xworm | fea9620c907c32bef37b6e5a08699eae88ecc0ee014e52495a39a46312d4766f

Analysis

max time kernel
28s
max time network
29s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

2.6MB
MD5

2b45969ccbd973f5bc6a10716093e00b
SHA1

596467ce3d6a3a3a80abaca3b8df30a52c95ccab
SHA256

fea9620c907c32bef37b6e5a08699eae88ecc0ee014e52495a39a46312d4766f
SHA512

b985d5a73027e07519d8f180b6b87e1b95f6a5185dc279db783f3c6f5e788b0bb9279f74bd4bb1a52fb766970d34a0e2a3a67446fd825f70d68981ef77264578
SSDEEP

49152:Uhsk/i2lNbPzoc9MmJdW8zo7UqT31p+/JLD9bC8N1FIZfIUzon0KW6My0+:gni2lRoNYo7DT3m/JL5bCCEbo0KW6

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

185.94.29.228:4444

Attributes

Install_directory
%Temp%
install_file
Spotify.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225a-5.dat	family_xworm
behavioral1/memory/2416-7-0x0000000001160000-0x0000000001176000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
2792	powershell.exe
2984	powershell.exe
2692	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk	spotify.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk	spotify.exe

Executes dropped EXE 3 IoCs

pid	Process
2416	spotify.exe
2156	loaderr.exe
2184	loaderr.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	loader.exe
2156	loaderr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2156	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2652	powershell.exe
2792	powershell.exe
2984	powershell.exe
2692	powershell.exe
2416	spotify.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe
2184	loaderr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	spotify.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2416	spotify.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2416	spotify.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2416	2176	loader.exe	30
PID 2176 wrote to memory of 2416	2176	loader.exe	30
PID 2176 wrote to memory of 2416	2176	loader.exe	30
PID 2176 wrote to memory of 2156	2176	loader.exe	31
PID 2176 wrote to memory of 2156	2176	loader.exe	31
PID 2176 wrote to memory of 2156	2176	loader.exe	31
PID 2156 wrote to memory of 2184	2156	loaderr.exe	32
PID 2156 wrote to memory of 2184	2156	loaderr.exe	32
PID 2156 wrote to memory of 2184	2156	loaderr.exe	32
PID 2184 wrote to memory of 2748	2184	loaderr.exe	34
PID 2184 wrote to memory of 2748	2184	loaderr.exe	34
PID 2184 wrote to memory of 2748	2184	loaderr.exe	34
PID 2416 wrote to memory of 2652	2416	spotify.exe	37
PID 2416 wrote to memory of 2652	2416	spotify.exe	37
PID 2416 wrote to memory of 2652	2416	spotify.exe	37
PID 2416 wrote to memory of 2792	2416	spotify.exe	39
PID 2416 wrote to memory of 2792	2416	spotify.exe	39
PID 2416 wrote to memory of 2792	2416	spotify.exe	39
PID 2416 wrote to memory of 2984	2416	spotify.exe	41
PID 2416 wrote to memory of 2984	2416	spotify.exe	41
PID 2416 wrote to memory of 2984	2416	spotify.exe	41
PID 2416 wrote to memory of 2692	2416	spotify.exe	43
PID 2416 wrote to memory of 2692	2416	spotify.exe	43
PID 2416 wrote to memory of 2692	2416	spotify.exe	43
PID 2184 wrote to memory of 1676	2184	loaderr.exe	45
PID 2184 wrote to memory of 1676	2184	loaderr.exe	45
PID 2184 wrote to memory of 1676	2184	loaderr.exe	45
PID 2184 wrote to memory of 2012	2184	loaderr.exe	46
PID 2184 wrote to memory of 2012	2184	loaderr.exe	46
PID 2184 wrote to memory of 2012	2184	loaderr.exe	46

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Public\spotify.exe
  "C:\Users\Public\spotify.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spotify.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- C:\Users\Public\loaderr.exe
  "C:\Users\Public\loaderr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Public\loaderr.exe
    "C:\Users\Public\loaderr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
862d4ca50900fb84afbeea4e2c2e447e

SHA1
43c8803435b74b5331709b2e0da4a702f02b9758

SHA256
f306c3369a671ad0f3cc5a794417051271f9279af8450fb5139910368e691bb3

SHA512
f4a1d9a5ca0418b5528c3954f60a40c8e97e648334218692dc0c2094881ad15e724c99523a1ffc9eeeae4e5909c5f5f11e209264fd5dcc49816148a2840c6e7e

Download Submit
C:\Users\Public\loaderr.exe

Filesize
2.6MB

MD5
70fe91a0c5f9296f4308747688d8ab23

SHA1
6373f4d14fdfd86e331aea70e992ce34c7042352

SHA256
d0044db239a246c9f854c9a0d3fff9fad04a5f4d2af570d259d39462d2842332

SHA512
0f23e322325ef03a270389cf44ac0caa162780f076e28da487f2ede7cc1c0a6c2ae23e3ea376cc0674f49c64849bbaa891e9a1d4ae2c8276ac90680b2267bb32

Download Submit
C:\Users\Public\spotify.exe

Filesize
64KB

MD5
170e58907106b43016812cecfe258605

SHA1
eee4342a64a84bbc386656b332ba4c4790be6fdd

SHA256
918f973b0d444685b0d85469a76bc0f4a6c75345b68aa2ea80206b280ba50eb4

SHA512
b39262ffab616fffbcfd4f276e44e72dad99f5463d6d9ae262cd7a5b96aa66d07d20e2429fc230a140110c01ba1d397abb9e1c8c265e3b76e8a3debb31d058e2

Download Submit
memory/2176-1-0x0000000001180000-0x0000000001428000-memory.dmp

Filesize
2.7MB

Download
memory/2176-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2416-7-0x0000000001160000-0x0000000001176000-memory.dmp

Filesize
88KB

Download
memory/2416-17-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-16-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-45-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-46-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-22-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2652-23-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2792-29-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2792-30-0x00000000021A0000-0x00000000021A8000-memory.dmp

Filesize
32KB

Download