Analysis

  • max time kernel
    44s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2024 18:32

General

  • Target

    Xworm V5.1-V5.2 installer.exe

  • Size

    60.5MB

  • MD5

    b73b67a67327b19636c5f4dcdfca6e6d

  • SHA1

    17e034c0bd5ea7d9ad9fd034393d439131e77e2b

  • SHA256

    20b9ba2ee8130e7429e60d96866ead0162827d5b55260dfd4c37b3e0bb509984

  • SHA512

    6d06500798d5d03cb5f4a04d3414c0c8134e663ada30fa02e0c264b97397b99e27037f0fafba90f34988b65e8c0fd24157af05b18dd05379dfac17118b3e5f0b

  • SSDEEP

    1572864:4kBBFYEeY/J7z9ZKx+1s1iEVekGqaAVn+8:fPFYEhN9ZK0cVdGR2nT

Malware Config

Extracted

Family

xworm

Version

5.0

C2

camera-leadership.gl.at.ply.gg:48241

Mutex

xfoLhSSL3ZKAFHgp

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7517837255:AAG0nEVWhvscgRKAU7DCjZPeuglJdFmcYws/sendMessage?chat_id=7538845070

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xworm V5.1-V5.2 installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.1-V5.2 installer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:580
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2372
    • C:\Users\Admin\AppData\Roaming\MAL.exe
      "C:\Users\Admin\AppData\Roaming\MAL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Roaming\MAL.exe
        "C:\Users\Admin\AppData\Roaming\MAL.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2760
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
          4⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
            5⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1044
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
              6⤵
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XWorm_v5.1-5.2.7z
                7⤵
                • Modifies registry class
                PID:1560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI13642\python310.dll

    Filesize

    1.4MB

    MD5

    178a0f45fde7db40c238f1340a0c0ec0

    SHA1

    dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

    SHA256

    9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

    SHA512

    4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    1f96b91fb49f9f8b5f65ebaab027321e

    SHA1

    48d1a76b7b3be69bf1b654ba2898cf41a900c85a

    SHA256

    424bd8c92fc67da34f26efcf6eb961328ba54a543274db822aeff986dd6f4514

    SHA512

    9f340ec450bf25d9b7f878e34f0efb9de3e2f3bb20c17acaf911b134411cc391e34c38c649524b9ecc1cf9a0accccf9a8d76d588a9312f01740393c78cbf1c9f

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    58KB

    MD5

    96876c85b8d3576dddadf8da920fdb84

    SHA1

    c8fa3c8f44e13623e26ac91f5d658ea63d541d12

    SHA256

    8d31334e331796c6fd64e09e2ff75b175ce98a8495807c8175cd79c9e858b030

    SHA512

    a7be884f7820b26191aad4ab9085ab8a8797780d789ea971425978f3347c2ddaa1d38221a953e0787d9fa4fb992059b3893722399dd959e28907a4dbae2dbffb

  • \Users\Admin\AppData\Roaming\MAL.exe

    Filesize

    6.0MB

    MD5

    d3ee3274fbca59750c65a339899fc20a

    SHA1

    c00e033488adb248a66564e4bdf7b6d282211308

    SHA256

    fad76babccde97b63de77e123d2e4f6cfcc2c205f9bd288a017e0e3769e8b750

    SHA512

    935c777105a1461ce4a463e39344e63d1ad7ffc9b540f1e05f3bafd263486428164819bfec0f5b47621bf7c7a3f709d1bfb656521d7c85f52686cab537a2bd6a

  • memory/580-54-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

  • memory/580-55-0x00000000027A0000-0x00000000027A8000-memory.dmp

    Filesize

    32KB

  • memory/868-1-0x00000000010D0000-0x0000000004D5C000-memory.dmp

    Filesize

    60.5MB

  • memory/868-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

    Filesize

    4KB

  • memory/2336-47-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2336-48-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB

  • memory/2760-40-0x000007FEF2630000-0x000007FEF2A9E000-memory.dmp

    Filesize

    4.4MB

  • memory/3016-9-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

    Filesize

    9.9MB

  • memory/3016-42-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

    Filesize

    9.9MB

  • memory/3016-7-0x0000000000CC0000-0x0000000000CD4000-memory.dmp

    Filesize

    80KB

  • memory/3016-71-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

    Filesize

    9.9MB

  • memory/3016-73-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

    Filesize

    9.9MB