xworm | b21970eb9efd571d0244356f6b6a96a612527e20b416747e8572c52d30ea5b57

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7.exe
Size

302KB
MD5

ad169b56eca575c76b5c8662eaafe750
SHA1

8856d6a0532b62af6e6f8e1f6d86bb9433ea12d2
SHA256

b21970eb9efd571d0244356f6b6a96a612527e20b416747e8572c52d30ea5b57
SHA512

cb12c03c6f37e4853349f59470caf763c21dea36d189fb46a85178779df844f6e057080c5804b6441e3a7fbcc881bf60972a88d335a0db5d4fed0997bed5387b
SSDEEP

1536:AQPS0VyRe/kqne5mcDf2c+oH5FlZn2AniQuLvyQIs+oitUKw71nztWGlSBSdkxLZ:AZ0dcEhPorlFeVABf9vtrjxlDE4

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

feb-arrested.gl.at.ply.gg:17830

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-5.dat	family_xworm
behavioral1/memory/2748-8-0x0000000000030000-0x0000000000064000-memory.dmp	family_xworm
behavioral1/memory/3056-59-0x0000000001140000-0x0000000001174000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
2224	powershell.exe
1152	powershell.exe
2340	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	Cloud.exe
3056	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	Cloud.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1300	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1284	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2748	Cloud.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2256	powershell.exe
2224	powershell.exe
1152	powershell.exe
2340	powershell.exe
2748	Cloud.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2996	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	Cloud.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2748	Cloud.exe
Token: SeDebugPrivilege	3056	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2996	AcroRd32.exe
2996	AcroRd32.exe
2748	Cloud.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2748	2428	7.exe	30
PID 2428 wrote to memory of 2748	2428	7.exe	30
PID 2428 wrote to memory of 2748	2428	7.exe	30
PID 2428 wrote to memory of 2936	2428	7.exe	31
PID 2428 wrote to memory of 2936	2428	7.exe	31
PID 2428 wrote to memory of 2936	2428	7.exe	31
PID 2748 wrote to memory of 2256	2748	Cloud.exe	33
PID 2748 wrote to memory of 2256	2748	Cloud.exe	33
PID 2748 wrote to memory of 2256	2748	Cloud.exe	33
PID 2936 wrote to memory of 2996	2936	rundll32.exe	35
PID 2936 wrote to memory of 2996	2936	rundll32.exe	35
PID 2936 wrote to memory of 2996	2936	rundll32.exe	35
PID 2936 wrote to memory of 2996	2936	rundll32.exe	35
PID 2748 wrote to memory of 2224	2748	Cloud.exe	36
PID 2748 wrote to memory of 2224	2748	Cloud.exe	36
PID 2748 wrote to memory of 2224	2748	Cloud.exe	36
PID 2748 wrote to memory of 1152	2748	Cloud.exe	38
PID 2748 wrote to memory of 1152	2748	Cloud.exe	38
PID 2748 wrote to memory of 1152	2748	Cloud.exe	38
PID 2748 wrote to memory of 2340	2748	Cloud.exe	40
PID 2748 wrote to memory of 2340	2748	Cloud.exe	40
PID 2748 wrote to memory of 2340	2748	Cloud.exe	40
PID 2748 wrote to memory of 1284	2748	Cloud.exe	42
PID 2748 wrote to memory of 1284	2748	Cloud.exe	42
PID 2748 wrote to memory of 1284	2748	Cloud.exe	42
PID 2412 wrote to memory of 3056	2412	taskeng.exe	46
PID 2412 wrote to memory of 3056	2412	taskeng.exe	46
PID 2412 wrote to memory of 3056	2412	taskeng.exe	46
PID 2748 wrote to memory of 2076	2748	Cloud.exe	47
PID 2748 wrote to memory of 2076	2748	Cloud.exe	47
PID 2748 wrote to memory of 2076	2748	Cloud.exe	47
PID 2748 wrote to memory of 984	2748	Cloud.exe	49
PID 2748 wrote to memory of 984	2748	Cloud.exe	49
PID 2748 wrote to memory of 984	2748	Cloud.exe	49
PID 984 wrote to memory of 1300	984	cmd.exe	51
PID 984 wrote to memory of 1300	984	cmd.exe	51
PID 984 wrote to memory of 1300	984	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\Cloud.exe
  "C:\Users\Admin\AppData\Roaming\Cloud.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Cloud.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Cloud.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1284
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
    3⤵
    PID:2076
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1300
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\uCRT.props
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\uCRT.props"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2996

C:\Windows\system32\taskeng.exe
taskeng.exe {4E3D5B3C-2F4E-429F-A1EC-4E1BA37AFCF3} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.bat

Filesize
154B

MD5
b0ba125f0c3612df4d5498d6be5517ce

SHA1
0866597e25122b8a0bf5c010c6ae65df45bab0f8

SHA256
2f9573ed927d96adef5f4ff7d4f2c09ccf64c05001541e4f673a80445a162eee

SHA512
bbbcb6b9fcd77c4129e0a0fff91e04d0522eb99aebb76d7a49a9c8254a6b9e06d961d985e93adbeea3e8820d444356ee2cbf47539677a774982fa5935a04111c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
bdd4b1f3c885ab576a833a183021d0c8

SHA1
34c3a1a50c299ae4329299550ccf6d7b65ff6cbf

SHA256
92b28d1aef36fabb1d9b5d3442be481450c4d16632e1501f3df64c9c5071c819

SHA512
814591c4d731dbcfc5c41fb28a89865a5ab52a633d633da25fe4fbfe9c580266601f342e7b2a1ab0ef5bcd8e4e451a31e61ed5e7eec13f500d26a4d5d3a52f46

Download Submit
C:\Users\Admin\AppData\Roaming\Cloud.exe

Filesize
186KB

MD5
bea3a6d3fe25fde4a5837129ff579eff

SHA1
90ab2a9b6692a7efeec4cad65bc449d6134087d9

SHA256
6bb2751248b7d9bf1076139d5abaee7bb6473e7375827052e68b6726cd6b80b8

SHA512
34f45e59d7587ff54c45d75d6df63109cc7c886ffb3de7820ac1db8236dafa5ad489c11338314121ba9829a7803d366aeea3833fbd0e99e02cc4a1cde0ae84c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38b2d6583e0a37b378f43d0781d24bfd

SHA1
ff0673a0eb1a729944883bc0d59b3670b3c3df42

SHA256
1948c11029f61efa2726db0d1397cf1c75e9e06bba5b0ec5882433616752aff3

SHA512
88f0627c06fb5caefa9d6f99d8b121d4bac0cdf41abd6e3699cc9299cedc9fcab6d987cfc439e5b1f2ffbeccc6800bd82c35693676dd2d180361a3a30c2abaef

Download Submit
C:\Users\Admin\AppData\Roaming\uCRT.props

Filesize
1KB

MD5
8cac1e1cb5d67bffb3fb41970f8c67e6

SHA1
49c023a0b05c3ee689279be4a317daefbbd81577

SHA256
f41047413edf769db446309de1b83cebfe908ca82b50388b38bf575a19089316

SHA512
4421cb02e07851b2e3c050cf875c02d6b271309dc8db05e0ea8cb3d2cc21c533b77de091eac80d2f44e95ee88166edef313140383fc9515318e81412dfa59587

Download Submit
memory/1152-30-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/1152-29-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2224-22-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2224-23-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2256-15-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2256-14-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000000030000-0x0000000000080000-memory.dmp

Filesize
320KB

Download
memory/2748-9-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-38-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-8-0x0000000000030000-0x0000000000064000-memory.dmp

Filesize
208KB

Download
memory/2748-68-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-59-0x0000000001140000-0x0000000001174000-memory.dmp

Filesize
208KB

Download