xworm | cc95c0db419de3ca25709f4c1abc74ebdb72947b1d4d7e35b4ab6c36ffdee484

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/JhOTKwS.exe
Size

2.1MB
MD5

8940bae456acc0c645a7214d5dbea2e0
SHA1

2fa738795294f52d17aa11d82e9196627e9e6a59
SHA256

87e091406c822e25163cf36de51112a543d191786890c82fa6580fca7cb3ac92
SHA512

4cba088bbd234129344171baa4e027a36ffa058a511ad0c5624fb9cedee88282d9176a00159539b55ada662ca2b7340b3deed27e6af256f315f888514380e8c5
SSDEEP

49152:nEg8nw5HlVc2wz6NtZ1ouOTLLWm/GZm3OEq:nE05FVcH63PFOTLCHm3O

Score

10^/10

xworm discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

37.235.55.68:1987

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral13/memory/2652-16-0x0000000000400000-0x000000000060C000-memory.dmp	family_xworm
behavioral13/files/0x0007000000012118-20.dat	family_xworm
behavioral13/memory/2652-33-0x0000000000400000-0x000000000060C000-memory.dmp	family_xworm
behavioral13/memory/2652-31-0x0000000000400000-0x000000000060C000-memory.dmp	family_xworm
behavioral13/memory/2784-34-0x0000000000BC0000-0x0000000000BD2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2784	iWCLKpajPR.exe
2608	SNOEoANfJ3.exe

Loads dropped DLL 3 IoCs

pid	Process
2652	JhOTKwS.exe
2652	JhOTKwS.exe
2652	JhOTKwS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 62 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
31	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
67	raw.githubusercontent.com
14	raw.githubusercontent.com
25	raw.githubusercontent.com
56	raw.githubusercontent.com
71	raw.githubusercontent.com
12	raw.githubusercontent.com
47	raw.githubusercontent.com
52	raw.githubusercontent.com
8	raw.githubusercontent.com
19	raw.githubusercontent.com
58	raw.githubusercontent.com
30	raw.githubusercontent.com
32	raw.githubusercontent.com
9	raw.githubusercontent.com
17	raw.githubusercontent.com
22	raw.githubusercontent.com
63	raw.githubusercontent.com
69	raw.githubusercontent.com
70	raw.githubusercontent.com
65	raw.githubusercontent.com
21	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
39	raw.githubusercontent.com
48	raw.githubusercontent.com
59	raw.githubusercontent.com
72	raw.githubusercontent.com
20	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
49	raw.githubusercontent.com
51	raw.githubusercontent.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com
61	raw.githubusercontent.com
62	raw.githubusercontent.com
64	raw.githubusercontent.com
66	raw.githubusercontent.com
13	raw.githubusercontent.com
15	raw.githubusercontent.com
53	raw.githubusercontent.com
16	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
37	raw.githubusercontent.com
50	raw.githubusercontent.com
68	raw.githubusercontent.com
29	raw.githubusercontent.com
18	raw.githubusercontent.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
46	raw.githubusercontent.com
57	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 2652	2980	JhOTKwS.exe	30

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	2980	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JhOTKwS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JhOTKwS.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe
2608	SNOEoANfJ3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2608	SNOEoANfJ3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	iWCLKpajPR.exe
Token: SeDebugPrivilege	2608	SNOEoANfJ3.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2652	2980	JhOTKwS.exe	30
PID 2980 wrote to memory of 2740	2980	JhOTKwS.exe	31
PID 2980 wrote to memory of 2740	2980	JhOTKwS.exe	31
PID 2980 wrote to memory of 2740	2980	JhOTKwS.exe	31
PID 2980 wrote to memory of 2740	2980	JhOTKwS.exe	31
PID 2652 wrote to memory of 2784	2652	JhOTKwS.exe	32
PID 2652 wrote to memory of 2784	2652	JhOTKwS.exe	32
PID 2652 wrote to memory of 2784	2652	JhOTKwS.exe	32
PID 2652 wrote to memory of 2784	2652	JhOTKwS.exe	32
PID 2652 wrote to memory of 2608	2652	JhOTKwS.exe	33
PID 2652 wrote to memory of 2608	2652	JhOTKwS.exe	33
PID 2652 wrote to memory of 2608	2652	JhOTKwS.exe	33
PID 2652 wrote to memory of 2608	2652	JhOTKwS.exe	33

C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
  "C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
    "C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
    "C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 524
  2⤵
  - Program crash
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26F8.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOHqs19ozf

Filesize
92KB

MD5
ae2cd96016ba8a9d0c675d9d9badbee7

SHA1
fd9df8750aacb0e75b2463c285c09f3bbd518a69

SHA256
dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04

SHA512
7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d

Download Submit
C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe

Filesize
1.8MB

MD5
4761ea2568c231143ed81463fdf8e01d

SHA1
6c821733e1487e79499e374b97464de323a9be5c

SHA256
37f54e6b882a55e2b461807c3d82eef458a92b3a0eb509096777d3a75e074e7e

SHA512
542dd6e12402f3b0510ee5cd04e1d277177cbce09a532b92714cfa02f5c9dcdbfbfd333b9ca9e5af8e2d697825104178535572c54a44f4084ef50009e7924ea5

Download Submit
\Users\Admin\AppData\Roaming\iWCLKpajPR.exe

Filesize
45KB

MD5
8522913829a30ad563871e12fdd07707

SHA1
6d4fc1b91909a5b267e4cd4f581068fe77e44e6f

SHA256
dcb40abf5ad8a692a62ac722866eb14664d7951b1fa9498091d46a0af0b6813c

SHA512
3fe8eb66c3273a743f97293306cf1eaf30264b6fa187af62d6db533335691867eee51a206341c1b97ec6fd59d6d2c99f44e4958e869e98b9f62bc8a56074f80f

Download Submit
memory/2608-42-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2608-35-0x00000000011B0000-0x0000000001384000-memory.dmp

Filesize
1.8MB

Download
memory/2608-39-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/2608-40-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2608-44-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2608-37-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2652-8-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-14-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-4-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-16-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-33-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-7-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-31-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-3-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-13-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-12-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-6-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2652-5-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2784-34-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2980-15-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-45-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x00000000012F0000-0x0000000001504000-memory.dmp

Filesize
2.1MB

Download