xworm | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcb9d68dd68eefabbec3c03cc3e8381.exe
Size

73KB
MD5

0dcb9d68dd68eefabbec3c03cc3e8381
SHA1

2dd5b2b00ede969b27339eade10ae3777338d932
SHA256

537f638fa423a635cb9777e9a20b37c0757695a83c6307c1b482c0d8c932d9e8
SHA512

7176a5870a6ce56d2efed4f158642939714282799b326e3fbe366c4d1b2fdc8ee7441db58941a75b2fdfc58e25ed93f343cb34b8e3243fdd0a1992862452049d
SSDEEP

1536:AFOQ/aiFj51h/7Kxp/kyklHDspvtuuUP+bGzzphSt6EQj8OJ6Fj7o04ySv:AsBxppk9IvYuUP+bGzmPOB04lv

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:2408

front-recommend.gl.at.ply.gg:2408

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral11/memory/2524-1-0x0000000000F50000-0x0000000000F68000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2916	powershell.exe
2808	powershell.exe
2844	powershell.exe
2648	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	0dcb9d68dd68eefabbec3c03cc3e8381.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	0dcb9d68dd68eefabbec3c03cc3e8381.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	0dcb9d68dd68eefabbec3c03cc3e8381.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2916	powershell.exe
2808	powershell.exe
2844	powershell.exe
2648	powershell.exe
2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2916	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	30
PID 2524 wrote to memory of 2916	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	30
PID 2524 wrote to memory of 2916	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	30
PID 2524 wrote to memory of 2808	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	32
PID 2524 wrote to memory of 2808	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	32
PID 2524 wrote to memory of 2808	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	32
PID 2524 wrote to memory of 2844	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	34
PID 2524 wrote to memory of 2844	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	34
PID 2524 wrote to memory of 2844	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	34
PID 2524 wrote to memory of 2648	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	36
PID 2524 wrote to memory of 2648	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	36
PID 2524 wrote to memory of 2648	2524	0dcb9d68dd68eefabbec3c03cc3e8381.exe	36

C:\Users\Admin\AppData\Local\Temp\0dcb9d68dd68eefabbec3c03cc3e8381.exe
"C:\Users\Admin\AppData\Local\Temp\0dcb9d68dd68eefabbec3c03cc3e8381.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0dcb9d68dd68eefabbec3c03cc3e8381.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0dcb9d68dd68eefabbec3c03cc3e8381.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2bb46b1ed128e5bc6e1ef150d890802d

SHA1
d03af750b4a6c915bbd9e6c403e856a4d26aa451

SHA256
29cd881e73dd73ba29c37ec912e3a017f7a76289e8bf4b8ce07db05e98aa3246

SHA512
4caadd7e2382ada9870b8cab14c945ff4565f7619deaa81d5950721215807664259787df7f41c48046879c4f627275e1b31b0c427fbbe49c87a23ca1009e9e9e

Download Submit
memory/2524-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/2524-31-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/2524-32-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2524-33-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/2808-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2808-15-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2916-6-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/2916-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2916-8-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download