xworm | 35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0103e816984d1e97626e76a8d18d3d.exe
Size

35KB
MD5

fc0103e816984d1e97626e76a8d18d3d
SHA1

2dc01271ff1b12d7371b9b00814b352ec7fec649
SHA256

26dcef17d03bf49ee2800449e47fe58e65a1850463f5bee3ce8d8db47db97ab1
SHA512

88b9d200a949bf8b12ecc41d3020ed8c3f7bfafcf1175203ed5691eabba6c546b204f1f6f2148da168e3849be2312a295a8d118fd269c6b6855b67e7bc87e68d
SSDEEP

768:zDS4bdiN/IGd6fm5Fyw9P+6RO/hIS/g9:S4bdwBAIFP9P+6RO/yIW

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.27:9999

Mutex

Xb1ZZPuPdjP7zT1W

Attributes

Install_directory
%Temp%
install_file
smhost.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral23/memory/2300-1-0x00000000011F0000-0x0000000001200000-memory.dmp	family_xworm
behavioral23/files/0x000f000000012254-31.dat	family_xworm
behavioral23/memory/1244-33-0x0000000000BE0000-0x0000000000BF0000-memory.dmp	family_xworm
behavioral23/memory/1892-35-0x0000000000DB0000-0x0000000000DC0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1048	powershell.exe
2664	powershell.exe
2820	powershell.exe
2580	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1244	smhost.exe
1892	smhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1048	powershell.exe
2664	powershell.exe
2820	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	fc0103e816984d1e97626e76a8d18d3d.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2300	fc0103e816984d1e97626e76a8d18d3d.exe
Token: SeDebugPrivilege	1244	smhost.exe
Token: SeDebugPrivilege	1892	smhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1048	2300	fc0103e816984d1e97626e76a8d18d3d.exe	31
PID 2300 wrote to memory of 1048	2300	fc0103e816984d1e97626e76a8d18d3d.exe	31
PID 2300 wrote to memory of 1048	2300	fc0103e816984d1e97626e76a8d18d3d.exe	31
PID 2300 wrote to memory of 2664	2300	fc0103e816984d1e97626e76a8d18d3d.exe	33
PID 2300 wrote to memory of 2664	2300	fc0103e816984d1e97626e76a8d18d3d.exe	33
PID 2300 wrote to memory of 2664	2300	fc0103e816984d1e97626e76a8d18d3d.exe	33
PID 2300 wrote to memory of 2820	2300	fc0103e816984d1e97626e76a8d18d3d.exe	35
PID 2300 wrote to memory of 2820	2300	fc0103e816984d1e97626e76a8d18d3d.exe	35
PID 2300 wrote to memory of 2820	2300	fc0103e816984d1e97626e76a8d18d3d.exe	35
PID 2300 wrote to memory of 2580	2300	fc0103e816984d1e97626e76a8d18d3d.exe	37
PID 2300 wrote to memory of 2580	2300	fc0103e816984d1e97626e76a8d18d3d.exe	37
PID 2300 wrote to memory of 2580	2300	fc0103e816984d1e97626e76a8d18d3d.exe	37
PID 2300 wrote to memory of 2608	2300	fc0103e816984d1e97626e76a8d18d3d.exe	39
PID 2300 wrote to memory of 2608	2300	fc0103e816984d1e97626e76a8d18d3d.exe	39
PID 2300 wrote to memory of 2608	2300	fc0103e816984d1e97626e76a8d18d3d.exe	39
PID 1628 wrote to memory of 1244	1628	taskeng.exe	42
PID 1628 wrote to memory of 1244	1628	taskeng.exe	42
PID 1628 wrote to memory of 1244	1628	taskeng.exe	42
PID 1628 wrote to memory of 1892	1628	taskeng.exe	43
PID 1628 wrote to memory of 1892	1628	taskeng.exe	43
PID 1628 wrote to memory of 1892	1628	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc0103e816984d1e97626e76a8d18d3d.exe
"C:\Users\Admin\AppData\Local\Temp\fc0103e816984d1e97626e76a8d18d3d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc0103e816984d1e97626e76a8d18d3d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fc0103e816984d1e97626e76a8d18d3d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\smhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "smhost" /tr "C:\Users\Admin\AppData\Local\Temp\smhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2608

C:\Windows\system32\taskeng.exe
taskeng.exe {50B969B5-67FC-44CE-AE63-7AAD783CBD00} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\smhost.exe
  C:\Users\Admin\AppData\Local\Temp\smhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\smhost.exe
  C:\Users\Admin\AppData\Local\Temp\smhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smhost.exe

Filesize
35KB

MD5
fc0103e816984d1e97626e76a8d18d3d

SHA1
2dc01271ff1b12d7371b9b00814b352ec7fec649

SHA256
26dcef17d03bf49ee2800449e47fe58e65a1850463f5bee3ce8d8db47db97ab1

SHA512
88b9d200a949bf8b12ecc41d3020ed8c3f7bfafcf1175203ed5691eabba6c546b204f1f6f2148da168e3849be2312a295a8d118fd269c6b6855b67e7bc87e68d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61d9baf5780f8868dce69584fd3e6f1d

SHA1
fcc31da5088d50cde7921ad51d639b2db2de5e1f

SHA256
6cf1b519d24c71300e26a50f99974d79532cfa395b661b3ed93e6d2dbea364dd

SHA512
e4e2d23004154daa8f198e821cfe4dcb8669817d45cfe9b35eb01519060f543efa0b67ba848738a09ed90881abc29ba0c0b57947c4748e4834185defa765c5ed

Download Submit
memory/1048-6-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1048-7-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1048-8-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1244-33-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1892-35-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2300-28-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2300-27-0x0000000001170000-0x00000000011F0000-memory.dmp

Filesize
512KB

Download
memory/2300-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2300-29-0x0000000001170000-0x00000000011F0000-memory.dmp

Filesize
512KB

Download
memory/2300-1-0x00000000011F0000-0x0000000001200000-memory.dmp

Filesize
64KB

Download
memory/2664-15-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2664-14-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download