Analysis
- max time kernel: 16s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 09:26
Static task: static1
Behavioral task: behavioral1
- Sample: XWormLoader5.2.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: XWormLoader5.2.exe
- Resource: win10v2004-20240508-en
General
- Target: XWormLoader5.2.exe
- Size: 328KB
- MD5: 7b421f9a8cbcf57135dfaaa03e138f83
- SHA1: f7f9eaa8ac991cfba88cea00fa273e2b173ed785
- SHA256: 8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653
- SHA512: 6903cae013bd87bb6416ecc2db6e1c7462354a4387da50e48665fa20f68bb918d786d9a22690cfdaf6fb987a3539dfafb7daeb5da130b3cf4fa304dad10d3143
- SSDEEP: 6144:zE+IZP9d8mZrz+QftDS8lHAAJq0Q7u8mZrz+Q/zqm:1IZPH80n+QFDS8lgUbQq80n+Q/
Malware Config
Extracted (family: xworm)
- C2: promptylol-44968.portmap.io:44968
- Install_directory: %LocalAppData%
- install_file: dllhost.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\XWormLoader.exe / family_xworm
- behavioral1/memory/2640-13-0x0000000000B40000-0x0000000000B68000-memory.dmp / family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid / process):
- 1656 / powershell.exe
- 2824 / powershell.exe
- 940 / powershell.exe
- 2444 / powershell.exe

Drops startup file (2 IoCs)
Processes (description / ioc / process):
- File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk / XWormLoader.exe
- File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk / XWormLoader.exe

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 2388 / XWormLoader 5.2 x64.exe
- 2640 / XWormLoader.exe

Loads dropped DLL (6 IoCs)
Processes (pid / process):
- 2200 / XWormLoader5.2.exe
- 2600 / WerFault.exe (5 entries)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\dllhost.exe" / XWormLoader.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 4 / ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process):
- 2444 / powershell.exe
- 1656 / powershell.exe
- 2824 / powershell.exe
- 940 / powershell.exe
- 2640 / XWormLoader.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2640 / XWormLoader.exe
- Token: SeDebugPrivilege / 2444 / powershell.exe
- Token: SeDebugPrivilege / 1656 / powershell.exe
- Token: SeDebugPrivilege / 2824 / powershell.exe
- Token: SeDebugPrivilege / 940 / powershell.exe
- Token: SeDebugPrivilege / 2640 / XWormLoader.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
- 2640 / XWormLoader.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description / pid / process / target process):
- PID 2200 wrote to memory of 2388 / 2200 / XWormLoader5.2.exe / XWormLoader 5.2 x64.exe (3 entries)
- PID 2200 wrote to memory of 2640 / 2200 / XWormLoader5.2.exe / XWormLoader.exe (3 entries)
- PID 2388 wrote to memory of 2600 / 2388 / XWormLoader 5.2 x64.exe / WerFault.exe (3 entries)
- PID 2640 wrote to memory of 2444 / 2640 / XWormLoader.exe / powershell.exe (3 entries)
- PID 2640 wrote to memory of 1656 / 2640 / XWormLoader.exe / powershell.exe (3 entries)
- PID 2640 wrote to memory of 2824 / 2640 / XWormLoader.exe / powershell.exe (3 entries)
- PID 2640 wrote to memory of 940 / 2640 / XWormLoader.exe / powershell.exe (3 entries)
- PID 2640 wrote to memory of 2800 / 2640 / XWormLoader.exe / schtasks.exe (3 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\XWormLoader5.2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWormLoader5.2.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\XWormLoader 5.2 x64.exe
    Command line: "C:\Users\Admin\AppData\Local\XWormLoader 5.2 x64.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2388 -s 540
      Signatures:
      - Loads dropped DLL

  - C:\Users\Admin\AppData\Local\XWormLoader.exe
    Command line: "C:\Users\Admin\AppData\Local\XWormLoader.exe"
    Signatures:
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XWormLoader.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
      Signatures:
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

- C:\Users\Admin\AppData\Local\XWormLoader.exe
  Filesize: 140KB
  MD5: 13cc0069bf3c3b6167fe5254580c8714
  SHA1: 93edf81e9b6305a24b1c026978a6ef0af2bbc858
  SHA256: 4bac6c8269e3b746c8ab03c5327292ab0a6aa85ca080818521339ad4671ab2a4
  SHA512: c285f1d6ecbdab5676805f49acec48be4b860296bae5ed44aca7c70384e08d7e0d4039210b341c2e9e65000f4e278461d22e6b4b964321350083e737d766c60e

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: adfd176ca8e76e61ea69928b8edb2f4d
  SHA1: 4e12d8ec78c99468a192f28f1d0775692f52299e
  SHA256: cddc7e49de621c5234a7cc3ce8696a504f30a8765378c0524ba56bb59f0c1028
  SHA512: e777e7728b6e6a7dc242cccac941862a81cd02b28b443ba0a7dd39ca3fcf2366b11160eccf9ea067b40a4135fe1e5643bb63132a4a211a069ca89075215f3f91

- \Users\Admin\AppData\Local\XWormLoader 5.2 x64.exe
  Filesize: 109KB
  MD5: e6a20535b636d6402164a8e2d871ef6d
  SHA1: 981cb1fd9361ca58f8985104e00132d1836a8736
  SHA256: b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2
  SHA512: 35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

- memory/1656-31-0x000000001B660000-0x000000001B942000-memory.dmp
  Filesize: 2.9MB

- memory/1656-32-0x0000000002240000-0x0000000002248000-memory.dmp
  Filesize: 32KB

- memory/2200-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp
  Filesize: 4KB

- memory/2200-1-0x0000000000270000-0x00000000002C8000-memory.dmp
  Filesize: 352KB

- memory/2388-14-0x0000000001180000-0x00000000011A0000-memory.dmp
  Filesize: 128KB

- memory/2444-24-0x000000001B510000-0x000000001B7F2000-memory.dmp
  Filesize: 2.9MB

- memory/2444-25-0x00000000028E0000-0x00000000028E8000-memory.dmp
  Filesize: 32KB

- memory/2640-13-0x0000000000B40000-0x0000000000B68000-memory.dmp
  Filesize: 160KB