Overview

overview

10

Static

static

3

c1378ff7aa...cN.exe

windows7-x64

10

c1378ff7aa...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 04:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1378ff7aaacea446762f5878ec501260bcdeb869e06a8f0a25845845183395cN.exe

  • Size

    159KB

  • MD5

    f3b25838fa8d402f6c93ddd23979b810

  • SHA1

    3935445639b0373ff59c5406315a480678e80f9e

  • SHA256

    c1378ff7aaacea446762f5878ec501260bcdeb869e06a8f0a25845845183395c

  • SHA512

    a66f7dbb3726a6fd116f6cb9229fb9f06879bdf9e5a550bd64582fded71d9d9433fbf71b754f598f550436badfdae62a6d6ff7e1ac91c41c203162280c583715

  • SSDEEP

    3072:0325N7aVopufIeZuVGoFkfAylFYOKYoGCllFhdoH3hZ9Roe2eX9px:j1U8peZuVDRkClAXhT2eF9

Score
10/10
xwormdefense_evasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

indian-tall.gl.at.ply.gg:65520

Attributes
  • Install_directory

    %Temp%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/wXYjM7Vm

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1378ff7aaacea446762f5878ec501260bcdeb869e06a8f0a25845845183395cN.exe
    "C:\Users\Admin\AppData\Local\Temp\c1378ff7aaacea446762f5878ec501260bcdeb869e06a8f0a25845845183395cN.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcgB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHcAeAB5ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByAF8AYwBvAGQAZQBfADAAeAAxACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB2AHcAZwAjAD4A"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XwormLoader.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
    • C:\Users\Admin\AppData\Local\Temp\xclient.exe
      "C:\Users\Admin\AppData\Local\Temp\xclient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xclient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xclient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\keyauth.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'keyauth.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "keyauth" /tr "C:\Users\Admin\AppData\Roaming\keyauth.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1816
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {50DE7CDB-6C44-4294-A681-6719A86C9670} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Roaming\keyauth.exe
      C:\Users\Admin\AppData\Roaming\keyauth.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Users\Admin\AppData\Roaming\keyauth.exe
      C:\Users\Admin\AppData\Roaming\keyauth.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
    Filesize

    77KB

    MD5

    e7525a2d46d78f6ea17a3c32815cc1a2

    SHA1

    734b924697ddfd032ae0f2467b404b91650d72f3

    SHA256

    c388c156025273419447629bfb28728b32c785a47968c7bce227adb31a66ffa3

    SHA512

    cb38565d63a429517493a5093ab93861744b4584594221c7fb558e9f5832b3feaf3f52f902079f7e7299ce2008fa03cb1ff59118469ce6461d9319ae2d5b2d34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xclient.exe
    Filesize

    74KB

    MD5

    8f0fab5837f63b48e3d0bf98013ecde6

    SHA1

    03e392b90a808f77595f571dd01c8ce864e87d2c

    SHA256

    703c26b59e5eefc02cc93db1f440a7ed273cdb8928f082105f41120adc41964d

    SHA512

    d980674a3343c51c77b8a05b264e2c01a38f8e4ffa300763dbb2ff11e66dcce0555437e5b4ced5a6fffd0793577c9c816403987b5affccf1639bbf1338f7884d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LDJ702ZYTT54VAPSFX58.temp
    Filesize

    7KB

    MD5

    8954f7e36e09c07a7c1a68649ea3e0c3

    SHA1

    0191cdba848e54054e90f6e4f7a1a929674300e0

    SHA256

    e7c59356526f1f6ae1cf0defda3247634857895bcdb7b1699bcf0d954808d135

    SHA512

    f7e7d144b6fb302944043c0344c06f6176d83983fc91e4e2cf34205acfecf719356632821d1fc009c94ee3ca4011de96e12146a2a0b051e1432af81c3b4aa823

    Download Submit

  • memory/1752-74-0x0000000001150000-0x0000000001168000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2336-10-0x00000000000A0000-0x00000000000BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2740-21-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2740-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2740-1-0x00000000000C0000-0x00000000000EE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2764-18-0x00000000003F0000-0x0000000000408000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2804-19-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2804-20-0x00000000020D0000-0x00000000020D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2952-32-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2952-33-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download