xworm | 6fbe3dbb5f3224e36ef2017a3d6df98b134aca7f3cdade044e5ba0cb152c3428

Analysis

max time kernel
240s
max time network
240s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Packages.exe
Size

68KB
MD5

9415d4c4cfa3920ceda0b1318dbb15c6
SHA1

99e81931f1e2d42eb3cecb5745fc4cde99f983e2
SHA256

6fbe3dbb5f3224e36ef2017a3d6df98b134aca7f3cdade044e5ba0cb152c3428
SHA512

af2011920b67cb1a0fc5dc30e93e7c1fc401c2769b41a9654b96bcfab2860221ce17a0d47fa2ab28bb504a9a802bb7736c89d9191e8f1e483186d4006cb46adc
SSDEEP

1536:YAhnty455oY4jw9PrMIMpGbOAhxw/l69dOFi/:YAB0e534M9TMIEGbOitdOFi/

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Ironthing-22901.portmap.host:22901

193.161.193.99:22901

Attributes

Install_directory
%AppData%
install_file
Packages.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/2840-1-0x0000000000B10000-0x0000000000B28000-memory.dmp family_xworm
C:\Users\Admin\AppData\Roaming\Packages.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2156 powershell.exe
3352 powershell.exe
4184 powershell.exe
5032 powershell.exe

resource	yara_rule
behavioral1/memory/2840-1-0x0000000000B10000-0x0000000000B28000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Packages.exe	family_xworm

Drops startup file 2 IoCs

Processes:

Packages.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Packages.lnk	Packages.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Packages.lnk	Packages.exe

Executes dropped EXE 3 IoCs

Processes:

Packages.exePackages.exePackages.exe

pid process

2280 Packages.exe
536 Packages.exe
2732 Packages.exe

pid	process
2280	Packages.exe
536	Packages.exe
2732	Packages.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Packages.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Packages = "C:\\Users\\Admin\\AppData\\Roaming\\Packages.exe"	Packages.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1792 schtasks.exe

flow	ioc
7	ip-api.com

pid	process
1792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
5032	powershell.exe
5032	powershell.exe
5032	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Packages.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2840	Packages.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeIncreaseQuotaPrivilege	2156	powershell.exe
Token: SeSecurityPrivilege	2156	powershell.exe
Token: SeTakeOwnershipPrivilege	2156	powershell.exe
Token: SeLoadDriverPrivilege	2156	powershell.exe
Token: SeSystemProfilePrivilege	2156	powershell.exe
Token: SeSystemtimePrivilege	2156	powershell.exe
Token: SeProfSingleProcessPrivilege	2156	powershell.exe
Token: SeIncBasePriorityPrivilege	2156	powershell.exe
Token: SeCreatePagefilePrivilege	2156	powershell.exe
Token: SeBackupPrivilege	2156	powershell.exe
Token: SeRestorePrivilege	2156	powershell.exe
Token: SeShutdownPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeSystemEnvironmentPrivilege	2156	powershell.exe
Token: SeRemoteShutdownPrivilege	2156	powershell.exe
Token: SeUndockPrivilege	2156	powershell.exe
Token: SeManageVolumePrivilege	2156	powershell.exe
Token: 33	2156	powershell.exe
Token: 34	2156	powershell.exe
Token: 35	2156	powershell.exe
Token: 36	2156	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeIncreaseQuotaPrivilege	3352	powershell.exe
Token: SeSecurityPrivilege	3352	powershell.exe
Token: SeTakeOwnershipPrivilege	3352	powershell.exe
Token: SeLoadDriverPrivilege	3352	powershell.exe
Token: SeSystemProfilePrivilege	3352	powershell.exe
Token: SeSystemtimePrivilege	3352	powershell.exe
Token: SeProfSingleProcessPrivilege	3352	powershell.exe
Token: SeIncBasePriorityPrivilege	3352	powershell.exe
Token: SeCreatePagefilePrivilege	3352	powershell.exe
Token: SeBackupPrivilege	3352	powershell.exe
Token: SeRestorePrivilege	3352	powershell.exe
Token: SeShutdownPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeSystemEnvironmentPrivilege	3352	powershell.exe
Token: SeRemoteShutdownPrivilege	3352	powershell.exe
Token: SeUndockPrivilege	3352	powershell.exe
Token: SeManageVolumePrivilege	3352	powershell.exe
Token: 33	3352	powershell.exe
Token: 34	3352	powershell.exe
Token: 35	3352	powershell.exe
Token: 36	3352	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeIncreaseQuotaPrivilege	4184	powershell.exe
Token: SeSecurityPrivilege	4184	powershell.exe
Token: SeTakeOwnershipPrivilege	4184	powershell.exe
Token: SeLoadDriverPrivilege	4184	powershell.exe
Token: SeSystemProfilePrivilege	4184	powershell.exe
Token: SeSystemtimePrivilege	4184	powershell.exe
Token: SeProfSingleProcessPrivilege	4184	powershell.exe
Token: SeIncBasePriorityPrivilege	4184	powershell.exe
Token: SeCreatePagefilePrivilege	4184	powershell.exe
Token: SeBackupPrivilege	4184	powershell.exe
Token: SeRestorePrivilege	4184	powershell.exe
Token: SeShutdownPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeSystemEnvironmentPrivilege	4184	powershell.exe
Token: SeRemoteShutdownPrivilege	4184	powershell.exe
Token: SeUndockPrivilege	4184	powershell.exe
Token: SeManageVolumePrivilege	4184	powershell.exe
Token: 33	4184	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Packages.exe

description	pid	process	target process
PID 2840 wrote to memory of 2156	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 2156	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 3352	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 3352	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 4184	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 4184	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 5032	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 5032	2840	Packages.exe	powershell.exe
PID 2840 wrote to memory of 1792	2840	Packages.exe	schtasks.exe
PID 2840 wrote to memory of 1792	2840	Packages.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Packages.exe
"C:\Users\Admin\AppData\Local\Temp\Packages.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Packages.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packages.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Packages.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packages.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Packages" /tr "C:\Users\Admin\AppData\Roaming\Packages.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Users\Admin\AppData\Roaming\Packages.exe
C:\Users\Admin\AppData\Roaming\Packages.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\AppData\Roaming\Packages.exe
C:\Users\Admin\AppData\Roaming\Packages.exe
1⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\AppData\Roaming\Packages.exe
C:\Users\Admin\AppData\Roaming\Packages.exe
1⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Packages.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d537d3a46601caceaf81b5de0e917469

SHA1
68a119c88ce5c79db93d39144f4f2e33d078ef40

SHA256
6ead98b2bb9b60f3ceda1750f7bf510ba53202ab4e05c66c3b74dd335b5a364c

SHA512
8a69410af11c72cbd11a46c198fe6f256087caea82aa39ce06f00e6573c073e293682018c9aab73f7d12da770fd044df14955742b26f2a8ab484af4eb069595f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a25da9867df891ebac640f58c43ac0c4

SHA1
950862d974bf947a78689425e20af4e38e0ba085

SHA256
7fdd9586663fd2ec6295bf5a8f21804547808deea0e70780fd9221c0adc16c95

SHA512
94cbd1c14aa2315def23be2af1bc08cf3fe5f99bd01e449a0d302e767d1c9cb1d0eed53bc32cb5e2464cb0d80a186f891e0df941a6a9510965b3f4b3ce378bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e5494bf7d4a99a086919f0778db84d92

SHA1
c6dddccbd49e38bae93673d89afec73a80b27c9c

SHA256
3098a832825599d648dd83b944844318aa42f992778d11aaf256d75338c1d921

SHA512
da4e9111532a6caba8fe5537303ce5524ad58ce8b255b5b505b9cc7bc090d73f7b2b71a36570ae29ba4618a2667de81ea0b2c39efdad6492e1f37b90f9710133

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3vbmy5p.2pn.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Packages.exe
Filesize
68KB

MD5
9415d4c4cfa3920ceda0b1318dbb15c6

SHA1
99e81931f1e2d42eb3cecb5745fc4cde99f983e2

SHA256
6fbe3dbb5f3224e36ef2017a3d6df98b134aca7f3cdade044e5ba0cb152c3428

SHA512
af2011920b67cb1a0fc5dc30e93e7c1fc401c2769b41a9654b96bcfab2860221ce17a0d47fa2ab28bb504a9a802bb7736c89d9191e8f1e483186d4006cb46adc

Download Submit
memory/2156-10-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-13-0x0000025C54810000-0x0000025C54886000-memory.dmp

Filesize
472KB

Download
memory/2156-51-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-9-0x0000025C3C150000-0x0000025C3C172000-memory.dmp

Filesize
136KB

Download
memory/2156-8-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-7-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-0-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

Filesize
4KB

Download
memory/2840-2-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-186-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

Filesize
4KB

Download
memory/2840-187-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-1-0x0000000000B10000-0x0000000000B28000-memory.dmp

Filesize
96KB

Download