xworm | ddfe0cfb0d6ff02a67de60e59a1f212403d075eb1afebccb7e21e094d463a33a

Analysis

max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdminTools.rar.exe
Size

11.8MB
MD5

ddcffb7143bb8073f53391fd44159950
SHA1

e55cfccc6eefd6c8079f6e18459a3eb509107bd2
SHA256

ddfe0cfb0d6ff02a67de60e59a1f212403d075eb1afebccb7e21e094d463a33a
SHA512

1538f3ee18787485e727904eeac50ea6dbf207ff5aa61620223a33aa5c7c743d17c1ab9c499f04cb6e3954c28434f0dd01ef94412e2a62a94e77d9f996a8db27
SSDEEP

196608:lQXFWvrR+RBZuLVESPp94EMtwBVxCS8ns71EWradV3qAo5QiPZbdBD8h5sf0IfvB:l/URsVz2Z6BVxGmbeV3qc35sfFRf

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

FDifYDumKCtsXZEN

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb4-8.dat	family_xworm
behavioral2/memory/3680-16-0x0000000000B50000-0x0000000000B5E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	AdminTools.rar.exe

Executes dropped EXE 1 IoCs

pid	Process
3680	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	AdminTools.rar.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3636	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 3680	544	AdminTools.rar.exe	86
PID 544 wrote to memory of 3680	544	AdminTools.rar.exe	86

C:\Users\Admin\AppData\Local\Temp\AdminTools.rar.exe
"C:\Users\Admin\AppData\Local\Temp\AdminTools.rar.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
32KB

MD5
c8adc1201433e732c762f4cca0ef59d5

SHA1
0ef49322427eee1735d2cd943d645453edbbc173

SHA256
0a66ae70b388aaa6ca8228d829345728739b631586440672faf0f9dd894cb994

SHA512
8f5d476a637da21a37f6b160b7a6281bc2aa952905ef06a61aa8b2851c5edf67b1528a7c46b6295856751b79de079aa05aea371cb7211074adcd97b3e537295e

Download Submit
memory/544-0-0x00007FF814CB3000-0x00007FF814CB5000-memory.dmp

Filesize
8KB

Download
memory/544-1-0x0000000000490000-0x000000000106C000-memory.dmp

Filesize
11.9MB

Download
memory/3680-16-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download