xworm | 30c6dca8d7298ad8b76d2b4fb29ba10778537df7552e5aeafaad63ffa7287807

Analysis

max time kernel
145s
max time network
131s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skype.exe
Size

74KB
MD5

ab7fe54a2dff556af9d0f6524169f305
SHA1

cfd61fb50874d48900f8a058f2f2500aa4caafeb
SHA256

1947f33f50a76eb1093d5bdbc01979f086dbe1f3e9b8501afc4547ed14ea8b5c
SHA512

e7b054fa38fdce9283dcd2fa8f9e8d0cfae813825a6626582aeb089d53e2fe9bb50a18c145d938006f88b2d87e936600db24ba41d480eb49e8a31b26ada6be8c
SSDEEP

1536:A6hZ2mK295bW4yZWalfT/T+bFXQMRYYPp6+B+ORSH5DWoYd2E:AK995qrZT+bNQzSBB+ORSZDWozE

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7521

chf35s6.localto.net:7521

Attributes

Install_directory
%LocalAppData%
install_file
System.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral7/memory/2580-1-0x0000000001250000-0x0000000001268000-memory.dmp	family_xworm
behavioral7/files/0x000d0000000165c7-34.dat	family_xworm
behavioral7/memory/1788-36-0x0000000000D40000-0x0000000000D58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2488	powershell.exe
2764	powershell.exe
2928	powershell.exe
2912	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	Skype.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	Skype.exe

Executes dropped EXE 3 IoCs

pid	Process
1788	System.exe
2232	System.exe
1472	System.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\System.exe"	Skype.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2488	powershell.exe
2764	powershell.exe
2928	powershell.exe
2912	powershell.exe
2580	Skype.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	Skype.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2580	Skype.exe
Token: SeDebugPrivilege	1788	System.exe
Token: SeDebugPrivilege	2232	System.exe
Token: SeDebugPrivilege	1472	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2580	Skype.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2488	2580	Skype.exe	30
PID 2580 wrote to memory of 2488	2580	Skype.exe	30
PID 2580 wrote to memory of 2488	2580	Skype.exe	30
PID 2580 wrote to memory of 2764	2580	Skype.exe	32
PID 2580 wrote to memory of 2764	2580	Skype.exe	32
PID 2580 wrote to memory of 2764	2580	Skype.exe	32
PID 2580 wrote to memory of 2928	2580	Skype.exe	34
PID 2580 wrote to memory of 2928	2580	Skype.exe	34
PID 2580 wrote to memory of 2928	2580	Skype.exe	34
PID 2580 wrote to memory of 2912	2580	Skype.exe	36
PID 2580 wrote to memory of 2912	2580	Skype.exe	36
PID 2580 wrote to memory of 2912	2580	Skype.exe	36
PID 2580 wrote to memory of 2700	2580	Skype.exe	39
PID 2580 wrote to memory of 2700	2580	Skype.exe	39
PID 2580 wrote to memory of 2700	2580	Skype.exe	39
PID 1596 wrote to memory of 1788	1596	taskeng.exe	42
PID 1596 wrote to memory of 1788	1596	taskeng.exe	42
PID 1596 wrote to memory of 1788	1596	taskeng.exe	42
PID 1596 wrote to memory of 2232	1596	taskeng.exe	43
PID 1596 wrote to memory of 2232	1596	taskeng.exe	43
PID 1596 wrote to memory of 2232	1596	taskeng.exe	43
PID 1596 wrote to memory of 1472	1596	taskeng.exe	44
PID 1596 wrote to memory of 1472	1596	taskeng.exe	44
PID 1596 wrote to memory of 1472	1596	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Skype.exe
"C:\Users\Admin\AppData\Local\Temp\Skype.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Skype.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Skype.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Local\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {C4C74966-9B6F-4109-ADAE-BA6EB678A1E6} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\System.exe
  C:\Users\Admin\AppData\Local\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Users\Admin\AppData\Local\System.exe
  C:\Users\Admin\AppData\Local\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Admin\AppData\Local\System.exe
  C:\Users\Admin\AppData\Local\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\System.exe

Filesize
74KB

MD5
ab7fe54a2dff556af9d0f6524169f305

SHA1
cfd61fb50874d48900f8a058f2f2500aa4caafeb

SHA256
1947f33f50a76eb1093d5bdbc01979f086dbe1f3e9b8501afc4547ed14ea8b5c

SHA512
e7b054fa38fdce9283dcd2fa8f9e8d0cfae813825a6626582aeb089d53e2fe9bb50a18c145d938006f88b2d87e936600db24ba41d480eb49e8a31b26ada6be8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X1VE9CQC0MOO98MAVB8A.temp

Filesize
7KB

MD5
825e2c3781c9a8c7381d7b97dfe2c87c

SHA1
b1b47ff605a991167a25fece35788a31776292f2

SHA256
babde752c845ef6ab5b1d6e70322c6c2e1be970bd92ea4d0ae3a4ad52e2ff380

SHA512
18e757268481c0f3b6b1a0ec55de52c342250f751a89c5c978a26d389be511e07ef95aec417073bcf5c49f06a2b8c60a76b8370d44ae67f46fe9d40bbb971cca

Download Submit
memory/1788-36-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/2488-6-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2488-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2488-8-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2580-31-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2580-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2580-32-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2580-1-0x0000000001250000-0x0000000001268000-memory.dmp

Filesize
96KB

Download
memory/2764-15-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2764-14-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download