xworm | 30beca0bcbc02bf77acdfdd698f38068699b06106aba6a05bdf83cab12572b64

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

munchenclient.exe
Size

7.1MB
MD5

84236243dcb77d4936dd6654575b1f6b
SHA1

4f0629caaed54ed3e5a73a1c88dec0c8a42d654e
SHA256

30beca0bcbc02bf77acdfdd698f38068699b06106aba6a05bdf83cab12572b64
SHA512

2838e47dde2e7fbe96d966de46491aa9955bd5bcbb567de474de71ab556dfa5335f796df6ec029d4d6b9e25c4be6e7a73d47552f1d1402859509827303c9eb7b
SSDEEP

196608:Pii9mneDatAEYUpkkAq0YmUjp5NHNpYUxx44:bAnmI/kk3mUjp59Nx

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

uIevzGILIGd901ZV

Attributes

Install_directory
%AppData%
install_file
OneDrive Updater.exe
telegram
https://api.telegram.org/bot6813820189:AAEnLy9XOrfoO1MDfwUwZrxxour8yypLOhE

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016cfd-10.dat	family_xworm
behavioral1/memory/892-40-0x00000000011F0000-0x0000000001218000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1092	powershell.exe
2272	powershell.exe
2808	powershell.exe
768	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1720	groyper.exe
892	OneDrive.exe
2956	groyper.exe
1200	Process not Found

Loads dropped DLL 5 IoCs

pid	Process
2116	munchenclient.exe
2116	munchenclient.exe
1720	groyper.exe
2956	groyper.exe
1200	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Updater = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive Updater.exe"	OneDrive.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000195f7-37.dat	upx
behavioral1/memory/2956-39-0x000007FEF32B0000-0x000007FEF3898000-memory.dmp	upx
behavioral1/memory/2956-67-0x000007FEF32B0000-0x000007FEF3898000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	munchenclient.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1036	powershell.exe
2272	powershell.exe
2808	powershell.exe
768	powershell.exe
1092	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	892	OneDrive.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1036	2116	munchenclient.exe	30
PID 2116 wrote to memory of 1036	2116	munchenclient.exe	30
PID 2116 wrote to memory of 1036	2116	munchenclient.exe	30
PID 2116 wrote to memory of 1036	2116	munchenclient.exe	30
PID 2116 wrote to memory of 1720	2116	munchenclient.exe	32
PID 2116 wrote to memory of 1720	2116	munchenclient.exe	32
PID 2116 wrote to memory of 1720	2116	munchenclient.exe	32
PID 2116 wrote to memory of 1720	2116	munchenclient.exe	32
PID 2116 wrote to memory of 892	2116	munchenclient.exe	33
PID 2116 wrote to memory of 892	2116	munchenclient.exe	33
PID 2116 wrote to memory of 892	2116	munchenclient.exe	33
PID 2116 wrote to memory of 892	2116	munchenclient.exe	33
PID 1720 wrote to memory of 2956	1720	groyper.exe	34
PID 1720 wrote to memory of 2956	1720	groyper.exe	34
PID 1720 wrote to memory of 2956	1720	groyper.exe	34
PID 892 wrote to memory of 2272	892	OneDrive.exe	35
PID 892 wrote to memory of 2272	892	OneDrive.exe	35
PID 892 wrote to memory of 2272	892	OneDrive.exe	35
PID 892 wrote to memory of 2808	892	OneDrive.exe	37
PID 892 wrote to memory of 2808	892	OneDrive.exe	37
PID 892 wrote to memory of 2808	892	OneDrive.exe	37
PID 892 wrote to memory of 768	892	OneDrive.exe	39
PID 892 wrote to memory of 768	892	OneDrive.exe	39
PID 892 wrote to memory of 768	892	OneDrive.exe	39
PID 892 wrote to memory of 1092	892	OneDrive.exe	41
PID 892 wrote to memory of 1092	892	OneDrive.exe	41
PID 892 wrote to memory of 1092	892	OneDrive.exe	41
PID 892 wrote to memory of 2884	892	OneDrive.exe	43
PID 892 wrote to memory of 2884	892	OneDrive.exe	43
PID 892 wrote to memory of 2884	892	OneDrive.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\munchenclient.exe
"C:\Users\Admin\AppData\Local\Temp\munchenclient.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAcwBpACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\groyper.exe
  "C:\Users\Admin\AppData\Local\Temp\groyper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\groyper.exe
    "C:\Users\Admin\AppData\Local\Temp\groyper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2956
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive Updater.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive Updater.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive Updater" /tr "C:\Users\Admin\AppData\Roaming\OneDrive Updater.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2884

C:\Windows\system32\taskeng.exe
taskeng.exe {DDA63895-9A11-4054-A621-CB0D4165E213} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
141KB

MD5
b8cfd486ae90e2bcfbae6ef42baa7fff

SHA1
34dd61af2e3ed15223d0ad0e4a7e4719cb080f81

SHA256
acec8c3dc9a857c90f66e75c5da50f6473903896de5810762c0342a45b2b4925

SHA512
a2327843295161b110d32ae7eb39f242f8de6f09518891a4a4b3daa2cbae4e45b2b36425f0621894e66fed947516fa5c640e89fa3d94db00edab9a3fe7f4aa60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8S135CEM0UAXVQS9Y8F5.temp

Filesize
7KB

MD5
d8437e1ef5b0b371cd1291490e59b9ac

SHA1
88da34174e4d06c615b1b55d444d51f68610bc9c

SHA256
5255b04954a252bd987fe7a0ba1462a5cc8ba80c2360a107bae4a87da9355431

SHA512
fa574bc2cd98f9a3c55cbe1de10d90d185da1359aed427e228dc192617c34194e640ffb93fce12611266baabaf310b0be22681372ee447c1e47f34a3d47a143f

Download Submit
\Users\Admin\AppData\Local\Temp\groyper.exe

Filesize
6.9MB

MD5
5583b323b1df8c930da5f591e4726d51

SHA1
e52dc8038af6801d40417e556536c000b8cf7590

SHA256
32d4e7271a3e169796115785d47ddd5aefaebd551cbc8a151ea5d4d3d70619d6

SHA512
2b4819ae0a001f41e015692785d77b933f5c0b575663286642b44b0507f9b3c5060dc59e20a16a9843aa88c6442e76642847a5733c0e4af6dd2ef4518b5b56dc

Download Submit
memory/892-40-0x00000000011F0000-0x0000000001218000-memory.dmp

Filesize
160KB

Download
memory/2272-45-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2272-46-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2808-52-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2808-53-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2956-39-0x000007FEF32B0000-0x000007FEF3898000-memory.dmp

Filesize
5.9MB

Download
memory/2956-67-0x000007FEF32B0000-0x000007FEF3898000-memory.dmp

Filesize
5.9MB

Download