xworm | 132936f10f4245a94e6fc13084b5cbecf2c5462bd9217050dabfb65e17605869

Analysis

max time kernel
129s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/11/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Shell Experience Host.exe
Size

86KB
MD5

17f122079462e212871a1e2eb20eaff9
SHA1

349e4b54323acce835916a2bbe40dc9c5d30931f
SHA256

f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e
SHA512

95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94
SSDEEP

768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.20:65300

Mutex

RMe1pa1UgjNcB2Un

Attributes

Install_directory
%AppData%
install_file
Windows Shell Experience Host.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral13/memory/2252-1-0x0000000000D10000-0x0000000000D2A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
2568	powershell.exe
1160	powershell.exe
2992	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Shell Experience Host.lnk	Windows Shell Experience Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Shell Experience Host.lnk	Windows Shell Experience Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Shell Experience Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Shell Experience Host.exe"	Windows Shell Experience Host.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2868	powershell.exe
2568	powershell.exe
1160	powershell.exe
2992	powershell.exe
2252	Windows Shell Experience Host.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	Windows Shell Experience Host.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2252	Windows Shell Experience Host.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2868	2252	Windows Shell Experience Host.exe	31
PID 2252 wrote to memory of 2868	2252	Windows Shell Experience Host.exe	31
PID 2252 wrote to memory of 2868	2252	Windows Shell Experience Host.exe	31
PID 2252 wrote to memory of 2568	2252	Windows Shell Experience Host.exe	33
PID 2252 wrote to memory of 2568	2252	Windows Shell Experience Host.exe	33
PID 2252 wrote to memory of 2568	2252	Windows Shell Experience Host.exe	33
PID 2252 wrote to memory of 1160	2252	Windows Shell Experience Host.exe	35
PID 2252 wrote to memory of 1160	2252	Windows Shell Experience Host.exe	35
PID 2252 wrote to memory of 1160	2252	Windows Shell Experience Host.exe	35
PID 2252 wrote to memory of 2992	2252	Windows Shell Experience Host.exe	37
PID 2252 wrote to memory of 2992	2252	Windows Shell Experience Host.exe	37
PID 2252 wrote to memory of 2992	2252	Windows Shell Experience Host.exe	37

C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Shell Experience Host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0b89800a733741228c4d4ac89db55af0

SHA1
2ee0ba86f2a30c84b0fbd8063a367bcda5f2cd58

SHA256
478bbdd91f9d4642ffdeb8caebcf4e66b6f40bdf0e95f4c19f4bf60fd77e4d50

SHA512
1e710b7e6e7817892dbc7691dd140b9d52befffc82a2bb921414fa25875256d7ff6cc6f245ba3045fc06023da21d9fc6af4fe67a7dd9b851e4107631af8a30b4

Download Submit
memory/2252-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000000D10000-0x0000000000D2A000-memory.dmp

Filesize
104KB

Download
memory/2252-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-17-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2252-33-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-15-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2568-16-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2868-7-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/2868-8-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2868-9-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download