Resubmissions

30/12/2024, 14:26

241230-rsar7sxkhl 10

30/12/2024, 14:22

241230-rp3ntaxkdj 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    30/12/2024, 14:22

General

  • Target

    XWorm-5.6-main.zip

  • Size

    25.1MB

  • MD5

    95c1c4a3673071e05814af8b2a138be4

  • SHA1

    4c08b79195e0ff13b63cfb0e815a09dc426ac340

  • SHA256

    7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

  • SHA512

    339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

  • SSDEEP

    786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

ztzWORSYUJhMLDSY

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2868
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3144
  • C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
    "C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5480
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtcoixka\wtcoixka.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9600983F18234287BD691BA914E2486.TMP"
        3⤵
        PID:5956
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:3588
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x44c 0x2d4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4676
  • C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
    "C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:6064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
  • C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
    "C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          3eb3833f769dd890afc295b977eab4b4

          SHA1

          e857649b037939602c72ad003e5d3698695f436f

          SHA256

          c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

          SHA512

          c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          7451d65fa212ac5aa698a76cc857e36d

          SHA1

          08a6f0eedea364699ebe276204161b92584b1c84

          SHA256

          98fa016ca13ba1441462ebb9f773317e741ef0af34dd717025840a14a4851e81

          SHA512

          f6633b704e7f0bc4e53c788f17f4e373e1e3c16bb94da42121756e72b878266dc38912b6dd3fdc111c2a3d2055904760dbe16076b0b8d6c6715f273d28f3045d

        • C:\Users\Admin\AppData\Local\Temp\RESCB07.tmp

          Filesize

          1KB

          MD5

          06d57749e79c663a73dd0c7915e45b4e

          SHA1

          9c39fb80d8c7b777feee04a7e30feaccd1b6f4a0

          SHA256

          e1724f1fbd652165c22c2db532d2d850f583ac0b168506e799f32c03082f7f56

          SHA512

          fd1e2473bd729d7d46cb5a443b21d119c3b071e986bf8d7f7e9fe094ea2b9612e72916cc3a54cf6bc4c922004bac694b68f8d22f1e6b53b45d9f786116ae0c84

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fj05ihlv.s5m.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\vbc9600983F18234287BD691BA914E2486.TMP

          Filesize

          1KB

          MD5

          d40c58bd46211e4ffcbfbdfac7c2bb69

          SHA1

          c5cf88224acc284a4e81bd612369f0e39f3ac604

          SHA256

          01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

          SHA512

          48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

        • C:\Users\Admin\AppData\Local\Temp\wtcoixka\wtcoixka.0.vb

          Filesize

          78KB

          MD5

          72bba8c8d0795e7503a7ca94b7ac0d61

          SHA1

          a1fb3a7cbc8841d79d0e6027b2c292540a2617c5

          SHA256

          484c67a3dfdaa0f9c1f9905bbe1021a1f287ff7c780b806819a0fe37b0647063

          SHA512

          36efc8aad857ec43f2e27a5fda605c3ef357f2c57ee449f1bee5bb37dad1f99519ac83a46559e8c02b6e1e6d8ba62c654ae73c2102c38da6d1dda47dc34531b7

        • C:\Users\Admin\AppData\Local\Temp\wtcoixka\wtcoixka.cmdline

          Filesize

          320B

          MD5

          def97caac22636d13d444b2990f09100

          SHA1

          91fa7ec2bd84a3349a3e4471f141a26d7072ef58

          SHA256

          7ae816f747a336b9e3ad9d6f1abf6e76e24a6ebff2aa6a0017a15b9c0c32efa7

          SHA512

          9d63c88fbb7e953bb0407480af1c9f5c03496ec9595ac5f8bb00de9cca6d31ce024aa5f20497d938340325de1ad7fc8451b1e98f83e9e8263cdbf1eb0da37be6

        • C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

          Filesize

          39KB

          MD5

          eb739fa1e1960edafc6a9c86d8675ad5

          SHA1

          4304cdc58e4bbe3aecd80c195bbf6fb70663911a

          SHA256

          00783f24bd4e18692efbbcfa3b456797ce79ae40f072d137a8443524508feecf

          SHA512

          2211788282a80440e9ebb96b5ea1059fa52d3d458e3e38c2eede242b2d72e9e08adb6bafef363f821711efe44a1bba9bbbe79a9d3c94c25255d1ca7269f5eaea

        • C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

          Filesize

          71KB

          MD5

          15ac5cd463852ec8a1953f842e47eeb4

          SHA1

          e8f96c5aaf25f822a04fa16cf43720dc47f0e69b

          SHA256

          250ff7a7c616c4b3d2d48e59b76b9239f38402c6d5c8c8e8dbb76e39a8fd5500

          SHA512

          7dc2bacb6681ed836a3ce74549150e43d859b3d9eecd2243da3f07ee296f560498170c4396458e1fa30a738e8a2bb04cec4018016036693b1bcadc62564602f9

        • C:\Users\Admin\Desktop\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe

          Filesize

          490KB

          MD5

          9c9245810bad661af3d6efec543d34fd

          SHA1

          93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

          SHA256

          f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

          SHA512

          90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

        • memory/2248-35-0x000002B949130000-0x000002B949152000-memory.dmp

          Filesize

          136KB

        • memory/5480-3-0x000002D82FA00000-0x000002D82FBF4000-memory.dmp

          Filesize

          2.0MB

        • memory/5480-4-0x00007FF9332E3000-0x00007FF9332E5000-memory.dmp

          Filesize

          8KB

        • memory/5480-6-0x000002D836F50000-0x000002D8370B8000-memory.dmp

          Filesize

          1.4MB

        • memory/5480-2-0x000002D811A50000-0x000002D812938000-memory.dmp

          Filesize

          14.9MB

        • memory/5480-1-0x00007FF9332E3000-0x00007FF9332E5000-memory.dmp

          Filesize

          8KB

        • memory/5480-52-0x000002D82EBC0000-0x000002D82EC42000-memory.dmp

          Filesize

          520KB

        • memory/5480-53-0x000002D82EB60000-0x000002D82EB8C000-memory.dmp

          Filesize

          176KB

        • memory/5480-54-0x000002D8373B0000-0x000002D837692000-memory.dmp

          Filesize

          2.9MB

        • memory/5480-55-0x000002D8370C0000-0x000002D837172000-memory.dmp

          Filesize

          712KB

        • memory/6064-25-0x0000000000F30000-0x0000000000F48000-memory.dmp

          Filesize

          96KB