xworm | 77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f

Resubmissions

30-06-2024 19:02

240630-xqax3swdnr 10

30-06-2024 18:53

240630-xjrx1swcnk 10

Analysis

max time kernel
32s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger Hybrid V4.exe
Size

126KB
MD5

6d103c685ef0960fab6eca5bf4617583
SHA1

ea11a8ba30f54015d71ed646fbd14b8800fc2e3f
SHA256

77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f
SHA512

2429d67cf73056d496ff4cff2b8a72e2bc643201616b969464543580bd027366e13c51fda4161e319af122fa22c088c1ec737e87e8528e09b4e450d84755732d
SSDEEP

3072:RMSncRzAOLeCyRuZA3A+bZ5FFOOszPAv:ySncRl3Zebv

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
dllhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE family_xworm
behavioral2/memory/980-22-0x0000000000A60000-0x0000000000A76000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4088 powershell.exe
928 powershell.exe
4244 powershell.exe
5060 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

S.EXETESTEE.EXEdllhost.exe

pid process

3816 S.EXE
980 TESTEE.EXE
3692 dllhost.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE	family_xworm
behavioral2/memory/980-22-0x0000000000A60000-0x0000000000A76000-memory.dmp	family_xworm

pid	process
4088	powershell.exe
928	powershell.exe
4244	powershell.exe
5060	powershell.exe

pid	process
3816	S.EXE
980	TESTEE.EXE
3692	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TESTEE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe"	TESTEE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2116 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeTESTEE.EXE

pid process

5060 powershell.exe
5060 powershell.exe
4088 powershell.exe
4088 powershell.exe
928 powershell.exe
928 powershell.exe
4244 powershell.exe
4244 powershell.exe
980 TESTEE.EXE

pid	process
2116	schtasks.exe

pid	process
5060	powershell.exe
5060	powershell.exe
4088	powershell.exe
4088	powershell.exe
928	powershell.exe
928	powershell.exe
4244	powershell.exe
4244	powershell.exe
980	TESTEE.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

TESTEE.EXEpowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	980	TESTEE.EXE
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3692	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TESTEE.EXE

pid process

980 TESTEE.EXE

pid	process
980	TESTEE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Image Logger Hybrid V4.exeS.EXETESTEE.EXE

description	pid	process	target process
PID 5064 wrote to memory of 3816	5064	Image Logger Hybrid V4.exe	S.EXE
PID 5064 wrote to memory of 3816	5064	Image Logger Hybrid V4.exe	S.EXE
PID 5064 wrote to memory of 980	5064	Image Logger Hybrid V4.exe	TESTEE.EXE
PID 5064 wrote to memory of 980	5064	Image Logger Hybrid V4.exe	TESTEE.EXE
PID 3816 wrote to memory of 4336	3816	S.EXE	cmd.exe
PID 3816 wrote to memory of 4336	3816	S.EXE	cmd.exe
PID 980 wrote to memory of 5060	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 5060	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 4088	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 4088	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 928	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 928	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 4244	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 4244	980	TESTEE.EXE	powershell.exe
PID 980 wrote to memory of 2116	980	TESTEE.EXE	schtasks.exe
PID 980 wrote to memory of 2116	980	TESTEE.EXE	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\S.EXE
"C:\Users\Admin\AppData\Local\Temp\S.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMm41yoJ.bat" "
3⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
"C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TESTEE.EXE'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Roaming\dllhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Users\Admin\AppData\Roaming\dllhost.exe
C:\Users\Admin\AppData\Roaming\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d25824885a04d4e312ef2a5259828e5b

SHA1
9befaa1be8b82ab0adbf95bea0e211f3bed56d61

SHA256
9bafaf42de818939e444144a6f0e231a21c3fb881d32d718ffcd658bc0efb9ca

SHA512
729cebf87417b7848ef627e70bb51399f463c468e32468d861d219077050833e95330af63307c0cc2ec22936d93ef994bc12db842b636fc6a80d967459c2f631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.EXE
Filesize
7KB

MD5
b8d58060de9ef19140c2801ea6c979bf

SHA1
f98094ff9101b483e7a0d2826884a351c734fa9b

SHA256
38d7a6d3e1fee555dd526ade1d5efaf18d62bb35dbcea1505f47fd6346b432a8

SHA512
3eec6801ce54fc2541374a6f97956186d17e841a35f039fce59d7b0143f31d9fe8efe33e89fd676311b79baf75b5fae04f785d493206b75e424ba8d4e56adc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
Filesize
66KB

MD5
04b8f12a041a2812f433aaf8f0a897e7

SHA1
b0680cf948c750266c565d21a100e8127d8bae40

SHA256
94fc19b165838e67bb83583d20b11d5acc7af865aa8a1c73691addd86975ac15

SHA512
018e3e534249abaa1d7da77566a3f1742e047a074ee07ae9a6cfcfa32d68f2b1bfb853360928cc9d2b28299d41803f7841aa5b5ef6431310b0b8b3ce0adf608e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkwt5yic.q05.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMm41yoJ.bat
Filesize
2KB

MD5
f588fb26f7bb8500fe4235446e808d1d

SHA1
0d0029a41f068d8b2ace763b57a1a7cdca6ea86b

SHA256
70b6546689c6e17ce3da85e5d52f0b053fdc18579559f3477d3362e2cdaff41e

SHA512
fc84adc7447cb36b43aa9c90f395126622044c83321bc2c2c6791f8f4f6099b43137e5668f2eff5c1d9edec0f5af5ae2e7b22d64dc2307404c27291349822a1e

Download Submit
memory/980-22-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/980-21-0x00007FFA49493000-0x00007FFA49495000-memory.dmp

Filesize
8KB

Download
memory/980-74-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

Filesize
10.8MB

Download
memory/980-79-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

Filesize
10.8MB

Download
memory/3816-27-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

Filesize
10.8MB

Download
memory/3816-24-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/3816-78-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

Filesize
10.8MB

Download
memory/5060-32-0x000001E63BBC0000-0x000001E63BBE2000-memory.dmp

Filesize
136KB

Download