Overview

overview

10

Static

static

10

XWorm_V5.6...rm.exe

windows7-x64

10

XWorm_V5.6...rm.exe

windows10-2004-x64

10

XWorm_V5.6...ox.dll

windows7-x64

1

XWorm_V5.6...ox.dll

windows10-2004-x64

1

XWorm_V5.6...er.bat

windows7-x64

1

XWorm_V5.6...er.bat

windows10-2004-x64

1

XWorm_V5.6...re.dll

windows7-x64

1

XWorm_V5.6...re.dll

windows10-2004-x64

1

XWorm_V5.6...ms.dll

windows7-x64

1

XWorm_V5.6...ms.dll

windows10-2004-x64

1

XWorm_V5.6...I2.dll

windows7-x64

1

XWorm_V5.6...I2.dll

windows10-2004-x64

1

XWorm_V5.6...or.dll

windows7-x64

1

XWorm_V5.6...or.dll

windows10-2004-x64

1

XWorm_V5.6...io.dll

windows7-x64

1

XWorm_V5.6...io.dll

windows10-2004-x64

1

XWorm_V5.6...on.dll

windows7-x64

1

XWorm_V5.6...on.dll

windows10-2004-x64

1

XWorm_V5.6...ws.dll

windows7-x64

1

XWorm_V5.6...ws.dll

windows10-2004-x64

1

XWorm_V5.6...at.dll

windows7-x64

1

XWorm_V5.6...at.dll

windows10-2004-x64

1

XWorm_V5.6...um.dll

windows7-x64

1

XWorm_V5.6...um.dll

windows10-2004-x64

1

XWorm_V5.6...rd.dll

windows7-x64

1

XWorm_V5.6...rd.dll

windows10-2004-x64

1

XWorm_V5.6...ss.dll

windows7-x64

1

XWorm_V5.6...ss.dll

windows10-2004-x64

1

XWorm_V5.6...er.dll

windows7-x64

1

XWorm_V5.6...er.dll

windows10-2004-x64

1

XWorm_V5.6...er.dll

windows7-x64

1

XWorm_V5.6...er.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm_V5.6/XWorm V5.6/._cache_Xworm.exe

  • Size

    75KB

  • MD5

    f63d6c11422e7e0ca83981e8dae62f96

  • SHA1

    c9c6088a764b07e7d438ad603a8bfcd9972f2b06

  • SHA256

    7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531

  • SHA512

    b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9

  • SSDEEP

    1536:GMSF34nJN7Z6/hv0beO3cCv6pDZOQlW3TDsdiv:RLjE/hv0b/DmOQlW3fXv

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

simply-exotic.gl.at.ply.gg:27183

Attributes
  • Install_directory

    %Temp%

  • install_file

    Windows.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6\XWorm V5.6\._cache_Xworm.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6\XWorm V5.6\._cache_Xworm.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6\XWorm V5.6\._cache_Xworm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_Xworm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:844
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
      2⤵
        PID:1768
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1792
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {563259E1-474B-462A-B337-06FF9327134E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\User
        C:\Users\Admin\AppData\Local\Temp\User
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1348
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:936
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:788
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
          3⤵
            PID:2168
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp69CB.tmp.bat""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2240
            • C:\Windows\system32\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:2460

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\User
        Filesize

        75KB

        MD5

        f63d6c11422e7e0ca83981e8dae62f96

        SHA1

        c9c6088a764b07e7d438ad603a8bfcd9972f2b06

        SHA256

        7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531

        SHA512

        b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.bat
        Filesize

        187B

        MD5

        afcbb5d9be239a7c65f8c725d8bf27ce

        SHA1

        382b9f10fd94417a3ef4c95edf1e872f07bad4b0

        SHA256

        d6c618c951c4a69cf09fe7310b8c890348d5f4313d344dcaf4777fdbe313d040

        SHA512

        ff0fe3a61d1e2453d21ef0a68bfaf28a15be9d670f6a1788dc49f028a8f1e9206cc2f18488b72ec72f7fbe7fe71d00a631be0ea4668af0aec99dbfd9805e8359

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp69CB.tmp.bat
        Filesize

        152B

        MD5

        f6504e4dc34849f251a2ce1b85184430

        SHA1

        2340bf1164b1ca7a911e307872a18ace634c4fe6

        SHA256

        f1d31caebf61956eff35e21f581603358d7bc1321c731bcbd47f2e9964c797ca

        SHA512

        749292c90d80ef2f16cba43a05bb2900f6011104613825931c17e9ef4af0867422cb78a5a646c15cd1ace2b58c48b1495de138a6cf3a71a723fe8805ce058215

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        382eafa09d3648d5185342528de323fc

        SHA1

        74ba59e527f5832dcbc10fae19d6a6bb5a2e63cd

        SHA256

        fa36f285ed80733447badf233ffbfd1501f03eee8a794ba9b389025b81edd3c8

        SHA512

        9899e841db2f3e5dd33ba1079fa0c64ed1e4df560d4cf712137f3c064c5690bc379ca119b3d9af5e87ebac8f9fdb5df6c1cd1f1e2926371aed1afd988f66f275

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        1a09a99ccb456488ba3e33967281220e

        SHA1

        c6faa30ebab2056cdf73d0da106e036cf3b5b2ac

        SHA256

        858dcebc0d935ef33834712d691c8f97f4482b29c3c16ab866469a9a414d2e26

        SHA512

        b65ed786c4b7a49211d22cd8dd19c66841f104ff6973766aea092c002ad534f982210ba98aed72b60d6757cd78947dcdb896ce909f1e3ca4c6852e4afd3e5a52

        Download Submit

      • memory/340-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/340-48-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/340-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/340-28-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/340-33-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/340-1-0x00000000000B0000-0x00000000000CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1044-37-0x0000000000E80000-0x0000000000E9A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2764-8-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2764-9-0x0000000002A70000-0x0000000002A78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2764-7-0x0000000002870000-0x00000000028F0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/3044-16-0x0000000002310000-0x0000000002318000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3044-15-0x000000001B660000-0x000000001B942000-memory.dmp

        Filesize

        2.9MB

        Download