xworm | f056b8a8aa21ea9fda55f3437fdbc493a0c9b5f341cc92f53e0ef962d4811315

Analysis

max time kernel
131s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm_V5.6.rar
Size

22.7MB
MD5

7cc04f4750fbcc52368b58baca67c915
SHA1

c3d2935b4ecfb9caa86bfbc7a3b0082a34edf447
SHA256

f056b8a8aa21ea9fda55f3437fdbc493a0c9b5f341cc92f53e0ef962d4811315
SHA512

c92e8dd1ad87cf92915444239bf5b3041a0753be6c34a6291761d4ac875965514b9e460b27b0a0835980bffa807bbb5e3eaaaaad57417cbd890259afc8ccf23c
SSDEEP

393216:phBT2GKhaSl9luSkfZseOatwwKMMTdBxgs1ZLqU95n2+bGsj10vdrP9aTqf:12pkalDeBKMMTZJH9t2ej0V9a+

Score

10^/10

xworm execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2796-25-0x0000000001050000-0x0000000001096000-memory.dmp	family_xworm
behavioral1/files/0x0007000000018c1a-24.dat	family_xworm
behavioral1/memory/1508-54-0x0000000000E40000-0x0000000000E86000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
1300	powershell.exe
536	powershell.exe
3012	powershell.exe

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x00350000000174a2-5.dat	net_reactor
behavioral1/memory/2796-25-0x0000000001050000-0x0000000001096000-memory.dmp	net_reactor
behavioral1/files/0x0007000000018c1a-24.dat	net_reactor
behavioral1/memory/1508-54-0x0000000000E40000-0x0000000000E86000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
2044	XwormLoader.exe
3000	Xworm V5.6.exe
2796	msedge.exe
1508	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
316	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2796	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2648	7zFM.exe
2924	powershell.exe
1300	powershell.exe
536	powershell.exe
3012	powershell.exe
2796	msedge.exe
2648	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2648	7zFM.exe
Token: 35	2648	7zFM.exe
Token: SeSecurityPrivilege	2648	7zFM.exe
Token: SeDebugPrivilege	2796	msedge.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1508	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2648	7zFM.exe
2648	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	msedge.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2044	2648	7zFM.exe	30
PID 2648 wrote to memory of 2044	2648	7zFM.exe	30
PID 2648 wrote to memory of 2044	2648	7zFM.exe	30
PID 2044 wrote to memory of 3000	2044	XwormLoader.exe	31
PID 2044 wrote to memory of 3000	2044	XwormLoader.exe	31
PID 2044 wrote to memory of 3000	2044	XwormLoader.exe	31
PID 2044 wrote to memory of 2796	2044	XwormLoader.exe	32
PID 2044 wrote to memory of 2796	2044	XwormLoader.exe	32
PID 2044 wrote to memory of 2796	2044	XwormLoader.exe	32
PID 2796 wrote to memory of 2924	2796	msedge.exe	33
PID 2796 wrote to memory of 2924	2796	msedge.exe	33
PID 2796 wrote to memory of 2924	2796	msedge.exe	33
PID 2796 wrote to memory of 1300	2796	msedge.exe	35
PID 2796 wrote to memory of 1300	2796	msedge.exe	35
PID 2796 wrote to memory of 1300	2796	msedge.exe	35
PID 2796 wrote to memory of 536	2796	msedge.exe	37
PID 2796 wrote to memory of 536	2796	msedge.exe	37
PID 2796 wrote to memory of 536	2796	msedge.exe	37
PID 2796 wrote to memory of 3012	2796	msedge.exe	39
PID 2796 wrote to memory of 3012	2796	msedge.exe	39
PID 2796 wrote to memory of 3012	2796	msedge.exe	39
PID 3000 wrote to memory of 3020	3000	Xworm V5.6.exe	41
PID 3000 wrote to memory of 3020	3000	Xworm V5.6.exe	41
PID 3000 wrote to memory of 3020	3000	Xworm V5.6.exe	41
PID 2796 wrote to memory of 316	2796	msedge.exe	42
PID 2796 wrote to memory of 316	2796	msedge.exe	42
PID 2796 wrote to memory of 316	2796	msedge.exe	42
PID 2220 wrote to memory of 1508	2220	taskeng.exe	45
PID 2220 wrote to memory of 1508	2220	taskeng.exe	45
PID 2220 wrote to memory of 1508	2220	taskeng.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\7zO85AE8DB8\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85AE8DB8\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\7zO85AE8DB8\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO85AE8DB8\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3000 -s 728
      4⤵
      PID:3020
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\ProgramData\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {0ACE9923-E4B3-46FE-9C3F-A9F21A386C2A} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\ProgramData\msedge.exe
  C:\ProgramData\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO85AE8DB8\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO85AE8DB8\XwormLoader.exe

Filesize
7.9MB

MD5
e54c5c52d61e8ac84de0734e3bd6a5ae

SHA1
5e5b17324299db66a190b045e1bb82eca41925c2

SHA256
9f4bc9e76161ebf56529144557af326d8a10c3dc294bc807d261bb8947e8a686

SHA512
e5488141617ba6d12250527c71c44719885895d92ee51298ca04618ca0a16cdfd6e16b901ad63dc3a8a0b377ee32faf47ffac96f864dba76f12501b9bb89a71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
259KB

MD5
0819c29b98a1109734309488f0c750d6

SHA1
ef8b24c2f73f6ea03210569eefdcd9fa66f3da9f

SHA256
3ad00630e82b94fe1e2cc1c5ec235dced73afef540ae1d551a4c74add3f872cb

SHA512
f606e0c0f9be376016c3fc4a4f8f0820e54b3f0a4c03b992acf8e4acbef3caf0b85d88b442eea8560407a4f4afc3f2870fe13a9d32601ba7b3517af294326d8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a6796e5661e71a63791793aca8ba568b

SHA1
30172c8083ca4af2b4b13e4a0250af468c302b6a

SHA256
faaa1367ec959eb7bf891eb9a576a9b18edd82f02f9e51f9321d07d76d9a71d3

SHA512
7ceb348e275343b0591f91badce5aa9a6747cbe0198fcb3ec384a8a375b623d583b45ab1252b83d089434d2c2462c9dc286ade965e5fbae3008d8c871f509664

Download Submit
memory/1300-38-0x000000001B930000-0x000000001BC12000-memory.dmp

Filesize
2.9MB

Download
memory/1300-39-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1508-54-0x0000000000E40000-0x0000000000E86000-memory.dmp

Filesize
280KB

Download
memory/2796-25-0x0000000001050000-0x0000000001096000-memory.dmp

Filesize
280KB

Download
memory/2924-30-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2924-31-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/3000-21-0x0000000000B50000-0x0000000001A38000-memory.dmp

Filesize
14.9MB

Download