Analysis
- max time kernel: 60s
- max time network: 61s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 13:42
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool/releases/download/download/XWorm.rar
  - Resource: win10v2004-20240508-en
General
- Target: https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool/releases/download/download/XWorm.rar

Malware Config

Signatures
Detect rhadamanthys stealer shellcode (6 IoCs)
YARA rule family_rhadamanthys matched in process memory (resource behavioral1):
- memory/620-131-0x00000000022F0000-0x00000000026F0000-memory.dmp
- memory/620-132-0x00000000022F0000-0x00000000026F0000-memory.dmp
- memory/620-133-0x00000000022F0000-0x00000000026F0000-memory.dmp
- memory/620-134-0x00000000022F0000-0x00000000026F0000-memory.dmp
- memory/4128-139-0x0000000002410000-0x0000000002810000-memory.dmp
- memory/4128-138-0x0000000002410000-0x0000000002810000-memory.dmp
All six hits fall on a single 4.0 MB region in each XWorm.exe process (0x22F0000-0x26F0000 in PID 620, 0x2410000-0x2810000 in PID 4128), matched in successive memory snapshots. The detection is on in-memory code: the XWorm.exe file on disk is 456 KB (see Downloads below) and no file-based rule fires on it. Note that the sample is distributed as "XWorm v5 Remote Access Tool" but the payload identified in memory is Rhadamanthys.

Rhadamanthys
Rhadamanthys is an information stealer written in C++, first seen in August 2022.
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 620: XWorm.exe
- PID 4128: XWorm.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process XWorm.exe:
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
The sandbox image presents its disk with the vendor/product identifiers DADY and HARDDISK rather than a hypervisor string such as VBOX, VMware or QEMU, so a check that only matches known hypervisor vendor names in the device path or HardwareID would not trip here. In the process tree below this behaviour is attributed to the first XWorm.exe instance (PID 620) only.
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process firefox.exe:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
These reads are attributed to firefox.exe (PID 5108), not to XWorm.exe. A browser reading CentralProcessor\0 is expected behaviour and is not evidence of evasion by the sample; the SCSI enumeration above is the only hardware check the trace attributes to XWorm.exe.
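The two registry checks above (the SCSI device enumeration by XWorm.exe and the CentralProcessor\0 reads) are the classic hardware-fingerprint class of anti-VM check. The following is an added analyst example, not code from the sample, the report or the sandbox: it evaluates a snapshot of exactly those keys with the kind of vendor-string heuristic such checks commonly use, and can read the same keys from a live Windows machine so you can test whether your own sandbox image would pass. The marker list is an assumption about what these checks typically match on, and all value contents are constructed, since the report shows only the key names (the device instance path is the one XWorm.exe opened; the VMware instance ID is invented).

```python
"""Analyst re-implementation of the registry reads the report records: XWorm.exe
enumerating SYSTEM\\ControlSet001\\Enum\\SCSI and querying a disk instance's
HardwareID, and (attributed to firefox.exe) reading CentralProcessor\\0.
Added example, not code from the sample, the report or the sandbox. The marker
list is an assumption about what such anti-VM checks typically match on, and all
value contents are constructed: the report shows only the key names."""
import platform
from typing import Dict, List

SCSI_ENUM = r"SYSTEM\ControlSet001\Enum\SCSI"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
# Substrings commonly present in hypervisor-provided device names (assumption).
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTIO", "XEN", "VIRTUAL", "HYPER-V")

# value path -> REG_SZ (str), REG_MULTI_SZ (list of str) or REG_DWORD (int);
# the SCSI_ENUM key itself maps to its list of device subkeys.
RegistrySnapshot = Dict[str, object]

# Constructed snapshot of the image the report ran on: the device instance path
# is the one XWorm.exe opened; HardwareID and CPU values are assumed.
SANDBOX_FROM_REPORT: RegistrySnapshot = {
    SCSI_ENUM: ["Disk&Ven_DADY&Prod_HARDDISK"],
    SCSI_ENUM + r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID": [
        r"SCSI\DiskDADY____HARDDISK________", r"SCSI\DiskDADY____", "GenDisk"],
    CPU_KEY + r"\VendorIdentifier": "GenuineIntel",
    CPU_KEY + r"\ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz",
    CPU_KEY + r"\~Mhz": 3000,
}

# Constructed snapshot of an unhardened VMware guest (instance ID invented).
VMWARE_GUEST: RegistrySnapshot = {
    SCSI_ENUM: ["Disk&Ven_VMware&Prod_Virtual_disk"],
    SCSI_ENUM + r"\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000\HardwareID": [
        r"SCSI\DiskVMware__Virtual_disk____2.0_", r"SCSI\DiskVMware__", "GenDisk"],
    CPU_KEY + r"\VendorIdentifier": "GenuineIntel",
    CPU_KEY + r"\ProcessorNameString": "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz",
    CPU_KEY + r"\~Mhz": 2400,
}


def vm_indicators(reg: RegistrySnapshot) -> List[str]:
    """Return one line per hypervisor marker found in the keys the report lists."""
    hits: List[str] = []
    for path, value in reg.items():
        if not path.startswith(SCSI_ENUM):
            continue
        # The device instance path (Disk&Ven_...&Prod_...) plus any string values.
        texts = [path[len(SCSI_ENUM):]]
        texts += value if isinstance(value, list) else [str(value)]
        for text in texts:
            for marker in HYPERVISOR_MARKERS:
                if marker in text.upper():
                    hits.append(f"{marker} in {path}: {text}")
    vendor = str(reg.get(CPU_KEY + r"\VendorIdentifier", ""))
    if vendor not in ("GenuineIntel", "AuthenticAMD"):
        hits.append(f"unexpected CPU VendorIdentifier {vendor!r}")
    cpu_name = str(reg.get(CPU_KEY + r"\ProcessorNameString", ""))
    for marker in HYPERVISOR_MARKERS:
        if marker in cpu_name.upper():
            hits.append(f"{marker} in ProcessorNameString: {cpu_name}")
    return hits


def looks_like_vm(reg: RegistrySnapshot) -> bool:
    return bool(vm_indicators(reg))


def live_snapshot() -> RegistrySnapshot:
    """Read the same keys from the local machine (Windows only), so an analyst
    can check whether a sandbox image would pass this class of check."""
    if platform.system() != "Windows":
        raise RuntimeError("live registry reads need Windows")
    import winreg  # Windows-only module, imported lazily on purpose
    reg: RegistrySnapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM) as scsi:
        devices = [winreg.EnumKey(scsi, i) for i in range(winreg.QueryInfoKey(scsi)[0])]
        reg[SCSI_ENUM] = devices
        for dev in devices:
            with winreg.OpenKey(scsi, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    inst = winreg.EnumKey(devkey, j)
                    with winreg.OpenKey(devkey, inst) as instkey:
                        hwid, _ = winreg.QueryValueEx(instkey, "HardwareID")
                        reg[f"{SCSI_ENUM}\\{dev}\\{inst}\\HardwareID"] = hwid
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as cpu:
        for name in ("VendorIdentifier", "ProcessorNameString", "~Mhz"):
            reg[f"{CPU_KEY}\\{name}"] = winreg.QueryValueEx(cpu, name)[0]
    return reg


if __name__ == "__main__":
    for label, snap in (("report image", SANDBOX_FROM_REPORT), ("VMware guest", VMWARE_GUEST)):
        print(f"{label}: {'VM markers found' if looks_like_vm(snap) else 'no VM markers'}")
        for line in vm_indicators(snap):
            print("   ", line)
```

Run `vm_indicators(live_snapshot())` on a candidate analysis VM: an empty list means the disk vendor and CPU strings, at least, would not betray the hypervisor to a check of this shape, which is the state the DADY/HARDDISK device in this report reflects.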
Modifies registry class (1 IoCs)
Process firefox.exe:
- Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings
NTFS ADS (1 IoCs)
Process firefox.exe:
- File created: C:\Users\Admin\Downloads\XWorm.rar:Zone.Identifier
This is the Mark-of-the-Web stream the browser attaches to a file downloaded from the Internet zone. The report records no Zone.Identifier stream on the extracted C:\Users\Admin\Downloads\XWorm\XWorm.exe, so whether the executable inherited the mark depends on 7-Zip's Zone.Identifier propagation setting, which this trace does not show.
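The Zone.Identifier stream the report shows firefox.exe writing is a small INI-formatted file living in an alternate data stream. The following added example (not code from the page, the sample or the sandbox) parses such a stream, classifies the zone, and reads the stream off a file on NTFS. The report lists only the stream's existence, not its contents, so the stream body embedded here is constructed; its URLs are taken from the report's target.

```python
"""Parse and evaluate a Zone.Identifier alternate data stream (Mark-of-the-Web).
The report shows firefox.exe creating C:\\Users\\Admin\\Downloads\\XWorm.rar:Zone.Identifier
but not its contents, so the stream body below is constructed for the example.
Added example; not code from the page, the sample or the sandbox."""
import configparser
from typing import Dict, Optional

# URLZONE values as Windows defines them (0-4).
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}

# Constructed stream body; the URLs are derived from the report's target URL.
CONSTRUCTED_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool/releases
HostUrl=https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool/releases/download/download/XWorm.rar
"""


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the [ZoneTransfer] fields of a Zone.Identifier stream, or {} if the
    text is not such a stream. Tolerates a UTF-8 BOM and CRLF line endings."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep ZoneId/HostUrl casing instead of lower-casing
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return {}
    if not cp.has_section("ZoneTransfer"):
        return {}
    return dict(cp.items("ZoneTransfer"))


def zone_id(fields: Dict[str, str]) -> Optional[int]:
    try:
        return int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None


def is_from_internet(fields: Dict[str, str]) -> bool:
    """True for the Internet (3) and Untrusted (4) zones: the cases in which
    SmartScreen / Office Protected View treat the file as untrusted."""
    z = zone_id(fields)
    return z is not None and z >= 3


def describe(fields: Dict[str, str]) -> str:
    z = zone_id(fields)
    name = ZONE_NAMES.get(z, "unknown") if z is not None else "no ZoneId"
    return (f"zone {z} ({name}); host={fields.get('HostUrl', '?')}; "
            f"referrer={fields.get('ReferrerUrl', '?')}")


def read_motw(path: str) -> Optional[Dict[str, str]]:
    """Read a file's Zone.Identifier stream on NTFS (Windows); None if absent.
    Use it on both the archive and the extracted executable to see whether the
    mark propagated."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8-sig") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    fields = parse_zone_identifier(CONSTRUCTED_STREAM)
    print(describe(fields))
    print("treated as Internet download:", is_from_internet(fields))
    for p in (r"C:\Users\Admin\Downloads\XWorm.rar", r"C:\Users\Admin\Downloads\XWorm\XWorm.exe"):
        motw = read_motw(p)
        print(p, "->", describe(motw) if motw else "no Zone.Identifier stream")
```

On the analysis VM, calling `read_motw` on the archive and then on the extracted XWorm.exe answers the propagation question the report leaves open: a `None` for the executable means the archiver dropped the mark and the binary ran without the Internet-zone checks that would otherwise apply.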
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 620: XWorm.exe (2 entries)
- PID 4128: XWorm.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
- firefox.exe (PID 5108): SeDebugPrivilege (3 entries)
- 7zG.exe (PID 3848): SeRestorePrivilege; privilege 35 (the LUID value of SeCreateSymbolicLinkPrivilege); SeSecurityPrivilege (2 entries)
- XWorm.exe (PID 620): SeShutdownPrivilege; SeCreatePagefilePrivilege
Only the last two entries belong to the sample; the browser and archiver entries are consistent with their normal operation.
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- PID 5108: firefox.exe (4 entries)
- PID 3848: 7zG.exe (1 entry)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
- PID 5108: firefox.exe (3 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- PID 5108: firefox.exe (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to target PID; source and target are both firefox.exe):
- 3080 -> 5108: 11 entries
- 5108 -> 1336: 43 entries
- 5108 -> 548: 10 entries
All 64 writes are firefox.exe writing into its own child processes, which is how the browser launches content processes; no write into XWorm.exe, or by XWorm.exe, is recorded.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No process or IoC is attributed to this TTP in the trace, so it should not be read as evidence of a scheduled-task persistence mechanism without a corresponding process entry.
Processes
(PIDs are taken from the signature tables above; nesting shows parent/child. XWorm.exe runs as two top-level processes, not as children of firefox.exe or 7zG.exe.)

- firefox.exe (PID 3080)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool/releases/download/download/XWorm.rar"
  Signatures: Suspicious use of WriteProcessMemory
  - firefox.exe (PID 5108)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool/releases/download/download/XWorm.rar
    Signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - firefox.exe (gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.0.1165275093\1330521276" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c567ebd0-4f1d-418d-9cbf-dceebcc8c43b} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 1880 296496b1d58 gpu
    - firefox.exe (socket process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.1.1476260898\158435896" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5fffc7-dff9-4964-be8b-8d8182f9345e} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2488 2963548c958 socket
    - firefox.exe (tab, childID 1)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.2.1361860170\1008957759" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1016 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8890c89f-9b85-4d10-80e0-e7f6efc76662} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2976 2964869b558 tab
    - firefox.exe (tab, childID 2)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.3.1396352248\868873515" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1016 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a91127-bea1-4d83-87bd-921a9620a22f} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 3684 2964e1c6a58 tab
    - firefox.exe (tab, childID 3)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.4.1489385991\654782256" -childID 3 -isForBrowser -prefsHandle 5072 -prefMapHandle 5024 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1016 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8449a6e5-3992-429c-b1fe-14d356e0f723} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5080 2964fc19258 tab
    - firefox.exe (tab, childID 4)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.5.1861505389\1569848277" -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1016 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {636a987b-e541-47c6-a23c-771a3c001db4} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5212 2964fc1cb58 tab
    - firefox.exe (tab, childID 5)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.6.1020698775\620942506" -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1016 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29096412-72b8-4cd6-8abe-1dad555cb5b2} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5404 2964fc1ad58 tab

- rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- 7zG.exe (PID 3848)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm\" -spe -an -ai#7zMap11102:72:7zEvent6577
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- XWorm.exe (PID 620)
  Command line: "C:\Users\Admin\Downloads\XWorm\XWorm.exe"
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- XWorm.exe (PID 4128)
  Command line: "C:\Users\Admin\Downloads\XWorm\XWorm.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
(The sample-related file artefacts are the in-progress download of the archive, XWorm.zJgeySBq.rar.part, and the extracted XWorm.exe; the Firefox profile files are browser housekeeping. The memory entries are the dumps referenced by the YARA hits above.)

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 28KB
  MD5: eafcbce50beed51d78e5e6a987445ce3
  SHA1: 36cee26d5e1cb7a8fa1b5651a4359076bc8f77bb
  SHA256: 568068a1880a3f9da40b795974e79e66bd24941a733051e2a62d7f2e813baf7e
  SHA512: db482ce72279bea066d61b0ba49196c672903a19be72292494c5d7b4fce705133c94d699676ca7ae30bb3ca7c0e6af454bd35dcf98ea0282f2d84f8af834619c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js
  Filesize: 7KB
  MD5: a9a82a6d2aa9e75c3c727cdc567858a3
  SHA1: f9152f5217618c444b5314e37de127b658c156e5
  SHA256: b2decc94370b536f5606730420373ce49ee27d93318e76c9cbafd61eb3102ad9
  SHA512: c4c185df957a73a410666c5e468514d3dc3eda2c4fc071470b7ed9cbdd4d14f303a05f2ba69cb2fe2b2602ded01034df2246fba938cd15971dabff00032baaba

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs.js
  Filesize: 6KB
  MD5: 8cc506d387994ad6f3c0891b5ddc684a
  SHA1: 7617a2cb1e1300638108059d7aa5aa0cc9b13e3d
  SHA256: 892f75a2a262656eee8922e42f539950fbf00d0f4f8e176d963a22af8c8d2049
  SHA512: 9fdb9a8b60d65559cb5acddc39cd471d2f80d7fac20dc16e835a040102d4a6404144b111f513914b76c25072cadb345a90667fe9fd101f2bbca40cf3e5fbccec

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs.js (second write)
  Filesize: 6KB
  MD5: 2eca16e96f0cafd540e3adec8e956d00
  SHA1: 53f0f698919fb3500708b3e51a16e9806a23fc08
  SHA256: 5249269cbdaf3bcfc67acfa5cb2140722401ac865624d583217fe026783d1360
  SHA512: 369dd14cc935462ce0919649015ae6f4e31d738b18541dd638467e4dff694ea74e67521b46cff544c8179cb8ae0892917a6a830a8d4f9bba8d6abd200a5cb26c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 0cd1a0e5bde36267f2579ef0c7457167
  SHA1: aeb9b50bcde39bcf983fa85f69aaf2078860c3fd
  SHA256: aad0b48527867b63266a011f0707d9fca82da54e78b28d181efcdc6531f4ff21
  SHA512: 1b30bfc201865c264b5ec33593a4375135bf6c631071d50f7678dfd2d435fb4a8de42021dafc67626b014f931c3849191fea6bc3a26afd71ebaf6331b248ff03

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 192KB
  MD5: 47291f5bffb17c1658b2811eee4df7be
  SHA1: e030537635d7c86eb9fe73d9c7fc05f5c4165545
  SHA256: 1385c163850263d9c6806b1defd58aa25e00b04a0faf83446c25ec92ac761f31
  SHA512: 7582a960472b794ae598be82cf65857cb51b389ac657c20e394d041db7a46a1eae761a2530090f67ec0e4d90edf84a7139593bc846731130b14b44a13b8d4c2b

- C:\Users\Admin\Downloads\XWorm.zJgeySBq.rar.part
  Filesize: 3.8MB
  MD5: 8845f7149b64a79343f12ee97b8d90ad
  SHA1: d48a4d2b00859e6e7e362e38a34190da60ff8550
  SHA256: 17c103b0cd832139aded6213496300760f83abc7922d3829d10f09d422b2b348
  SHA512: 132c47c287aad520e29c42debff6c2a847487323a57824e7b43f48fa5562d9b008c28b297fd3a260b108aebfd99246ed2fff5d38cc9fd52b3406a047aedd5bd9

- C:\Users\Admin\Downloads\XWorm\XWorm.exe
  Filesize: 456KB
  MD5: 515a0c8be21a5ba836e5687fc2d73333
  SHA1: c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
  SHA256: 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
  SHA512: 4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Memory dumps:
- memory/620-130-0x00000000020A0000-0x00000000020A7000-memory.dmp: 28KB
- memory/620-131-0x00000000022F0000-0x00000000026F0000-memory.dmp: 4.0MB
- memory/620-132-0x00000000022F0000-0x00000000026F0000-memory.dmp: 4.0MB
- memory/620-133-0x00000000022F0000-0x00000000026F0000-memory.dmp: 4.0MB
- memory/620-134-0x00000000022F0000-0x00000000026F0000-memory.dmp: 4.0MB
- memory/4128-139-0x0000000002410000-0x0000000002810000-memory.dmp: 4.0MB
- memory/4128-138-0x0000000002410000-0x0000000002810000-memory.dmp: 4.0MB
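The memory-dump names in the YARA hit list and in the listing above encode the PID, snapshot number and address range of each dumped region. The following added example (not part of the report) parses that naming scheme and turns the six family_rhadamanthys hits into the analyst's summary: which region of which process matched, how large it is, and over how many snapshots it kept matching. The input list is copied from the report's hits and the on-disk size from its XWorm.exe entry; the 1 MB and two-snapshot thresholds are assumptions chosen for this report.

```python
"""Parse the memory-dump resource names the sandbox report attaches to its YARA
hits (memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp) and summarise which
region of which process matched, how big it is and over how many snapshots.
Added example, not part of the report; the input list below is copied from the
report's family_rhadamanthys hits and the on-disk size from its Downloads entry."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Optional "<resource>/" prefix, as in "behavioral1/memory/...".
DUMP_NAME = re.compile(
    r"^(?:[\w-]+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the report (family_rhadamanthys rule, resource behavioral1).
RHADAMANTHYS_HITS = [
    "memory/620-131-0x00000000022F0000-0x00000000026F0000-memory.dmp",
    "memory/620-132-0x00000000022F0000-0x00000000026F0000-memory.dmp",
    "memory/620-133-0x00000000022F0000-0x00000000026F0000-memory.dmp",
    "memory/620-134-0x00000000022F0000-0x00000000026F0000-memory.dmp",
    "memory/4128-139-0x0000000002410000-0x0000000002810000-memory.dmp",
    "memory/4128-138-0x0000000002410000-0x0000000002810000-memory.dmp",
]
XWORM_EXE_SIZE = 456 * 1024  # 456KB on disk per the report's Downloads section


class Region(NamedTuple):
    pid: int
    index: int   # snapshot number in the report
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump resource name: {name!r}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def group_hits(names: List[str]) -> Dict[Tuple[int, int, int], List[int]]:
    """(pid, start, end) -> sorted snapshot indices in which that region matched."""
    grouped: Dict[Tuple[int, int, int], List[int]] = defaultdict(list)
    for name in names:
        r = parse_dump_name(name)
        grouped[(r.pid, r.start, r.end)].append(r.index)
    return {key: sorted(idxs) for key, idxs in grouped.items()}


def persistent_regions(names: List[str], min_size: int = 1 << 20,
                       min_snapshots: int = 2) -> List[dict]:
    """Regions of at least min_size bytes that matched in min_snapshots or more
    dumps. A large region that keeps matching across snapshots is a resident
    payload rather than a transient buffer; both thresholds are assumptions."""
    out = []
    for (pid, start, end), idxs in sorted(group_hits(names).items()):
        if end - start >= min_size and len(idxs) >= min_snapshots:
            out.append({"pid": pid, "start": start, "end": end,
                        "size": end - start, "snapshots": idxs})
    return out


def larger_than_file(region_size: int, file_size: int = XWORM_EXE_SIZE) -> bool:
    """True when the matched region is larger than the dropped file, i.e. it is
    not a one-to-one copy of the file's bytes."""
    return region_size > file_size


if __name__ == "__main__":
    for r in persistent_regions(RHADAMANTHYS_HITS):
        print(f"PID {r['pid']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"({r['size'] >> 20} MB), snapshots {r['snapshots']}, "
              f"larger than XWorm.exe on disk: {larger_than_file(r['size'])}")
```

For this report the summary is two regions, one per XWorm.exe process, each exactly 4 MB and each matched in every snapshot the sandbox took of it; the same parser applies unchanged to any other report that uses this dump naming.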