xworm | 734583184759ee71d9a25e037f25e409f2f1c7adfd1927bf6838bbfb62f2195e

Resubmissions

18/01/2025, 02:54

250118-dd9fbs1ncr 10

18/01/2025, 02:49

250118-da9a6azrcz 10

18/01/2025, 02:47

250118-c9v25s1mcq 10

Analysis

max time kernel
94s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2025, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

61KB
MD5

6afe04684a757675a359e7152592e644
SHA1

d436a89ed573a6f5cb5d9b5f5d971cc12ac09e7b
SHA256

734583184759ee71d9a25e037f25e409f2f1c7adfd1927bf6838bbfb62f2195e
SHA512

25d29d6ceb7d2aaf57d689dba5bad64268151cad17d989b34dadb5146a10f6e15e9a424c927a453d2cdc0e78e0561c348d78e98c1250fc590420ad21b3bed94a
SSDEEP

1536:wmtWxjhNJeaJXi+btWeYpive5scO3yKWRC6:wPjhNwaJXi+bw3EqhO3yKWU6

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:18889

147.185.221.25:18889

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1100-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1644	WINWORD.EXE
1644	WINWORD.EXE
2328	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1100	Update.exe
4860	mspaint.exe
4860	mspaint.exe
3364	mspaint.exe
3364	mspaint.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	Update.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1100	Update.exe
1644	WINWORD.EXE
1644	WINWORD.EXE
1644	WINWORD.EXE
1644	WINWORD.EXE
1644	WINWORD.EXE
1644	WINWORD.EXE
1644	WINWORD.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE
4860	mspaint.exe
4860	mspaint.exe
4860	mspaint.exe
4860	mspaint.exe
3364	mspaint.exe
1976	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncRepair.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnpublishPublish.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResetRead.wmf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4564

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SyncUnregister.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
5c54ee719e01654209c86c09dfe1cf21

SHA1
16d2c85fabb3ad83f32437233388a56deb4056df

SHA256
c04ccfe6625fda78e5d2c1c9db663b8ddbecf22109d398643ca5a6f7abaa9488

SHA512
4d5975bf7288fef89b876651d0adb9fbb7fcbc933efb224e5bc984aba2552841cffee08bd3a4b99c05483061e1d298038bc429dafce28b6c7c0ec77ad100b359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
8551ebd3b621099fb27e7a8e30332f18

SHA1
8fcf14f2e9c7a8f5717fa4169a40fc311d7abbfb

SHA256
08cb44246f5b68e6964dfa23ef202d3cad8cdc4bd5af107d48764ff8c67bf4e3

SHA512
956cd35695f9c28cea0c6332f2241031ec255b2fa218a3031d31fd8454c9cd952cb0240d534ed17f5f48fd3a226eb9ee30841204b0e18f9569d9343bef303886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0252BF3E-A9E8-487C-A4D9-E96B440409F0

Filesize
177KB

MD5
a14f0cdffc4d503985d4789383ee6069

SHA1
ef7b5f3d06df587afc92ec920c93633eee14f95b

SHA256
7ab17469823d72d287528c56131380578a6c0786ac8962171a9902b1d487b558

SHA512
1218368a933ac6c7d148e032fab30956ac3d6e0e0a693b5012e5b4f52a2ceae3987f8e4c1c1c43fb5008f48045c482e24a55e7aa4cdd6db1e4aa597f2aa7b2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
65dcb9a65e402750e55768d44c3860c3

SHA1
21339bc41808ee79892717d81ed0a9cf1919f94e

SHA256
284a4aa08aa40bb90a8ceee70e3a05d2d75d935a5a5bb0286e86e5b27384fd92

SHA512
fa130378e4063e06fe42b833d99ca99883efee56a657813a0eaf287b9d057fdd3f4ae621cd012b4220c170ad37c25d6b12816c7302cd44b870e30b74bd08aa1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6884708b2fd29df9c182830d848db11b

SHA1
c14cc82aafe7fbccc6e985693b9776efc8ff931b

SHA256
8e2f228b247df521c28dabd01b4937dc269c164a5a8dd5896fd9df5407525604

SHA512
b02292ea2a32f6202ca99fb403af3acf8ef335338742d79e76784fdf9a9a73edd00032e9776273eef06f494596cdbbe6558a1b1084f3ce57cb57c50783b9a98f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
89958a545e01e3df51be40a41f2b64d4

SHA1
3803d3ff499ad0ee5b1622f5a0f18ad3f6917ca6

SHA256
3cb38dbaa21e1d694c58a31f0003ae0124e56ebcc2ede74b833b4e428d4dd308

SHA512
f4fb20470462c4dcb3d6605b77008ae8c2fe0d64627290942e27b3b4aa34b484f45d9228ad2b3ba7ec02681a5da43f1de84ab958963f9c9b85c64a2c6c6a23cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
392B

MD5
e32a5fdfa7649cfdcda9e35f6a03f9d4

SHA1
05bd41119a1176de5d45c18239995a65225d0c92

SHA256
d8801f2b824fc5bd87024bc609fd08374a1d2a1e30ab11133e7c01b12e47df01

SHA512
ec7c8df78c59e479039fb4778a521b8668957d983d7b5f563cf0e0f7b712f1101d343dcf1d0ac897fe1f95774c7f8c9419ab5ae52a47561aacc1913d5121cd43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
386B

MD5
53ca37f71cc8941a50dc502472b52976

SHA1
023b592459bf61a6742eea366d6f17d1e6e7d17a

SHA256
5c59acb879e802ea6a6c3ad3f5b3ce84cff93afd66c08f2f7cca9b259bf6f4e7

SHA512
034bd2336817cf07ee67e85fa52e649a10ee56546bdbc41521c464c082eeea89f31575d5ef755484f95362098e115ae2d44e58119704dff159edb15d73f1b72c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
39bfdabce4d44a0d7c8093d41c5d3fa5

SHA1
5a1bddc1d4447da2bf99f85fa15c95eb93512853

SHA256
2413f4b9e992485ed492c592a3eec3056d9c8d57d3f04438884e4a8c0bfd945c

SHA512
6960f16afa79f5806a996a62b988378dd94d8de1228a745f888693b99439c67d6f858a6fce5b6d87f1f942ac87c57f9e928a5cb4a196415ed28b59ef670f71f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
9191a3bf1e455c35b7a7d99512b4b8c7

SHA1
fa26e806e96e67f168985cd12f349d9f97897945

SHA256
7cee3bc7914d425480216795606dee7f1c95f776d00dab5b41acf53c49eb5327

SHA512
69edeaaaa47ef34291026ad241dff63627012b272b7a81df4afb9b3cee54a069ccec9b0c8919ca849682b16ea92bd8a21ce6bde63ac0bb4c11294c81d140060e

Download Submit
memory/1100-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/1100-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download
memory/1100-2-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/1100-3-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/1100-4-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/1100-5-0x000000001CB00000-0x000000001CB0C000-memory.dmp

Filesize
48KB

Download
memory/1644-15-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-9-0x00007FFFE056D000-0x00007FFFE056E000-memory.dmp

Filesize
4KB

Download
memory/1644-16-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-11-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-21-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

Filesize
64KB

Download
memory/1644-12-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-10-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-58-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-17-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-18-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-97-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-96-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-94-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-95-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-98-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-8-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-7-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-20-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

Filesize
64KB

Download
memory/1644-6-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/1644-19-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-13-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-14-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2328-105-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

Filesize
64KB

Download
memory/2328-104-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

Filesize
64KB

Download
memory/3656-142-0x00000197C1160000-0x00000197C1170000-memory.dmp

Filesize
64KB

Download
memory/3656-146-0x00000197C11A0000-0x00000197C11B0000-memory.dmp

Filesize
64KB

Download
memory/3656-153-0x00000197C9460000-0x00000197C9461000-memory.dmp

Filesize
4KB

Download
memory/3656-155-0x00000197C94E0000-0x00000197C94E1000-memory.dmp

Filesize
4KB

Download
memory/3656-159-0x00000197C9570000-0x00000197C9571000-memory.dmp

Filesize
4KB

Download
memory/3656-158-0x00000197C9570000-0x00000197C9571000-memory.dmp

Filesize
4KB

Download
memory/3656-157-0x00000197C94E0000-0x00000197C94E1000-memory.dmp

Filesize
4KB

Download
memory/3656-160-0x00000197C9580000-0x00000197C9581000-memory.dmp

Filesize
4KB

Download
memory/3656-161-0x00000197C9580000-0x00000197C9581000-memory.dmp

Filesize
4KB

Download