xworm | d57a032d5be760d322088790f12ba491dc302387dba82143f7eaa26fe6d15b3c

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
Size

248KB
MD5

7b20c6c1ae8a7fb30666a20540ed992a
SHA1

c4c615789b1cd6afa7fb48a6916ca5e8de838eda
SHA256

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1
SHA512

c8f0ada254ed44e07fc1593e084b14644f80dd36c98a25cb8ff1a7674d27da6559c56e96db7abcfff1de4a2ef5e6333878a890dc361a031a85809f6b7be4d8a9
SSDEEP

6144:BV4/b1Gx1MVvUhcX7elbKTua9bfF/H9d9n:4JcEv3X3u+

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

156.225.129.202:7001

Attributes

Install_directory
%AppData%
install_file
crss.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2184-1-0x00000000001F0000-0x0000000000234000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\crss.exe	family_xworm
behavioral1/memory/2880-37-0x00000000001D0000-0x0000000000214000-memory.dmp	family_xworm
behavioral1/memory/448-40-0x0000000000AD0000-0x0000000000B14000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1516 powershell.exe
2652 powershell.exe
2576 powershell.exe
2416 powershell.exe

pid	process
1516	powershell.exe
2652	powershell.exe
2576	powershell.exe
2416	powershell.exe

Drops startup file 2 IoCs

Processes:

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

Executes dropped EXE 2 IoCs

Processes:

crss.execrss.exe

pid process

2880 crss.exe
448 crss.exe

pid	process
2880	crss.exe
448	crss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Users\\Admin\\AppData\\Roaming\\crss.exe"	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2820 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

pid process

2652 powershell.exe
2576 powershell.exe
2416 powershell.exe
1516 powershell.exe
2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

flow	ioc
4	ip-api.com

pid	process
2820	schtasks.exe

pid	process
2652	powershell.exe
2576	powershell.exe
2416	powershell.exe
1516	powershell.exe
2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exepowershell.exepowershell.exepowershell.exepowershell.execrss.execrss.exe

description	pid	process
Token: SeDebugPrivilege	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
Token: SeDebugPrivilege	2880	crss.exe
Token: SeDebugPrivilege	448	crss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

pid process

2184 0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

pid	process
2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exetaskeng.exe

description	pid	process	target process
PID 2184 wrote to memory of 2652	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2652	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2652	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2576	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2576	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2576	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2416	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2416	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2416	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 1516	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 1516	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 1516	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	powershell.exe
PID 2184 wrote to memory of 2820	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	schtasks.exe
PID 2184 wrote to memory of 2820	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	schtasks.exe
PID 2184 wrote to memory of 2820	2184	0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe	schtasks.exe
PID 2424 wrote to memory of 2880	2424	taskeng.exe	crss.exe
PID 2424 wrote to memory of 2880	2424	taskeng.exe	crss.exe
PID 2424 wrote to memory of 2880	2424	taskeng.exe	crss.exe
PID 2424 wrote to memory of 448	2424	taskeng.exe	crss.exe
PID 2424 wrote to memory of 448	2424	taskeng.exe	crss.exe
PID 2424 wrote to memory of 448	2424	taskeng.exe	crss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe
"C:\Users\Admin\AppData\Local\Temp\0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\taskeng.exe
taskeng.exe {98F656C1-5761-4410-90B5-EC4ACA683893} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
88d05de6d10c03402b0013eaf67aa767

SHA1
0d636d66d551e3a45351aa237d46d9d8d2f762cb

SHA256
bf2d9750f20e6351962b02f90dd2122d8a7b114e6726bce26c1a54aee0513b4d

SHA512
26130f446307717b5ccf596afd0beaa77eb49c74716f66795ff2c8c4df6bb313b92b9f7f07ae35ed095e642827cce2e19f62002357f38499f6ae00de42975b05

Download Submit
C:\Users\Admin\AppData\Roaming\crss.exe
Filesize
248KB

MD5
7b20c6c1ae8a7fb30666a20540ed992a

SHA1
c4c615789b1cd6afa7fb48a6916ca5e8de838eda

SHA256
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1

SHA512
c8f0ada254ed44e07fc1593e084b14644f80dd36c98a25cb8ff1a7674d27da6559c56e96db7abcfff1de4a2ef5e6333878a890dc361a031a85809f6b7be4d8a9

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/448-40-0x0000000000AD0000-0x0000000000B14000-memory.dmp

Filesize
272KB

Download
memory/2184-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2184-32-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2184-33-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-1-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/2576-15-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2576-16-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2652-7-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2652-8-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2652-9-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2880-37-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download