xworm | 2ed8aebbe1157d9b321637bf6c8b841d70b903b26109ff412ab35d9b558f0cdb

Analysis

max time kernel
138s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Size

251KB
MD5

1fee5ce12cd61659dd46575a2e378361
SHA1

91722b8dcf5318c379e5ae96692928b22b055969
SHA256

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce
SHA512

9e46fe97922c9c24c9ceb31201bb703ba47b73248c413633c097ec8b44ee026fb4ce2569a3f7578f753b3d8cd7f6ed5aa425bb308b49b7e0062a685468d38638
SSDEEP

3072:vfWp/2bS2/YnEtOryoW8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NzLnK:dbn/YnWUhcX7elbKTua9bfF/H9d9n

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

156.225.129.202:7005

Attributes

Install_directory
%AppData%
install_file
crss.exe

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2344-1-0x0000000001320000-0x0000000001364000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\crss.exe	family_xworm
behavioral1/memory/1320-36-0x0000000000C20000-0x0000000000C64000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2588 powershell.exe
2156 powershell.exe
2676 powershell.exe
1240 powershell.exe

pid	process
2588	powershell.exe
2156	powershell.exe
2676	powershell.exe
1240	powershell.exe

Drops startup file 2 IoCs

Processes:

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Executes dropped EXE 2 IoCs

Processes:

crss.execrss.exe

pid process

1320 crss.exe
412 crss.exe

pid	process
1320	crss.exe
412	crss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Users\\Admin\\AppData\\Roaming\\crss.exe"	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2852 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

pid process

2588 powershell.exe
2156 powershell.exe
2676 powershell.exe
1240 powershell.exe
2344 ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

flow	ioc
4	ip-api.com

pid	process
2852	schtasks.exe

pid	process
2588	powershell.exe
2156	powershell.exe
2676	powershell.exe
1240	powershell.exe
2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exepowershell.exepowershell.exepowershell.exepowershell.execrss.execrss.exe

description	pid	process
Token: SeDebugPrivilege	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
Token: SeDebugPrivilege	1320	crss.exe
Token: SeDebugPrivilege	412	crss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

pid process

2344 ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

pid	process
2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exetaskeng.exe

description	pid	process	target process
PID 2344 wrote to memory of 2588	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2588	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2588	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2156	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2156	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2156	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2676	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2676	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2676	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 1240	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 1240	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 1240	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	powershell.exe
PID 2344 wrote to memory of 2852	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	schtasks.exe
PID 2344 wrote to memory of 2852	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	schtasks.exe
PID 2344 wrote to memory of 2852	2344	ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe	schtasks.exe
PID 860 wrote to memory of 1320	860	taskeng.exe	crss.exe
PID 860 wrote to memory of 1320	860	taskeng.exe	crss.exe
PID 860 wrote to memory of 1320	860	taskeng.exe	crss.exe
PID 860 wrote to memory of 412	860	taskeng.exe	crss.exe
PID 860 wrote to memory of 412	860	taskeng.exe	crss.exe
PID 860 wrote to memory of 412	860	taskeng.exe	crss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe
"C:\Users\Admin\AppData\Local\Temp\ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\taskeng.exe
taskeng.exe {E9902D0E-CE6A-49E5-8202-E0170F5394A5} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d40d737fdd1b63b1fc7a1f7fdb74ce6c

SHA1
a45a2d53941a658e16d05ddf567f272aabf29c6c

SHA256
35525941698c0c2ab0c2a72f651cbc826f50b6d00b49163481900e8c7ebd3a22

SHA512
551d9e049d744f484bb856884e629155616e63adaff6dec7c6851ddde5c96adbb7ec8c362eea6c9f7f10213cefee8ff71e44492d36d93baf372ffd6aec81396e

Download Submit
C:\Users\Admin\AppData\Roaming\crss.exe
Filesize
251KB

MD5
1fee5ce12cd61659dd46575a2e378361

SHA1
91722b8dcf5318c379e5ae96692928b22b055969

SHA256
ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce

SHA512
9e46fe97922c9c24c9ceb31201bb703ba47b73248c413633c097ec8b44ee026fb4ce2569a3f7578f753b3d8cd7f6ed5aa425bb308b49b7e0062a685468d38638

Download Submit
memory/1320-36-0x0000000000C20000-0x0000000000C64000-memory.dmp

Filesize
272KB

Download
memory/2156-16-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2156-15-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2344-31-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2344-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2344-32-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-1-0x0000000001320000-0x0000000001364000-memory.dmp

Filesize
272KB

Download
memory/2588-9-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2588-8-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2588-7-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download