xworm | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe
Size

8.6MB
MD5

22852f82d88f9583ff3f02d8dd9e2987
SHA1

12584d0de1d2c7a74677969075c93cad2124edc0
SHA256

7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907
SHA512

247e76e070b196aab063951c5635a1bb4193af70e5aec88bb82b8865a2b91d7f3095d8e64320f66e654241185a3c61610dff987a0f47db6277cde43996fb9ff5
SSDEEP

196608:3/8c9MdCTp3PWQ7iaa+8G5KQHqUPpWPMZkJE9CHGxxL5HIJ64pEWEVci5:0c9NkCT75Kwq+WPMZk8hN/

Score

10^/10

xworm pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

77.83.242.113:2020

Mutex

miZU0rMm5DElS6cq

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0009000000016ea4-10.dat	family_xworm
behavioral13/memory/1716-13-0x00000000009D0000-0x00000000009DE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2524	Cloner by Casa.exe
1716	ghost.exe
3008	Cloner by Casa.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe
3008	Cloner by Casa.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral13/files/0x000700000001211a-4.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ghost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ghost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	ghost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2524	2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe	30
PID 2548 wrote to memory of 2524	2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe	30
PID 2548 wrote to memory of 2524	2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe	30
PID 2548 wrote to memory of 1716	2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe	32
PID 2548 wrote to memory of 1716	2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe	32
PID 2548 wrote to memory of 1716	2548	7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe	32
PID 2524 wrote to memory of 3008	2524	Cloner by Casa.exe	33
PID 2524 wrote to memory of 3008	2524	Cloner by Casa.exe	33
PID 2524 wrote to memory of 3008	2524	Cloner by Casa.exe	33

C:\Users\Admin\AppData\Local\Temp\7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe
"C:\Users\Admin\AppData\Local\Temp\7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\Cloner by Casa.exe
  "C:\Users\Admin\AppData\Roaming\Cloner by Casa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\Cloner by Casa.exe
    "C:\Users\Admin\AppData\Roaming\Cloner by Casa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3008
- C:\Users\Admin\AppData\Roaming\ghost.exe
  "C:\Users\Admin\AppData\Roaming\ghost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25242\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Roaming\ghost.exe

Filesize
30KB

MD5
171905da4eddf5104144138a66bf92d0

SHA1
7c9f7a556f67585ba0c0d2da6ca08d0c08761feb

SHA256
f283710dee245c076b85b0bc6fd5335528d2566711e809712abd8737b4a4c8b1

SHA512
8d15c9c41acf9362a5be5ac2493d0143a22d4e99dc239c91b28908ba17c9b0ea9e7040623d21a69409ccd1824d57b5eafae608b9816356b70721825e81dc20da

Download Submit
\Users\Admin\AppData\Roaming\Cloner by Casa.exe

Filesize
8.3MB

MD5
66e6140ba9e19c29529dceb265b17b41

SHA1
fefdb348596c3160bac45888d56e6e940a452907

SHA256
bded5cf8faf4c7ff8a7582538cd325da029adcae50b14f38ed4dc6adabc5673b

SHA512
b0a26c3d34e1f1043e06ca759d645d10c7b1ab6f05a1d5e1788714b0d568c27f2763450f2af608cf01c7947dc7f55cc403dfa3355d51c45227f2951e4d5a6944

Download Submit
memory/1716-13-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/1716-43-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-45-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-72-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-73-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000000CA0000-0x0000000001546000-memory.dmp

Filesize
8.6MB

Download