xworm | dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe
Size

83KB
MD5

2bebcc27d5c495d9b776162968f42b07
SHA1

bfa471133b6a8b74b35fa054e62871c6ce05f873
SHA256

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6
SHA512

f6223ebb6ef6b1a4ded6c742ace5d93ea18dece22ff1f18c69003594e0274edd4ff4998fbb6890bdc98b5e3ce5fc08b2ce9aced270017449122f2d7733bba1cc
SSDEEP

1536:d6Mq/zy7LGGIGms90ANGA1A4C7bEkmWgq6QJ9zfcO57tkBvXdV:4Mq7OvI2GAMA+b13gMvz0O57tkB1V

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

courses-disney.gl.at.ply.gg:21335

127.0.0.1:21335

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-1-0x0000000000A40000-0x0000000000A5C000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/1288-34-0x0000000001380000-0x000000000139C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-1-0x0000000000A40000-0x0000000000A5C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1288-34-0x0000000001380000-0x000000000139C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables using Telegram Chat Bot 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-1-0x0000000000A40000-0x0000000000A5C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
C:\Users\Admin\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/1288-34-0x0000000001380000-0x000000000139C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2684 powershell.exe
2732 powershell.exe
2468 powershell.exe
1936 powershell.exe

pid	process
2684	powershell.exe
2732	powershell.exe
2468	powershell.exe
1936	powershell.exe

Drops startup file 2 IoCs

Processes:

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1288 svchost.exe
2260 svchost.exe
2384 svchost.exe

pid	process
1288	svchost.exe
2260	svchost.exe
2384	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2572 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exedcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

pid process

2684 powershell.exe
2732 powershell.exe
2468 powershell.exe
1936 powershell.exe
1932 dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

flow	ioc
4	ip-api.com

pid	process
2572	schtasks.exe

pid	process
2684	powershell.exe
2732	powershell.exe
2468	powershell.exe
1936	powershell.exe
1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe
Token: SeDebugPrivilege	1288	svchost.exe
Token: SeDebugPrivilege	2260	svchost.exe
Token: SeDebugPrivilege	2384	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

pid process

1932 dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

pid	process
1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exetaskeng.exe

description	pid	process	target process
PID 1932 wrote to memory of 2684	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2684	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2684	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2732	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2732	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2732	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2468	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2468	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2468	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 1936	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 1936	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 1936	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	powershell.exe
PID 1932 wrote to memory of 2572	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	schtasks.exe
PID 1932 wrote to memory of 2572	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	schtasks.exe
PID 1932 wrote to memory of 2572	1932	dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe	schtasks.exe
PID 844 wrote to memory of 1288	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 1288	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 1288	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 2260	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 2260	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 2260	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 2384	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 2384	844	taskeng.exe	svchost.exe
PID 844 wrote to memory of 2384	844	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe
"C:\Users\Admin\AppData\Local\Temp\dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\taskeng.exe
taskeng.exe {D2B6230D-EAC6-42DD-BED9-6AD3821EFBAA} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
948fc212c4cdcb543676cc95190e4498

SHA1
6bc8bf1b9f91f9ef5411f458c40e3f00fd19c3f6

SHA256
8c9cdd0e306da4b53bdedb30c85732207706a960e496650a6b108fe924344b9d

SHA512
a73fc24a666890a7d1db5ec532ba9ed91a072de412fa89b2cf8dae7922aaceae4832a6ba8571c90c679f2d032be30ea3839f9d2117ff83036c236a51b8ceeb8a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
83KB

MD5
2bebcc27d5c495d9b776162968f42b07

SHA1
bfa471133b6a8b74b35fa054e62871c6ce05f873

SHA256
dcf95d14fbf8ed9cef6cf7be3e71a753d5334c1be5deaba771d8354f5bd0f5e6

SHA512
f6223ebb6ef6b1a4ded6c742ace5d93ea18dece22ff1f18c69003594e0274edd4ff4998fbb6890bdc98b5e3ce5fc08b2ce9aced270017449122f2d7733bba1cc

Download Submit
memory/1288-34-0x0000000001380000-0x000000000139C000-memory.dmp

Filesize
112KB

Download
memory/1932-2-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-1-0x0000000000A40000-0x0000000000A5C000-memory.dmp

Filesize
112KB

Download
memory/1932-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/1932-35-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/1932-36-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-7-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2684-8-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2684-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2732-15-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2732-16-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download