xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
349s
max time network
351s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 21:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/2092-1-0x00000000003B0000-0x00000000003C6000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3204 powershell.exe
4652 powershell.exe
4780 powershell.exe
1980 powershell.exe

resource	yara_rule
behavioral1/memory/2092-1-0x00000000003B0000-0x00000000003C6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 6 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

1680 svhost.exe
4856 svhost.exe
4908 svhost.exe
3596 svhost.exe
3224 svhost.exe
4320 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1680	svhost.exe
4856	svhost.exe
4908	svhost.exe
3596	svhost.exe
3224	svhost.exe
4320	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4408 schtasks.exe

pid	process
4408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2092	sv.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeSystemEnvironmentPrivilege	3204	powershell.exe
Token: SeRemoteShutdownPrivilege	3204	powershell.exe
Token: SeUndockPrivilege	3204	powershell.exe
Token: SeManageVolumePrivilege	3204	powershell.exe
Token: 33	3204	powershell.exe
Token: 34	3204	powershell.exe
Token: 35	3204	powershell.exe
Token: 36	3204	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	powershell.exe
Token: SeSecurityPrivilege	4652	powershell.exe
Token: SeTakeOwnershipPrivilege	4652	powershell.exe
Token: SeLoadDriverPrivilege	4652	powershell.exe
Token: SeSystemProfilePrivilege	4652	powershell.exe
Token: SeSystemtimePrivilege	4652	powershell.exe
Token: SeProfSingleProcessPrivilege	4652	powershell.exe
Token: SeIncBasePriorityPrivilege	4652	powershell.exe
Token: SeCreatePagefilePrivilege	4652	powershell.exe
Token: SeBackupPrivilege	4652	powershell.exe
Token: SeRestorePrivilege	4652	powershell.exe
Token: SeShutdownPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeSystemEnvironmentPrivilege	4652	powershell.exe
Token: SeRemoteShutdownPrivilege	4652	powershell.exe
Token: SeUndockPrivilege	4652	powershell.exe
Token: SeManageVolumePrivilege	4652	powershell.exe
Token: 33	4652	powershell.exe
Token: 34	4652	powershell.exe
Token: 35	4652	powershell.exe
Token: 36	4652	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeIncreaseQuotaPrivilege	4780	powershell.exe
Token: SeSecurityPrivilege	4780	powershell.exe
Token: SeTakeOwnershipPrivilege	4780	powershell.exe
Token: SeLoadDriverPrivilege	4780	powershell.exe
Token: SeSystemProfilePrivilege	4780	powershell.exe
Token: SeSystemtimePrivilege	4780	powershell.exe
Token: SeProfSingleProcessPrivilege	4780	powershell.exe
Token: SeIncBasePriorityPrivilege	4780	powershell.exe
Token: SeCreatePagefilePrivilege	4780	powershell.exe
Token: SeBackupPrivilege	4780	powershell.exe
Token: SeRestorePrivilege	4780	powershell.exe
Token: SeShutdownPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeSystemEnvironmentPrivilege	4780	powershell.exe
Token: SeRemoteShutdownPrivilege	4780	powershell.exe
Token: SeUndockPrivilege	4780	powershell.exe
Token: SeManageVolumePrivilege	4780	powershell.exe
Token: 33	4780	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sv.exe

pid process

2092 sv.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

420 LogonUI.exe

pid	process
2092	sv.exe

pid	process
420	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

sv.exe

description	pid	process	target process
PID 2092 wrote to memory of 3204	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 3204	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 4652	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 4652	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 4780	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 4780	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 1980	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 1980	2092	sv.exe	powershell.exe
PID 2092 wrote to memory of 4408	2092	sv.exe	schtasks.exe
PID 2092 wrote to memory of 4408	2092	sv.exe	schtasks.exe
PID 2092 wrote to memory of 1868	2092	sv.exe	shutdown.exe
PID 2092 wrote to memory of 1868	2092	sv.exe	shutdown.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
2⤵
PID:1868

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1680

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4856

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4908

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3596

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3224

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08d0bb9a5252cf722abd7421bdb6512b

SHA1
3e04afa4693b40652381d6682e7c07a0a9987f6b

SHA256
0035bc905e396505863387a9d5a8aab6f52181cb8002e34d2708329be8858d92

SHA512
853b31b4ff1f657ee3a0fba02bc43c5e65cede90f1787fae89a652a40952155117973ac1c1c644893a1e9673b3c435e84853aca107a68f52b0f374d3a43b19ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
69c8f802d5212894391066dabd7819ea

SHA1
a281c00d0f617cfbd56576368f10727f5d6bb484

SHA256
2787541da3c867c47920e96b293e03a59baefb50447481e11cd9de0a12496381

SHA512
5c57f04f1e49c6890b10dd429698f74326f217f66650288723b82c1454734e25290eca996ca2e893f3544f9f50424dff88811e58003039e7aa325fd26fb6cd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3df03b7292eeda72e97180e347b03cf3

SHA1
6dcf07eba6cbefa06b5ca7cc458e2e87d18fb750

SHA256
a3b2aa06d843fcb2399f1d529737e59b2beeb20519bd80035c2033dac646a52f

SHA512
1d458b231c87f3a70031284430a63553e2739e9bd406d8a04a4f9d9b19ab4f97b4e785b41e2e530321767e8d7f6c12c2299078335491dfb205669f749ab29cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmszxspb.1dq.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2092-195-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/2092-190-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-186-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-0-0x00007FFA77893000-0x00007FFA77894000-memory.dmp

Filesize
4KB

Download
memory/2092-199-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-1-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/3204-10-0x000001E8AB990000-0x000001E8ABA06000-memory.dmp

Filesize
472KB

Download
memory/3204-52-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-48-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-25-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-20-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-11-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-9-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-6-0x000001E8AB860000-0x000001E8AB882000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads