Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-01-2025 01:12
General
-
Target
rat test xworm.exe
-
Size
65KB
-
MD5
fbe7f61c52a1754815d5da441a4fb469
-
SHA1
5540bfc30a9b05f1972d896283bd1f107db18987
-
SHA256
5d8c53e451c55ce6969cfe254e0c22a3c48915c1400c66fc9dc806d7ad824f24
-
SHA512
e524006b40df8d3a677f20928d6fb5f31d08197d351bcfcdb30bd08cf041500794998728397119775d584f4f3f4359e7d881deea4aec9f9cc9add524454d4635
-
SSDEEP
1536:axvYQ2kEC1wXbFDGTRwZrt6UxKQO7U/1iI:ahYeLKbRTLO7U95
Malware Config
Extracted
xworm
127.0.0.1:21252
land-long.gl.at.ply.gg:21252
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rat test xworm.exe"C:\Users\Admin\AppData\Local\Temp\rat test xworm.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rat test xworm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rat test xworm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\unzner.exe"C:\Users\Admin\AppData\Local\Temp\unzner.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\caaqay.exe"C:\Users\Admin\AppData\Local\Temp\caaqay.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {54A502F7-8838-4220-9771-4115A43C572E} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5a01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD55436e6aebabf071c1d832071a01b8bcd
SHA1c7b19e1afcaaea7cc2db55d4ef74f25c0f3603e2
SHA2562bf822b86e4adabce83a796de15fbbfeb75ff82c3bc1ed2a0f5286962915d362
SHA512dd1851bb2d6ea5217f59974270ed59b0d7c758c862a333dcf455d43e03ba4c4484a86596c4a7b1ed46c3c671da5ede356ff5c4f7f9d93746d119f4d4332fd204
-
Filesize
5KB
MD5db2b7cf36003b2b653df6f3ca986e007
SHA1d61a94c7b965dec3daa6351d849fa22f646edf8b
SHA25656a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b
SHA5123c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3
-
Filesize
11KB
MD53b86bf25cd702a3a071590f088fabf64
SHA131b279bca59916ba8202b029e7b7b808981a52be
SHA2567c8864e0b63969e2469c2d80cd855648044cd15fd89dbabd275954efb7ef6879
SHA512b63b24259b6a2acb01f7d066fa10c5ddf4237b0deebab4e4389a40ee677ffb232baa0f3029f47e388eb1f6fbcf97f4a640e41b594ce9f0c41a841b97e471e214
-
Filesize
3KB
MD59b24558524e7f3ec1dd7d123d10541fc
SHA1d373cc754817870f18d640c6fa04627c74e8f518
SHA25646aea3ca7321989695db5b15f7997802a6266512d6fe298a26dee9dd6a98ba87
SHA512e6e0c4e77143e778599b4952c0e0741b8cd092d08179c4b4f1b63698562ec3bcf362888585e253cb53113d3c51b6225d8d4e43cd95b7122c7c2881828d392397
-
Filesize
13KB
MD5b2354d238829d09c54e272d8b4f60189
SHA15a2731c04c50903d41f65d9fe5528a66cbefa289
SHA256d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba
SHA512aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9
-
Filesize
68B
MD57bbce054f64616da370f0fc6cf661a6f
SHA161dd7c3a010490f0efa5adb4fdc32f09d82552d5
SHA256f31a7a2625336d98c15da64675ceda25da223b596bc2b3d3183f6e0acf7b02a3
SHA512a8469f5708db7d83fe7e8af662e3d52b6e0c8ffec941dfcde1cfa114155d26760254d7af78c1ec744ba30155a74931c2d7cfd6c2695ab0a5400641d9ce6b63f0
-
Filesize
16KB
MD56f6c8f80d6c36739147b38016bd4b469
SHA1bf0f81a00ccc595242620b15ade2a0661424d9e3
SHA256fba607ccfd47e2b6ba04d449f1de10e3b66ba35b7d0e96f71e7c61d0c10486f4
SHA5121b3d6da8eedc140f3836c60eadc5251870d01db99e72d33ec0b2a585e2e4b2f7e643e2a12ad42f8e6d8704e8af67ca1df728acdbe18c614a1b8f6746d0c3fbc6
-
Filesize
25KB
MD55e0ccb3bd78be9cd539fef6e4005e47a
SHA19a28756dffdef59d36bf42cb9cc8e02e454026d2
SHA2564e4eb668831c91756eb030045d118ebd069fda0b0e0065ee2467c4c1c382cdd8
SHA5124c58e1d9d77c42500c3d91314257f563a6b3af627ae0d5ec257b38a8b8008b47ad10b8b3a0661bc72a12bdaf549a33453a971802542f5c719fc979fa9f6c1372
-
Filesize
16KB
MD59eb11041f2f11d939074e26b4b554088
SHA150deec7591fcc5db40939543fc9bf92109f2df05
SHA256efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79
SHA5122d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1
-
Filesize
282B
MD5b94e70870a0eeb74114901e963c43df5
SHA11f076b90104bd691106f8bf9484ea6b855277352
SHA256d1b4736f6240b12e3338f702eab96d4b9e3cd1f7fa6ca1e52baa6a0ee1b8cca5
SHA512d4ac736807b7f74d3e2696764b678dca19acca733b87f26521421790784589b11970aafd96377da5dee09b765fc4d21e135e22278d80664f03ff8ec13588d1da
-
Filesize
6KB
MD52aea27b056354f507176190c33a2b679
SHA123a103bac45bd0d090a959fe4f524d112aea5b24
SHA256b11a92c2961b6b3da9ca54ce8bf866980913f3a5df2969f809e5cd4fcc734663
SHA51262336fa72f093bf73114dc140d461b7684e966624484651d1821a210b73016cc525c2d949d4d43947219af18c0c776184a127a4a2a57c1ff13f3daf117f57514
-
Filesize
4.3MB
MD5ae58df2846bbdd6b5b568e137e5cbf20
SHA173f42fb6a3ae8b8d226e08ba0a571d9eb22c251f
SHA256fac7256242f8e52cef36836b62cadf16edfde227cf31580b8a86444cba598c35
SHA512db4a2220266c8b6d4967391c7db315324c8f41b6d56e474fdfc5a04adc1073d6e17b5f499a9617bbee858a753352bb7a2ebb8aa459d862247a2608638e2520a5
-
Filesize
7KB
MD5d3a6851e594cd8c7c0b60ff2d474f503
SHA17401613e81bb9426ce7d9aae99f92151eabbb1f9
SHA2564fffbf63799beb404dca7b93cc717caef0d5b2313bbd31266d068cf7d92e1b8f
SHA51227b49a9852c96ab2dc251aa5cbea7770e0037012a3574b62c7641990baec6d1014a2427420d358ddb81ce0c0ed5713e480b3bfc733915009eff39b0415b95cee
-
Filesize
65KB
MD5fbe7f61c52a1754815d5da441a4fb469
SHA15540bfc30a9b05f1972d896283bd1f107db18987
SHA2565d8c53e451c55ce6969cfe254e0c22a3c48915c1400c66fc9dc806d7ad824f24
SHA512e524006b40df8d3a677f20928d6fb5f31d08197d351bcfcdb30bd08cf041500794998728397119775d584f4f3f4359e7d881deea4aec9f9cc9add524454d4635
-
Filesize
221KB
MD5bc8dc78f2c81ec0b9b20725ab46edefa
SHA1117c516c1bb6fb85442170345854f896b023a088
SHA25690aee2294e68cb4771dddf2c303845c61fb344743e5a3d2322bf81002a7500db
SHA51221a407e52a754b8fe1960bdd12606b9165f7ae6c911f42bfa16e7d0248272d7aef90e076e4f443cdec4d3925cb52e841c5659fc0244831b2790d83c470932def
-
Filesize
88KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
248KB