xworm | 132936f10f4245a94e6fc13084b5cbecf2c5462bd9217050dabfb65e17605869

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/11/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Realtek HD Audio Universal Service.exe
Size

40KB
MD5

a29cf6541896f5be39c930c3737ff80c
SHA1

526d9571e0368b6d02130d98af32561024fdb803
SHA256

75abe13c29ec2a3a864d07299830be43502cb654bc1309b20e94c786fcc38631
SHA512

e883bce9aabd5999ba363eeb7260dedd08e5e7099a27d6132b93e1c1f83358613c1aea34ad90656f53c36295c1fab3eda2cfa75cb5bf1048813ad586d6ba8b3b
SSDEEP

768:QBj78fx6MooenBjJfDUbtRFH9OKw6BOMhtL05jP:U78p6MLeBjJfIbDFH93w6BOMTkjP

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.23:53638

Mutex

Itj6uNzPbdGmJ8JP

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral7/memory/2168-1-0x00000000000E0000-0x00000000000F0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2576	powershell.exe
1480	powershell.exe
2524	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.lnk	Realtek HD Audio Universal Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.lnk	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2860	powershell.exe
2576	powershell.exe
1480	powershell.exe
2524	powershell.exe
2168	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2860	2168	Realtek HD Audio Universal Service.exe	31
PID 2168 wrote to memory of 2860	2168	Realtek HD Audio Universal Service.exe	31
PID 2168 wrote to memory of 2860	2168	Realtek HD Audio Universal Service.exe	31
PID 2168 wrote to memory of 2576	2168	Realtek HD Audio Universal Service.exe	33
PID 2168 wrote to memory of 2576	2168	Realtek HD Audio Universal Service.exe	33
PID 2168 wrote to memory of 2576	2168	Realtek HD Audio Universal Service.exe	33
PID 2168 wrote to memory of 1480	2168	Realtek HD Audio Universal Service.exe	35
PID 2168 wrote to memory of 1480	2168	Realtek HD Audio Universal Service.exe	35
PID 2168 wrote to memory of 1480	2168	Realtek HD Audio Universal Service.exe	35
PID 2168 wrote to memory of 2524	2168	Realtek HD Audio Universal Service.exe	37
PID 2168 wrote to memory of 2524	2168	Realtek HD Audio Universal Service.exe	37
PID 2168 wrote to memory of 2524	2168	Realtek HD Audio Universal Service.exe	37

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
81b73080837d7c1fe21b2fd0123df197

SHA1
cdf1c200be99f9821b2c039fac38d59c71627103

SHA256
024cc5907069dba3392479739bfb242145e6fcfec01cd780f8e82ffb1e0781e4

SHA512
4eedc0ac688c481d16fd89b32f7776a8a2524a785828eb0d1d591eb59b7b3db662942385520345bff034a566160319cfa05f6273c69f85e58407ea580b9303a2

Download Submit
memory/2168-0-0x000007FEF50C3000-0x000007FEF50C4000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/2168-2-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2168-15-0x000007FEF50C3000-0x000007FEF50C4000-memory.dmp

Filesize
4KB

Download
memory/2168-33-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-16-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2576-17-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2860-7-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/2860-8-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2860-9-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download