xworm | 8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWormLoader5.2.exe
Size

328KB
MD5

7b421f9a8cbcf57135dfaaa03e138f83
SHA1

f7f9eaa8ac991cfba88cea00fa273e2b173ed785
SHA256

8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653
SHA512

6903cae013bd87bb6416ecc2db6e1c7462354a4387da50e48665fa20f68bb918d786d9a22690cfdaf6fb987a3539dfafb7daeb5da130b3cf4fa304dad10d3143
SSDEEP

6144:zE+IZP9d8mZrz+QftDS8lHAAJq0Q7u8mZrz+Q/zqm:1IZPH80n+QFDS8lgUbQq80n+Q/

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

promptylol-44968.portmap.io:44968

Attributes

Install_directory
%LocalAppData%
install_file
dllhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\XWormLoader.exe family_xworm
behavioral1/memory/2640-13-0x0000000000B40000-0x0000000000B68000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1656 powershell.exe
2824 powershell.exe
940 powershell.exe
2444 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\XWormLoader.exe	family_xworm
behavioral1/memory/2640-13-0x0000000000B40000-0x0000000000B68000-memory.dmp	family_xworm

pid	process
1656	powershell.exe
2824	powershell.exe
940	powershell.exe
2444	powershell.exe

Drops startup file 2 IoCs

Processes:

XWormLoader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	XWormLoader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	XWormLoader.exe

Executes dropped EXE 2 IoCs

Processes:

XWormLoader 5.2 x64.exeXWormLoader.exe

pid process

2388 XWormLoader 5.2 x64.exe
2640 XWormLoader.exe
Loads dropped DLL 6 IoCs

Processes:

XWormLoader5.2.exeWerFault.exe

pid process

2200 XWormLoader5.2.exe
2600 WerFault.exe
2600 WerFault.exe
2600 WerFault.exe
2600 WerFault.exe
2600 WerFault.exe

pid	process
2388	XWormLoader 5.2 x64.exe
2640	XWormLoader.exe

pid	process
2200	XWormLoader5.2.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XWormLoader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\dllhost.exe"	XWormLoader.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXWormLoader.exe

pid process

2444 powershell.exe
1656 powershell.exe
2824 powershell.exe
940 powershell.exe
2640 XWormLoader.exe

flow	ioc
4	ip-api.com

pid	process
2800	schtasks.exe

pid	process
2444	powershell.exe
1656	powershell.exe
2824	powershell.exe
940	powershell.exe
2640	XWormLoader.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XWormLoader.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2640	XWormLoader.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2640	XWormLoader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XWormLoader.exe

pid process

2640 XWormLoader.exe

pid	process
2640	XWormLoader.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

XWormLoader5.2.exeXWormLoader 5.2 x64.exeXWormLoader.exe

description	pid	process	target process
PID 2200 wrote to memory of 2388	2200	XWormLoader5.2.exe	XWormLoader 5.2 x64.exe
PID 2200 wrote to memory of 2388	2200	XWormLoader5.2.exe	XWormLoader 5.2 x64.exe
PID 2200 wrote to memory of 2388	2200	XWormLoader5.2.exe	XWormLoader 5.2 x64.exe
PID 2200 wrote to memory of 2640	2200	XWormLoader5.2.exe	XWormLoader.exe
PID 2200 wrote to memory of 2640	2200	XWormLoader5.2.exe	XWormLoader.exe
PID 2200 wrote to memory of 2640	2200	XWormLoader5.2.exe	XWormLoader.exe
PID 2388 wrote to memory of 2600	2388	XWormLoader 5.2 x64.exe	WerFault.exe
PID 2388 wrote to memory of 2600	2388	XWormLoader 5.2 x64.exe	WerFault.exe
PID 2388 wrote to memory of 2600	2388	XWormLoader 5.2 x64.exe	WerFault.exe
PID 2640 wrote to memory of 2444	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 2444	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 2444	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 1656	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 1656	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 1656	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 2824	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 2824	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 2824	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 940	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 940	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 940	2640	XWormLoader.exe	powershell.exe
PID 2640 wrote to memory of 2800	2640	XWormLoader.exe	schtasks.exe
PID 2640 wrote to memory of 2800	2640	XWormLoader.exe	schtasks.exe
PID 2640 wrote to memory of 2800	2640	XWormLoader.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWormLoader5.2.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader5.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\XWormLoader 5.2 x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2388 -s 540
3⤵
- Loads dropped DLL
PID:2600

C:\Users\Admin\AppData\Local\XWormLoader.exe
"C:\Users\Admin\AppData\Local\XWormLoader.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XWormLoader.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\XWormLoader.exe
Filesize
140KB

MD5
13cc0069bf3c3b6167fe5254580c8714

SHA1
93edf81e9b6305a24b1c026978a6ef0af2bbc858

SHA256
4bac6c8269e3b746c8ab03c5327292ab0a6aa85ca080818521339ad4671ab2a4

SHA512
c285f1d6ecbdab5676805f49acec48be4b860296bae5ed44aca7c70384e08d7e0d4039210b341c2e9e65000f4e278461d22e6b4b964321350083e737d766c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
adfd176ca8e76e61ea69928b8edb2f4d

SHA1
4e12d8ec78c99468a192f28f1d0775692f52299e

SHA256
cddc7e49de621c5234a7cc3ce8696a504f30a8765378c0524ba56bb59f0c1028

SHA512
e777e7728b6e6a7dc242cccac941862a81cd02b28b443ba0a7dd39ca3fcf2366b11160eccf9ea067b40a4135fe1e5643bb63132a4a211a069ca89075215f3f91

Download Submit
\Users\Admin\AppData\Local\XWormLoader 5.2 x64.exe
Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
memory/1656-31-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1656-32-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2200-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x0000000000270000-0x00000000002C8000-memory.dmp

Filesize
352KB

Download
memory/2388-14-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/2444-24-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2444-25-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2640-13-0x0000000000B40000-0x0000000000B68000-memory.dmp

Filesize
160KB

Download