xworm | d6a078d829a27f232416f95de57fb4f5f222bbad10547716e6b385ee04cb7c8c

Analysis

max time kernel
4s
max time network
196s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pro.exe
Size

37KB
MD5

1518c4d4db87c26cefdc651c1cf8832f
SHA1

fc8a4926dc4550315e1acc893028434b88756fcc
SHA256

d6a078d829a27f232416f95de57fb4f5f222bbad10547716e6b385ee04cb7c8c
SHA512

1131964442e97234b3825e116d3780c497157b8215e8dcb35c3bcbfa5def4120f9b5b5cbbc41b9d07f13f71335406f258a7ca5c2ba8ce4ae62b73505ccc6a912
SSDEEP

768:N5gTXwbLsAheofRhSUHB9tLFyc9P7BO/h7Dy0X:N5gTgUAhH/HBF39P7BO/I0X

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

five-sequences.gl.at.ply.gg:47561

Mutex

To0ZWBcJVNwMHP6y

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1012-1-0x0000000000800000-0x0000000000810000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Drops startup file 1 IoCs

Processes:

pro.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk pro.exe

resource	yara_rule
behavioral1/memory/1012-1-0x0000000000800000-0x0000000000810000-memory.dmp	family_xworm

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk	pro.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pro.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows backup = "C:\\Users\\Admin\\Windows backup"	pro.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

892 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

992 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pro.exe

description pid process

Token: SeDebugPrivilege 1012 pro.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

pro.exe

description pid process target process

PID 1012 wrote to memory of 992 1012 pro.exe schtasks.exe
PID 1012 wrote to memory of 992 1012 pro.exe schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

flow	ioc
1	ip-api.com

pid	process
892	timeout.exe

pid	process
992	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1012	pro.exe

description	pid	process	target process
PID 1012 wrote to memory of 992	1012	pro.exe	schtasks.exe
PID 1012 wrote to memory of 992	1012	pro.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\pro.exe
"C:\Users\Admin\AppData\Local\Temp\pro.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows backup"
2⤵
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC822.tmp.bat""
2⤵
PID:1548

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC822.tmp.bat
Filesize
155B

MD5
5c110b33471ec7b04f9634e64f7ede7f

SHA1
7db5443c451fbc52901a36ea17e3a68dfe43b73e

SHA256
c4eeb98ac4de902094e6f2e9ae22f9886a0ab464814a41d4b495c14a189e8acb

SHA512
b2fb5d32fdd2f6e6c5c154611e72ea9500641b24c46042f0be5afb08bf0d9120b6147aa6585880fbca2c11b677263a87f15f187d81489766d7eb8cdf21a3e0af

Download Submit
memory/1012-0-0x00007FFB0A173000-0x00007FFB0A175000-memory.dmp

Filesize
8KB

Download
memory/1012-1-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/1012-2-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download
memory/1012-6-0x00007FFB0A173000-0x00007FFB0A175000-memory.dmp

Filesize
8KB

Download
memory/1012-7-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download
memory/1012-15-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download