xworm | d85a5c0fecaca2bea8850f166dd29dcbc4e007ab34ee7d8ec4a37d80368c1767

Analysis

max time kernel
26s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm_V5.6.rar
Size

22.7MB
MD5

0ba35875f8c027f4e5e2b3026d6e77f0
SHA1

94343c17f309dfe58424610cc3907213cfd75c65
SHA256

d85a5c0fecaca2bea8850f166dd29dcbc4e007ab34ee7d8ec4a37d80368c1767
SHA512

ff425f0f70dadf1ea52fcad7024c31e7e1f4504eb01e12aa3c7f7d73199b6c43ac09495bb4f9801d77eaf34ad14928d9cb30b25536d31a1221384e5f7e275225
SSDEEP

393216:XQF38cJlfLW9VdrlB09QCOJnyodRh8IGMryjJ28AeqzquS69S6Vr1M8h6vcQavYQ:XO38Kf6VdrqQCcCMryjJCe4quZE6VxYm

Score

10^/10

xworm execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00190000000055b1-29.dat	family_xworm
behavioral1/memory/2692-31-0x0000000001190000-0x00000000011C4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0016000000018657-10.dat	net_reactor
behavioral1/files/0x00190000000055b1-29.dat	net_reactor
behavioral1/memory/2692-31-0x0000000001190000-0x00000000011C4000-memory.dmp	net_reactor

Executes dropped EXE 3 IoCs

pid	Process
2940	XwormLoader.exe
2364	Xworm V5.6.exe
2692	taskhostw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\taskhostw.exe	XwormLoader.exe
File opened for modification	C:\Windows\taskhostw.exe	XwormLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2692	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2780	powershell.exe
2552	7zFM.exe
2692	taskhostw.exe
2552	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2552	7zFM.exe
Token: 35	2552	7zFM.exe
Token: SeSecurityPrivilege	2552	7zFM.exe
Token: SeDebugPrivilege	2940	XwormLoader.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2692	taskhostw.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2552	7zFM.exe
2552	7zFM.exe
2552	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	taskhostw.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2940	2552	7zFM.exe	31
PID 2552 wrote to memory of 2940	2552	7zFM.exe	31
PID 2552 wrote to memory of 2940	2552	7zFM.exe	31
PID 2940 wrote to memory of 2364	2940	XwormLoader.exe	33
PID 2940 wrote to memory of 2364	2940	XwormLoader.exe	33
PID 2940 wrote to memory of 2364	2940	XwormLoader.exe	33
PID 2940 wrote to memory of 2780	2940	XwormLoader.exe	34
PID 2940 wrote to memory of 2780	2940	XwormLoader.exe	34
PID 2940 wrote to memory of 2780	2940	XwormLoader.exe	34
PID 2940 wrote to memory of 2612	2940	XwormLoader.exe	36
PID 2940 wrote to memory of 2612	2940	XwormLoader.exe	36
PID 2940 wrote to memory of 2612	2940	XwormLoader.exe	36
PID 2940 wrote to memory of 2692	2940	XwormLoader.exe	38
PID 2940 wrote to memory of 2692	2940	XwormLoader.exe	38
PID 2940 wrote to memory of 2692	2940	XwormLoader.exe	38
PID 2364 wrote to memory of 1744	2364	Xworm V5.6.exe	39
PID 2364 wrote to memory of 1744	2364	Xworm V5.6.exe	39
PID 2364 wrote to memory of 1744	2364	Xworm V5.6.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\7zO8F9B1DC6\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8F9B1DC6\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\7zO8F9B1DC6\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8F9B1DC6\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2364 -s 732
      4⤵
      PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskhostw" /SC ONLOGON /TR "C:\Windows\taskhostw.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2612
- - C:\Windows\taskhostw.exe
    "C:\Windows\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8F9B1DC6\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F9B1DC6\XwormLoader.exe

Filesize
7.9MB

MD5
004c566cb64a9b99f4422a767c072a22

SHA1
ab709644ce1f58b4a1874351a7971dd3fb9466a6

SHA256
d0c67ff5fa0ac161777a95d150fa523e0b26ea106144f99c32de8716a880236e

SHA512
9c0d2fa2bb5137e2d5934ff985c710a371c8f74d67f92a914da0ece44c2660d8abca5d90188ac5088e885d7e197c4ebb3488faf01516435e9e781c367f6bcc65

Download Submit
C:\Windows\taskhostw.exe

Filesize
183KB

MD5
31207a3ec25c1530f368a0298d108a09

SHA1
e80b4ef16a1f3df9764e6e9ae92a5372276a3a83

SHA256
7063531cc8e3c206a2f5c23c033d382dd1f2296650196179f8c64d68588288c8

SHA512
861538173fed16fbadd131659bc4289cd72f0a716d2d84bd9918a2b8c565e1cfdd4656cc40463d4c17356d6b9ab290f5fb0d323bfce9f3ed194993fc7f4fc523

Download Submit
memory/2364-23-0x0000000000A80000-0x0000000001968000-memory.dmp

Filesize
14.9MB

Download
memory/2692-31-0x0000000001190000-0x00000000011C4000-memory.dmp

Filesize
208KB

Download
memory/2780-22-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2780-24-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download