xworm | 3d418b43b753aa207aa32e87d3aac20cb5cb1498852a3d2c310196c7d668fb80

Analysis

max time kernel
118s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper_v2.3.exe
Size

3.0MB
MD5

7744ab1b77f1c5204aacbcc67f80f5bc
SHA1

a1af80b9ca1310167c4f8e772c3959fdf4167f32
SHA256

3d418b43b753aa207aa32e87d3aac20cb5cb1498852a3d2c310196c7d668fb80
SHA512

6760ad3682c7a5eae25c7ec934a0131b13e02f621d4ed4580300aab4659a4601afbcdfe1ada11155a8085be6b0759c38aa810587559a074d4d61ec281566771c
SSDEEP

49152:VmjfxLrv43xqsknxiEgcbMSYKlUgmFLH7G7g569awPsD9sOBfXVfRQ8kQ79u:Vedrg3xTkx3rUNG7a69vPsS6/VfRbksU

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

75.80.209.66:8080

Attributes

Install_directory
%Userprofile%
install_file
RealtekAudioDG.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012102-5.dat	family_xworm
behavioral1/memory/2348-7-0x0000000001160000-0x000000000117A000-memory.dmp	family_xworm
behavioral1/memory/1588-64-0x0000000001090000-0x00000000010AA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
1180	powershell.exe
2708	powershell.exe
2596	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekAudioDG.lnk	Bootstrapper_v2.2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekAudioDG.lnk	Bootstrapper_v2.2.exe

Executes dropped EXE 5 IoCs

pid	Process
2348	Bootstrapper_v2.2.exe
1864	BootstrapperNew (1).exe
1212	Process not Found
1588	RealtekAudioDG.exe
1544	RealtekAudioDG.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	Bootstrapper_v2.3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtekAudioDG = "C:\\Users\\Admin\\RealtekAudioDG.exe"	Bootstrapper_v2.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2708	powershell.exe
2596	powershell.exe
2644	powershell.exe
1180	powershell.exe
2348	Bootstrapper_v2.2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	Bootstrapper_v2.2.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2348	Bootstrapper_v2.2.exe
Token: SeDebugPrivilege	1588	RealtekAudioDG.exe
Token: SeDebugPrivilege	1544	RealtekAudioDG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2348	Bootstrapper_v2.2.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2348	2512	Bootstrapper_v2.3.exe	30
PID 2512 wrote to memory of 2348	2512	Bootstrapper_v2.3.exe	30
PID 2512 wrote to memory of 2348	2512	Bootstrapper_v2.3.exe	30
PID 2512 wrote to memory of 1864	2512	Bootstrapper_v2.3.exe	31
PID 2512 wrote to memory of 1864	2512	Bootstrapper_v2.3.exe	31
PID 2512 wrote to memory of 1864	2512	Bootstrapper_v2.3.exe	31
PID 2348 wrote to memory of 2708	2348	Bootstrapper_v2.2.exe	32
PID 2348 wrote to memory of 2708	2348	Bootstrapper_v2.2.exe	32
PID 2348 wrote to memory of 2708	2348	Bootstrapper_v2.2.exe	32
PID 2348 wrote to memory of 2596	2348	Bootstrapper_v2.2.exe	34
PID 2348 wrote to memory of 2596	2348	Bootstrapper_v2.2.exe	34
PID 2348 wrote to memory of 2596	2348	Bootstrapper_v2.2.exe	34
PID 2348 wrote to memory of 2644	2348	Bootstrapper_v2.2.exe	36
PID 2348 wrote to memory of 2644	2348	Bootstrapper_v2.2.exe	36
PID 2348 wrote to memory of 2644	2348	Bootstrapper_v2.2.exe	36
PID 2348 wrote to memory of 1180	2348	Bootstrapper_v2.2.exe	38
PID 2348 wrote to memory of 1180	2348	Bootstrapper_v2.2.exe	38
PID 2348 wrote to memory of 1180	2348	Bootstrapper_v2.2.exe	38
PID 2348 wrote to memory of 2000	2348	Bootstrapper_v2.2.exe	40
PID 2348 wrote to memory of 2000	2348	Bootstrapper_v2.2.exe	40
PID 2348 wrote to memory of 2000	2348	Bootstrapper_v2.2.exe	40
PID 2608 wrote to memory of 1588	2608	taskeng.exe	45
PID 2608 wrote to memory of 1588	2608	taskeng.exe	45
PID 2608 wrote to memory of 1588	2608	taskeng.exe	45
PID 2608 wrote to memory of 1544	2608	taskeng.exe	46
PID 2608 wrote to memory of 1544	2608	taskeng.exe	46
PID 2608 wrote to memory of 1544	2608	taskeng.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper_v2.3.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper_v2.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\Bootstrapper_v2.2.exe
  "C:\Users\Admin\Bootstrapper_v2.2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Bootstrapper_v2.2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bootstrapper_v2.2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RealtekAudioDG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RealtekAudioDG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RealtekAudioDG" /tr "C:\Users\Admin\RealtekAudioDG.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2000
- C:\Users\Admin\BootstrapperNew (1).exe
  "C:\Users\Admin\BootstrapperNew (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {10E3A92E-22C9-439B-ADE2-AB31FC433091} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\RealtekAudioDG.exe
  C:\Users\Admin\RealtekAudioDG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Users\Admin\RealtekAudioDG.exe
  C:\Users\Admin\RealtekAudioDG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d194bf050c457b2dc6b80cc007295550

SHA1
672302a7283cf21e443daa55632f3483c33ce6cb

SHA256
83a2f2c48f78b0dd33f81df81289509739908eaf0eff45655ed7e33457ac5fb7

SHA512
146b039b25961923ac6070dd7555f9de5c10fadd27412a46b9b72c21688aad6aca7db4616261ee094b7af9736632f7479c3925d8554430c3d400c5c86acf73a9

Download Submit
C:\Users\Admin\Bootstrapper_v2.2.exe

Filesize
78KB

MD5
e237ba50d7c4c0d84f956a5168a78b49

SHA1
d61a3b653ba7b93e93b7e390e4dd1dda487b1e0d

SHA256
8b9f724111d915222ae03f66af3a00bcc4273dbe3474bd702bf34a067c256956

SHA512
ddd7f4c4f02a277c3227d575c09d66f2056ccbee50fd9ccd9901cf221638909ab865244c8e0f41e8ad3c2d33ece03da06f7472b4148186b7b563661cae60f759

Download Submit
\Users\Admin\BootstrapperNew (1).exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
memory/1588-64-0x0000000001090000-0x00000000010AA000-memory.dmp

Filesize
104KB

Download
memory/1864-24-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

Filesize
88KB

Download
memory/1864-26-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/1864-17-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1864-16-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1864-18-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/1864-20-0x000000001CEE0000-0x000000001CFE0000-memory.dmp

Filesize
1024KB

Download
memory/1864-21-0x0000000001380000-0x000000000138A000-memory.dmp

Filesize
40KB

Download
memory/1864-22-0x0000000001390000-0x00000000013B6000-memory.dmp

Filesize
152KB

Download
memory/1864-23-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/1864-59-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1864-25-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

Filesize
40KB

Download
memory/1864-15-0x00000000013C0000-0x00000000016A2000-memory.dmp

Filesize
2.9MB

Download
memory/1864-27-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download
memory/2348-14-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-7-0x0000000001160000-0x000000000117A000-memory.dmp

Filesize
104KB

Download
memory/2348-57-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-58-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-60-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-0-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

Filesize
4KB

Download
memory/2512-1-0x0000000000B50000-0x0000000000E4A000-memory.dmp

Filesize
3.0MB

Download
memory/2596-40-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2596-41-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2708-33-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2708-34-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download