22-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/3112-0-0x00007FF9C30F3000-0x00007FF9C30F5000-memory.dmp

Filesize
8KB

Download
memory/3112-1-0x00000000006D0000-0x00000000012AC000-memory.dmp

Filesize
11.9MB

Download