xworm | 3c2bfb840a89298362078051b0b0090acb291298cfa3189572ecdc954baaed0f

Resubmissions

22-01-2025 15:48

250122-s86egsvkhk 10

22-01-2025 14:37

250122-ry8w7a1kds 10

Analysis

max time kernel
57s
max time network
56s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

real shit/SamsungCommisionExternal.exe
Size

63KB
MD5

6f30a565049364df3068b5bc88fd36d6
SHA1

2ca485eb96156bfc561acd69649cf3339da6c610
SHA256

e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d
SHA512

c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe
SSDEEP

1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/2896-1-0x00000000012B0000-0x00000000012C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
1916	powershell.exe
2240	powershell.exe
892	powershell.exe

Deletes itself 1 IoCs

pid	Process
2236	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk	SamsungCommisionExternal.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk	SamsungCommisionExternal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Smasmug = "C:\\Users\\Admin\\AppData\\Roaming\\Smasmug"	SamsungCommisionExternal.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2324	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2812	powershell.exe
1916	powershell.exe
2240	powershell.exe
892	powershell.exe
2896	SamsungCommisionExternal.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	SamsungCommisionExternal.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2896	SamsungCommisionExternal.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	SamsungCommisionExternal.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2812	2896	SamsungCommisionExternal.exe	31
PID 2896 wrote to memory of 2812	2896	SamsungCommisionExternal.exe	31
PID 2896 wrote to memory of 2812	2896	SamsungCommisionExternal.exe	31
PID 2896 wrote to memory of 1916	2896	SamsungCommisionExternal.exe	33
PID 2896 wrote to memory of 1916	2896	SamsungCommisionExternal.exe	33
PID 2896 wrote to memory of 1916	2896	SamsungCommisionExternal.exe	33
PID 2896 wrote to memory of 2240	2896	SamsungCommisionExternal.exe	35
PID 2896 wrote to memory of 2240	2896	SamsungCommisionExternal.exe	35
PID 2896 wrote to memory of 2240	2896	SamsungCommisionExternal.exe	35
PID 2896 wrote to memory of 892	2896	SamsungCommisionExternal.exe	37
PID 2896 wrote to memory of 892	2896	SamsungCommisionExternal.exe	37
PID 2896 wrote to memory of 892	2896	SamsungCommisionExternal.exe	37
PID 2896 wrote to memory of 2236	2896	SamsungCommisionExternal.exe	39
PID 2896 wrote to memory of 2236	2896	SamsungCommisionExternal.exe	39
PID 2896 wrote to memory of 2236	2896	SamsungCommisionExternal.exe	39
PID 2236 wrote to memory of 2324	2236	cmd.exe	41
PID 2236 wrote to memory of 2324	2236	cmd.exe	41
PID 2236 wrote to memory of 2324	2236	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\real shit\SamsungCommisionExternal.exe
"C:\Users\Admin\AppData\Local\Temp\real shit\SamsungCommisionExternal.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\real shit\SamsungCommisionExternal.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SamsungCommisionExternal.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EA2.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7EA2.tmp.bat

Filesize
186B

MD5
3b4a1fd14c50a36db16c265e48cee2fd

SHA1
a6b4e59a9e0cbfa344269d1d3b4495bbf3f9ca2c

SHA256
69f78fe38e327512528618b06ba65201320602d7d805a427517727b65b2d5dc6

SHA512
f82909f36399225eabfdf3001718f1cb3b97ad69aa32b6e025f7a477be2a1b2752c73db4687dc93cbb76b4be8e82284125fd4cc45a11c1bc99189a99d54bb2f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7a4888690eb6b43f35cb096dab6dc37c

SHA1
721ff3d6126e184761d0b54cf3c5e4be6e37322b

SHA256
654fed02b3ef651f733e16818fc2558d734272e5745814acbf30c0db781b7073

SHA512
1a2de2356dc621e43d30ff45e08322880039d240438439f14671a5ca93e0a7bc0c8bd0344abc4b8e25229621c0addd76c75eaa70910b7455cdd322606fcf1da0

Download Submit
memory/1916-15-0x000000001B870000-0x000000001BB52000-memory.dmp

Filesize
2.9MB

Download
memory/1916-16-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2812-7-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2812-8-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2812-9-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2896-2-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2896-0-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

Filesize
4KB

Download
memory/2896-28-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

Filesize
4KB

Download
memory/2896-33-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2896-1-0x00000000012B0000-0x00000000012C6000-memory.dmp

Filesize
88KB

Download
memory/2896-45-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download