xworm | f21d3e6de139de0d92d8cdc675d7aa5693d375b1f075dee9deb664bf9961bacd

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.exe
Size

8.7MB
MD5

1e936fe7c00a13a03d258247220333cb
SHA1

0625868fe5e8541dca00a87b9dbc76e85a76a7a9
SHA256

f21d3e6de139de0d92d8cdc675d7aa5693d375b1f075dee9deb664bf9961bacd
SHA512

2f809796ebec18540570d9658742a91fb1ae42f44cd0193d7cd020a67f07dfc2f94740ed05aa1a12234063aa2173719953ee74203a794b94c7fc41a8037c5661
SSDEEP

196608:yt20YhrbhcaAKkkdGDJtvMGn7+LCOGeosHnZouA7q:e2trlIKtdGDJCGgjBoEZouA

Score

10^/10

xworm execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.141.26.126:7000

Mutex

njhjW6ZcD4uLoqX9

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d2e-11.dat	family_xworm
behavioral1/memory/2764-12-0x0000000000B30000-0x0000000000B40000-memory.dmp	family_xworm
behavioral1/memory/2752-41-0x0000000000990000-0x00000000009A0000-memory.dmp	family_xworm
behavioral1/memory/2940-101-0x0000000000DA0000-0x0000000000DB0000-memory.dmp	family_xworm
behavioral1/memory/1580-104-0x0000000001080000-0x0000000001090000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1820	powershell.exe
2172	powershell.exe
1756	powershell.exe
1948	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sorillusexe.lnk	ตั่.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sorillusexe.lnk	ตั่.exe

Executes dropped EXE 7 IoCs

pid	Process
2684	GEN18+.exe
2764	ตั่.exe
2820	GEN18+.exe
2752	ตั่.exe
2860	GEN18+.exe
2940	Sorillusexe
1580	Sorillusexe

Loads dropped DLL 2 IoCs

pid	Process
2684	GEN18+.exe
2860	GEN18+.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sorillusexe = "C:\\Users\\Admin\\AppData\\Roaming\\Sorillusexe"	ตั่.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0032000000015cfa-17.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1820	powershell.exe
2172	powershell.exe
1756	powershell.exe
1948	powershell.exe
2764	ตั่.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	ตั่.exe
Token: SeDebugPrivilege	2752	ตั่.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2764	ตั่.exe
Token: SeDebugPrivilege	2940	Sorillusexe
Token: SeDebugPrivilege	1580	Sorillusexe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	ตั่.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2684	3004	.exe	30
PID 3004 wrote to memory of 2684	3004	.exe	30
PID 3004 wrote to memory of 2684	3004	.exe	30
PID 3004 wrote to memory of 2764	3004	.exe	31
PID 3004 wrote to memory of 2764	3004	.exe	31
PID 3004 wrote to memory of 2764	3004	.exe	31
PID 2684 wrote to memory of 2820	2684	GEN18+.exe	32
PID 2684 wrote to memory of 2820	2684	GEN18+.exe	32
PID 2684 wrote to memory of 2820	2684	GEN18+.exe	32
PID 2684 wrote to memory of 2752	2684	GEN18+.exe	34
PID 2684 wrote to memory of 2752	2684	GEN18+.exe	34
PID 2684 wrote to memory of 2752	2684	GEN18+.exe	34
PID 2820 wrote to memory of 2860	2820	GEN18+.exe	35
PID 2820 wrote to memory of 2860	2820	GEN18+.exe	35
PID 2820 wrote to memory of 2860	2820	GEN18+.exe	35
PID 2764 wrote to memory of 1820	2764	ตั่.exe	37
PID 2764 wrote to memory of 1820	2764	ตั่.exe	37
PID 2764 wrote to memory of 1820	2764	ตั่.exe	37
PID 2764 wrote to memory of 2172	2764	ตั่.exe	39
PID 2764 wrote to memory of 2172	2764	ตั่.exe	39
PID 2764 wrote to memory of 2172	2764	ตั่.exe	39
PID 2764 wrote to memory of 1756	2764	ตั่.exe	41
PID 2764 wrote to memory of 1756	2764	ตั่.exe	41
PID 2764 wrote to memory of 1756	2764	ตั่.exe	41
PID 2764 wrote to memory of 1948	2764	ตั่.exe	43
PID 2764 wrote to memory of 1948	2764	ตั่.exe	43
PID 2764 wrote to memory of 1948	2764	ตั่.exe	43
PID 2764 wrote to memory of 1616	2764	ตั่.exe	45
PID 2764 wrote to memory of 1616	2764	ตั่.exe	45
PID 2764 wrote to memory of 1616	2764	ตั่.exe	45
PID 1412 wrote to memory of 2940	1412	taskeng.exe	48
PID 1412 wrote to memory of 2940	1412	taskeng.exe	48
PID 1412 wrote to memory of 2940	1412	taskeng.exe	48
PID 1412 wrote to memory of 1580	1412	taskeng.exe	50
PID 1412 wrote to memory of 1580	1412	taskeng.exe	50
PID 1412 wrote to memory of 1580	1412	taskeng.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\GEN18+.exe
  "C:\Users\Admin\AppData\Roaming\GEN18+.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Public\GEN18+.exe
    "C:\Users\Public\GEN18+.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Public\GEN18+.exe
      "C:\Users\Public\GEN18+.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2860
- - C:\Users\Public\ตั่.exe
    "C:\Users\Public\ตั่.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Users\Admin\AppData\Roaming\ตั่.exe
  "C:\Users\Admin\AppData\Roaming\ตั่.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ตั่.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ตั่.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sorillusexe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Sorillusexe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Sorillusexe" /tr "C:\Users\Admin\AppData\Roaming\Sorillusexe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {FEFF0FE2-F435-4DF1-A0D6-74B429D577BF} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Roaming\Sorillusexe
  C:\Users\Admin\AppData\Roaming\Sorillusexe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Users\Admin\AppData\Roaming\Sorillusexe
  C:\Users\Admin\AppData\Roaming\Sorillusexe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28202\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Roaming\GEN18+.exe

Filesize
8.6MB

MD5
f05ed8b398245fe8f94d3227dd9a3bd6

SHA1
d9d33c82725d02ac98c958acf34d03a9ef98b3c9

SHA256
87a0882cd5f227f8e223381c4f4d1f5a9eafed619e442f16b98b18bb7a1481cd

SHA512
2f4052266c0ca780aec481091ae0ef5946acae95398d61eb73b18d50f9072821e8fb437d6e5f229b8b7af94bec0df59fd04378c264320cfa0f0daf05832412d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
43288e0b7b7d58f4fa62c91db9c89939

SHA1
5f2992a953d7afa2f81bd18fd866be3c77248ee1

SHA256
b511140af5b5f9174e4b8e2face945a22fdd2267c2be0646db608889184431c7

SHA512
fb0e46589c2e3405bc540e4a6c804cc0d0b6e49c56e88fe4eeda45715ee1f3101e4e74e60eb24e8fd7188e04aa8f5628fb8b5af485d8e1f6284b6d40077a2168

Download Submit
C:\Users\Admin\AppData\Roaming\ตั่.exe

Filesize
41KB

MD5
949ed9fe677149c42d2a77d3f14dfc7d

SHA1
6aeb5488f1664c08b6463658679409e6f66bb46c

SHA256
0c96ec60c154ccb2bdba2a35bd96672383a8bc84566a02d8856900368712d93a

SHA512
392dab1ada16b5d3a76a611c319586831c8593c7866ff99b6b3e232efe65fa49074485979a43e47fed9c8fe2bba4ad1baf4b6b10d91fe886439b52d891e984c5

Download Submit
\Users\Public\GEN18+.exe

Filesize
8.6MB

MD5
6b83f00de4a3333f9e87dfe1fb5ed6c5

SHA1
73c5e6db6530d1dfc27b6c7cc5b2bb93ae48512c

SHA256
6b89f78d271319c542e204b3f79308a9557c5e87957a8fb52afa4878f61657c0

SHA512
0cd16a98fbaef79594d78dffb4a5a4c481706ffaed3e384580b5b5adda29ad2d671a00eecf9e3755f97b11c617ce9d250bdd7564c34bc0182630a7999b783030

Download Submit
memory/1580-104-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/1820-57-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1820-56-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

Filesize
2.9MB

Download
memory/2172-64-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2172-63-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2684-15-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-40-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-13-0x0000000001300000-0x0000000001BAC000-memory.dmp

Filesize
8.7MB

Download
memory/2752-41-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2764-12-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2940-101-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3004-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000000860000-0x000000000111A000-memory.dmp

Filesize
8.7MB

Download