xworm | 3d418b43b753aa207aa32e87d3aac20cb5cb1498852a3d2c310196c7d668fb80

Analysis

max time kernel
128s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper_v2.3.exe
Size

3.0MB
MD5

7744ab1b77f1c5204aacbcc67f80f5bc
SHA1

a1af80b9ca1310167c4f8e772c3959fdf4167f32
SHA256

3d418b43b753aa207aa32e87d3aac20cb5cb1498852a3d2c310196c7d668fb80
SHA512

6760ad3682c7a5eae25c7ec934a0131b13e02f621d4ed4580300aab4659a4601afbcdfe1ada11155a8085be6b0759c38aa810587559a074d4d61ec281566771c
SSDEEP

49152:VmjfxLrv43xqsknxiEgcbMSYKlUgmFLH7G7g569awPsD9sOBfXVfRQ8kQ79u:Vedrg3xTkx3rUNG7a69vPsS6/VfRbksU

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

75.80.209.66:8080

Attributes

Install_directory
%Userprofile%
install_file
RealtekAudioDG.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0003000000012000-5.dat	family_xworm
behavioral1/memory/2812-7-0x0000000000200000-0x000000000021A000-memory.dmp	family_xworm
behavioral1/memory/1264-64-0x0000000001140000-0x000000000115A000-memory.dmp	family_xworm
behavioral1/memory/920-66-0x00000000011F0000-0x000000000120A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
580	powershell.exe
2396	powershell.exe
1720	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekAudioDG.lnk	Bootstrapper_v2.2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekAudioDG.lnk	Bootstrapper_v2.2.exe

Executes dropped EXE 5 IoCs

pid	Process
2812	Bootstrapper_v2.2.exe
2552	BootstrapperNew (1).exe
1196	Process not Found
1264	RealtekAudioDG.exe
920	RealtekAudioDG.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	Bootstrapper_v2.3.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtekAudioDG = "C:\\Users\\Admin\\RealtekAudioDG.exe"	Bootstrapper_v2.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2624	powershell.exe
580	powershell.exe
2396	powershell.exe
1720	powershell.exe
2812	Bootstrapper_v2.2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	Bootstrapper_v2.2.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2812	Bootstrapper_v2.2.exe
Token: SeDebugPrivilege	1264	RealtekAudioDG.exe
Token: SeDebugPrivilege	920	RealtekAudioDG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2812	Bootstrapper_v2.2.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2812	2228	Bootstrapper_v2.3.exe	30
PID 2228 wrote to memory of 2812	2228	Bootstrapper_v2.3.exe	30
PID 2228 wrote to memory of 2812	2228	Bootstrapper_v2.3.exe	30
PID 2228 wrote to memory of 2552	2228	Bootstrapper_v2.3.exe	31
PID 2228 wrote to memory of 2552	2228	Bootstrapper_v2.3.exe	31
PID 2228 wrote to memory of 2552	2228	Bootstrapper_v2.3.exe	31
PID 2812 wrote to memory of 2624	2812	Bootstrapper_v2.2.exe	32
PID 2812 wrote to memory of 2624	2812	Bootstrapper_v2.2.exe	32
PID 2812 wrote to memory of 2624	2812	Bootstrapper_v2.2.exe	32
PID 2812 wrote to memory of 580	2812	Bootstrapper_v2.2.exe	34
PID 2812 wrote to memory of 580	2812	Bootstrapper_v2.2.exe	34
PID 2812 wrote to memory of 580	2812	Bootstrapper_v2.2.exe	34
PID 2812 wrote to memory of 2396	2812	Bootstrapper_v2.2.exe	36
PID 2812 wrote to memory of 2396	2812	Bootstrapper_v2.2.exe	36
PID 2812 wrote to memory of 2396	2812	Bootstrapper_v2.2.exe	36
PID 2812 wrote to memory of 1720	2812	Bootstrapper_v2.2.exe	38
PID 2812 wrote to memory of 1720	2812	Bootstrapper_v2.2.exe	38
PID 2812 wrote to memory of 1720	2812	Bootstrapper_v2.2.exe	38
PID 2812 wrote to memory of 1808	2812	Bootstrapper_v2.2.exe	40
PID 2812 wrote to memory of 1808	2812	Bootstrapper_v2.2.exe	40
PID 2812 wrote to memory of 1808	2812	Bootstrapper_v2.2.exe	40
PID 3068 wrote to memory of 1264	3068	taskeng.exe	44
PID 3068 wrote to memory of 1264	3068	taskeng.exe	44
PID 3068 wrote to memory of 1264	3068	taskeng.exe	44
PID 3068 wrote to memory of 920	3068	taskeng.exe	45
PID 3068 wrote to memory of 920	3068	taskeng.exe	45
PID 3068 wrote to memory of 920	3068	taskeng.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper_v2.3.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper_v2.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\Bootstrapper_v2.2.exe
  "C:\Users\Admin\Bootstrapper_v2.2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Bootstrapper_v2.2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bootstrapper_v2.2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RealtekAudioDG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RealtekAudioDG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RealtekAudioDG" /tr "C:\Users\Admin\RealtekAudioDG.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1808
- C:\Users\Admin\BootstrapperNew (1).exe
  "C:\Users\Admin\BootstrapperNew (1).exe"
  2⤵
  - Executes dropped EXE
  PID:2552

C:\Windows\system32\taskeng.exe
taskeng.exe {B2A1B13F-24F9-4CC7-A577-25A986C8ED4B} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\RealtekAudioDG.exe
  C:\Users\Admin\RealtekAudioDG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Users\Admin\RealtekAudioDG.exe
  C:\Users\Admin\RealtekAudioDG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
75eed72d2c1e3774a1ee6674d49c16b3

SHA1
d8db0a12bc0343cf6941cdcaaf74890c8f6d43c6

SHA256
22d56cc7eb5382e9c35116b6dd0256d5424daa17b239e8ca625416277001e752

SHA512
5c4b39a205b6e8f7bacf775e856d6bda91e69c96b47b9f9250bf431563f7f59e7a7e18a2bb224a5c5eaa707d21d011041ee91a49ae10444f0aa998d64faefb53

Download Submit
C:\Users\Admin\Bootstrapper_v2.2.exe

Filesize
78KB

MD5
e237ba50d7c4c0d84f956a5168a78b49

SHA1
d61a3b653ba7b93e93b7e390e4dd1dda487b1e0d

SHA256
8b9f724111d915222ae03f66af3a00bcc4273dbe3474bd702bf34a067c256956

SHA512
ddd7f4c4f02a277c3227d575c09d66f2056ccbee50fd9ccd9901cf221638909ab865244c8e0f41e8ad3c2d33ece03da06f7472b4148186b7b563661cae60f759

Download Submit
\Users\Admin\BootstrapperNew (1).exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
memory/580-41-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/580-40-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/920-66-0x00000000011F0000-0x000000000120A000-memory.dmp

Filesize
104KB

Download
memory/1264-64-0x0000000001140000-0x000000000115A000-memory.dmp

Filesize
104KB

Download
memory/2228-1-0x0000000000A10000-0x0000000000D0A000-memory.dmp

Filesize
3.0MB

Download
memory/2228-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2552-16-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2552-21-0x000000001B050000-0x000000001B05A000-memory.dmp

Filesize
40KB

Download
memory/2552-23-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/2552-24-0x000000001B0B0000-0x000000001B0C6000-memory.dmp

Filesize
88KB

Download
memory/2552-25-0x000000001B090000-0x000000001B09A000-memory.dmp

Filesize
40KB

Download
memory/2552-26-0x000000001B040000-0x000000001B04A000-memory.dmp

Filesize
40KB

Download
memory/2552-27-0x000000001B0D0000-0x000000001B0D8000-memory.dmp

Filesize
32KB

Download
memory/2552-58-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2552-15-0x00000000010A0000-0x0000000001382000-memory.dmp

Filesize
2.9MB

Download
memory/2552-22-0x000000001B060000-0x000000001B086000-memory.dmp

Filesize
152KB

Download
memory/2552-20-0x000000001E5C0000-0x000000001E6C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-17-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/2624-34-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2624-33-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2812-57-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-59-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-14-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-7-0x0000000000200000-0x000000000021A000-memory.dmp

Filesize
104KB

Download