Analysis
max time kernel: 44s
max time network: 46s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: Xworm V5.1-V5.2 installer.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Xworm V5.1-V5.2 installer.exe
  Resource: win10v2004-20241007-en
General
Target: Xworm V5.1-V5.2 installer.exe
Size: 60.5MB
MD5: b73b67a67327b19636c5f4dcdfca6e6d
SHA1: 17e034c0bd5ea7d9ad9fd034393d439131e77e2b
SHA256: 20b9ba2ee8130e7429e60d96866ead0162827d5b55260dfd4c37b3e0bb509984
SHA512: 6d06500798d5d03cb5f4a04d3414c0c8134e663ada30fa02e0c264b97397b99e27037f0fafba90f34988b65e8c0fd24157af05b18dd05379dfac17118b3e5f0b
SSDEEP: 1572864:4kBBFYEeY/J7z9ZKx+1s1iEVekGqaAVn+8:fPFYEhN9ZK0cVdGR2nT
Malware Config
Extracted
  family: xworm
  version: 5.0
  C2 (host:port): camera-leadership.gl.at.ply.gg:48241
  xfoLhSSL3ZKAFHgp (field left unlabelled by the extractor)
  Install_directory: %AppData%
  install_file: USB.exe
  telegram: https://api.telegram.org/bot7517837255:AAG0nEVWhvscgRKAU7DCjZPeuglJdFmcYws/sendMessage?chat_id=7538845070
Note that the install_file in this extracted config (USB.exe) does not match what the behavioral run below actually persists: the dropped client is XClient.exe and the Run key, scheduled task and startup .lnk all use the name "System User" under %AppData%. Both names are worth hunting for.
Signatures
Detect Xworm Payload 2 IoCs
  resource: behavioral1/files/0x000a000000012281-5.dat, yara_rule: family_xworm
  resource: behavioral1/memory/3016-7-0x0000000000CC0000-0x0000000000CD4000-memory.dmp (XClient.exe, pid 3016), yara_rule: family_xworm
Xworm family
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 2024 powershell.exe
  pid 2336 powershell.exe
  pid 580 powershell.exe
  pid 1516 powershell.exe
Drops startup file 2 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk (XClient.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk (XClient.exe)
Executes dropped EXE 4 IoCs
  pid 3016 XClient.exe
  pid 1364 MAL.exe
  pid 2760 MAL.exe
  pid 1208 Process not Found
Loads dropped DLL 4 IoCs
  pid 868 Xworm V5.1-V5.2 installer.exe
  pid 1364 MAL.exe
  pid 2760 MAL.exe
  pid 1208 Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User" (XClient.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com
UPX packed file (yara rule upx) 2 IoCs
  resource: behavioral1/files/0x00050000000195e6-38.dat, yara_rule: upx
  resource: behavioral1/memory/2760-40-0x000007FEF2630000-0x000007FEF2A9E000-memory.dmp (MAL.exe, pid 2760), yara_rule: upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 6 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings (rundll32.exe), logged 6 times, once per rundll32.exe instance in the process tree
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2372 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid 3016 XClient.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
  pid 2336 powershell.exe
  pid 580 powershell.exe
  pid 1516 powershell.exe
  pid 2024 powershell.exe
  pid 3016 XClient.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
  Token: SeDebugPrivilege, pid 3016 XClient.exe
  Token: SeDebugPrivilege, pid 2336 powershell.exe
  Token: SeDebugPrivilege, pid 580 powershell.exe
  Token: SeDebugPrivilege, pid 1516 powershell.exe
  Token: SeDebugPrivilege, pid 2024 powershell.exe
  Token: SeDebugPrivilege, pid 3016 XClient.exe
Suspicious use of SetWindowsHookEx 1 IoCs
  pid 3016 XClient.exe
Suspicious use of WriteProcessMemory 42 IoCs
  14 distinct parent-to-child pairs, each logged 3 times (source pid / process -> target pid / process, procid_target):
  868 Xworm V5.1-V5.2 installer.exe -> 3016 XClient.exe (31)
  868 Xworm V5.1-V5.2 installer.exe -> 1364 MAL.exe (32)
  1364 MAL.exe -> 2760 MAL.exe (33)
  868 Xworm V5.1-V5.2 installer.exe -> 2784 rundll32.exe (34)
  2784 rundll32.exe -> 2976 rundll32.exe (36)
  3016 XClient.exe -> 2336 powershell.exe (37)
  3016 XClient.exe -> 580 powershell.exe (39)
  3016 XClient.exe -> 1516 powershell.exe (41)
  3016 XClient.exe -> 2024 powershell.exe (43)
  3016 XClient.exe -> 2372 schtasks.exe (45)
  2976 rundll32.exe -> 1116 rundll32.exe (47)
  1116 rundll32.exe -> 1044 rundll32.exe (48)
  1044 rundll32.exe -> 2248 rundll32.exe (49)
  2248 rundll32.exe -> 1560 rundll32.exe (50)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Xworm V5.1-V5.2 installer.exe  PID:868
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Xworm V5.1-V5.2 installer.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\XClient.exe  PID:3016
      cmdline: "C:\Users\Admin\AppData\Roaming\XClient.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2336
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:580
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1516
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2024
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\schtasks.exe  PID:2372
        cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        - Scheduled Task/Job: Scheduled Task
  [2] C:\Users\Admin\AppData\Roaming\MAL.exe  PID:1364
      cmdline: "C:\Users\Admin\AppData\Roaming\MAL.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\MAL.exe  PID:2760
        cmdline: "C:\Users\Admin\AppData\Roaming\MAL.exe"
        - Executes dropped EXE
        - Loads dropped DLL
  [2] C:\Windows\system32\rundll32.exe  PID:2784
      cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\rundll32.exe  PID:2976
        cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\rundll32.exe  PID:1116
          cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\rundll32.exe  PID:1044
            cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\rundll32.exe  PID:2248
              cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\rundll32.exe  PID:1560
                cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
                - Modifies registry class
The six nested rundll32.exe processes all carry the identical shell32.dll,OpenAs_RunDLL command for the dropped XWorm_v5.1-5.2.7z, i.e. the "Open with" handler being re-invoked on an archive the sandbox has no application for; they are noise from the bundled archive, not payload execution. The XClient.exe branch is the one that matters: four Defender exclusions (path and process, for both XClient.exe and the persisted copy "System User"), then a scheduled task that re-runs "System User" from %AppData% every minute with /RL HIGHEST, on top of the Run key and startup .lnk recorded under Signatures.
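The four Add-MpPreference exclusions, the one-minute scheduled task and the Run value above are this run's entire defence-evasion and persistence footprint, and all of it is visible in ordinary process-creation and registry telemetry. The following is an added example, not code from the sandbox, from Triage or from XWorm: it applies three triage rules to records constructed from the command lines and the Run-key write shown in this report. The record layout (type, pid, ppid, image, cmdline; key, name, value) is an assumption rather than any real EDR schema. The rules deliberately generalise beyond this sample: they also accept Set-MpPreference, any unambiguous prefix of the exclusion parameter names (which PowerShell permits), RunOnce as well as Run, and every schtasks switch rather than only the ones used here.

```python
"""Triage rules for the defence-evasion and persistence behaviour in this report.

Added example, not code from the sandbox or from XWorm. The records below are
constructed from the process tree and Run-key IoC above; their shape is an
assumed EDR-like layout, not a real schema. Technique IDs are MITRE ATT&CK.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str  # ATT&CK technique ID
    detail: str


# Quoted arguments stay whole; the surrounding quotes are stripped afterwards.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
# Directories an unprivileged user can write to: a persisted binary living here
# is what separates this sample from an administrator's own task or exclusion.
_USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Add-/Set-MpPreference exclusion parameters; PowerShell accepts any unambiguous prefix.
_EXCLUSION_PARAMS = ("-exclusionpath", "-exclusionprocess", "-exclusionextension", "-exclusionipaddress")
_SCHTASKS_BARE = {"/create", "/delete", "/change", "/run", "/end", "/query", "/f", "/it", "/z", "/np"}


def tokens(cmdline: str) -> list[str]:
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in _USER_WRITABLE)


def defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every Defender exclusion the command adds."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if not any(t in ("add-mppreference", "set-mppreference") for t in low):
        return []
    found = []
    for i, t in enumerate(low[:-1]):
        hits = [p for p in _EXCLUSION_PARAMS if t.startswith("-") and p.startswith(t)]
        if len(hits) == 1:  # exact parameter name or an unambiguous prefix of it
            found.append((hits[0][len("-exclusion"):], toks[i + 1]))
    return found


def parse_schtasks(cmdline: str) -> dict | None:
    """Map schtasks.exe switches to their values, e.g. {'/create': True, '/tn': 'System User'}."""
    toks = tokens(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in _SCHTASKS_BARE:
            opts[t] = True
            i += 1
        elif t.startswith("/") and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def triage(events: list[dict]) -> list[Finding]:
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            image = e["image"].lower().rsplit("\\", 1)[-1]
            parent = procs.get(e["ppid"], {}).get("image", "<unknown>")
            if image == "powershell.exe":
                for kind, value in defender_exclusions(e["cmdline"]):
                    findings.append(Finding(e["pid"], "T1562.001",
                                            f"Defender {kind} exclusion for {value!r}, PowerShell spawned by {parent}"))
            elif image == "schtasks.exe":
                o = parse_schtasks(e["cmdline"]) or {}
                tr = o.get("/tr", "")
                # A task re-running a user-writable binary every few minutes is a persistence
                # loop, not an admin job; /RL HIGHEST makes it run with full token privileges.
                if o.get("/create") and o.get("/sc", "").lower() == "minute" and user_writable(tr):
                    findings.append(Finding(e["pid"], "T1053.005",
                                            f"task {o.get('/tn')!r} runs {tr!r} every {o.get('/mo', '1')} min, /RL {o.get('/rl', 'LIMITED')}"))
        elif e["type"] == "registry":
            if re.search(r"\\currentversion\\run(once)?$", e["key"].lower()) and user_writable(e["value"]):
                findings.append(Finding(e["pid"], "T1547.001", f"Run value {e['name']!r} -> {e['value']!r}"))
    return findings


# Constructed records, taken from the process tree and the Run-key IoC in this report.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PS_ADD = f'"{_PS}" -ExecutionPolicy Bypass Add-MpPreference '


def _proc(pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    _proc(868, 0, r"C:\Users\Admin\AppData\Local\Temp\Xworm V5.1-V5.2 installer.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Xworm V5.1-V5.2 installer.exe"'),
    _proc(3016, 868, r"C:\Users\Admin\AppData\Roaming\XClient.exe", r'"C:\Users\Admin\AppData\Roaming\XClient.exe"'),
    _proc(2336, 3016, _PS, _PS_ADD + r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"),
    _proc(580, 3016, _PS, _PS_ADD + r"-ExclusionProcess 'XClient.exe'"),
    _proc(1516, 3016, _PS, _PS_ADD + r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'"),
    _proc(2024, 3016, _PS, _PS_ADD + r"-ExclusionProcess 'System User'"),
    _proc(2372, 3016, r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"'),
    {"type": "registry", "pid": 3016, "name": "System User",
     "key": r"\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\Admin\AppData\Roaming\System User"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.technique}  pid {f.pid}: {f.detail}")
```

Run against the constructed records this yields six findings: four T1562.001 (one per exclusion), one T1053.005 for the "System User" task and one T1547.001 for the Run value. The user-writable-path test is what keeps the task and Run-key rules from firing on an administrator's backup job or an installer in Program Files; the Defender rule has no such filter, because adding an exclusion from an interactive PowerShell spawned by a binary in %AppData% is worth a ticket on its own, and the parent image is carried in the finding so the analyst can see that at a glance.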
Network
MITRE ATT&CK Enterprise v15
Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
The Add-MpPreference exclusions are mapped here only under Execution: PowerShell; ATT&CK also classifies modifying Defender exclusions as Defense Evasion: Impair Defenses, Disable or Modify Tools (T1562.001), which is the tag a detection for this run should carry.
Downloads
Filesize: 1.4MB
MD5: 178a0f45fde7db40c238f1340a0c0ec0
SHA1: dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
SHA256: 9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
SHA512: 4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 1f96b91fb49f9f8b5f65ebaab027321e
SHA1: 48d1a76b7b3be69bf1b654ba2898cf41a900c85a
SHA256: 424bd8c92fc67da34f26efcf6eb961328ba54a543274db822aeff986dd6f4514
SHA512: 9f340ec450bf25d9b7f878e34f0efb9de3e2f3bb20c17acaf911b134411cc391e34c38c649524b9ecc1cf9a0accccf9a8d76d588a9312f01740393c78cbf1c9f

Filesize: 58KB
MD5: 96876c85b8d3576dddadf8da920fdb84
SHA1: c8fa3c8f44e13623e26ac91f5d658ea63d541d12
SHA256: 8d31334e331796c6fd64e09e2ff75b175ce98a8495807c8175cd79c9e858b030
SHA512: a7be884f7820b26191aad4ab9085ab8a8797780d789ea971425978f3347c2ddaa1d38221a953e0787d9fa4fb992059b3893722399dd959e28907a4dbae2dbffb

Filesize: 6.0MB
MD5: d3ee3274fbca59750c65a339899fc20a
SHA1: c00e033488adb248a66564e4bdf7b6d282211308
SHA256: fad76babccde97b63de77e123d2e4f6cfcc2c205f9bd288a017e0e3769e8b750
SHA512: 935c777105a1461ce4a463e39344e63d1ad7ffc9b540f1e05f3bafd263486428164819bfec0f5b47621bf7c7a3f709d1bfb656521d7c85f52686cab537a2bd6a