xworm | 404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8

Analysis

max time kernel
9s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22Executor.exe
Size

14.3MB
MD5

2f6ccdc5a983127eb4619c0131b22f74
SHA1

ea606124c913238a1cd06ed46cf297467634745a
SHA256

404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8
SHA512

97ebbd6814cc8451ed14f573bcf9d81f025e2a127df71f6632eece8886952edda5ed075a48f88e859a044c6070bfd64035922ff171689df8b3f6428813d1c9a1
SSDEEP

1536:efT1xxuiGO+oS2tXFlGXyjXnq7CkHOHmvkKUUgFv2qsFjAk1CortszhXXIX8xe2X:G2HoZXFlAyjrkHOHRFsFcGtsz1ef29d

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

tr3.localto.net:44953

Attributes

Install_directory
%ProgramData%
install_file
svchhost.exe
telegram
https://api.telegram.org/bot6919369290:AAGnnKr1Yo67mV9jYUriuVi-XAno2tdvbq0/sendMessage?chat_id=6340808873

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2544-46-0x0000000000E30000-0x0000000000E4C000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4384 powershell.exe
4288 powershell.exe
2400 powershell.exe
432 powershell.exe
3356 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1616 3372 WerFault.exe 22.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4840 schtasks.exe

pid	process
4384	powershell.exe
4288	powershell.exe
2400	powershell.exe
432	powershell.exe
3356	powershell.exe

flow	ioc
20	ip-api.com

pid	pid_target	process	target process
1616	3372	WerFault.exe	22.exe

pid	process
4840	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\22Executor.exe
"C:\Users\Admin\AppData\Local\Temp\22Executor.exe"
1⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\22.exe
"C:\Users\Admin\AppData\Local\Temp\22.exe"
2⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1048
3⤵
- Program crash
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3356

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe"
2⤵
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22Exe.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:432

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchhost" /tr "C:\ProgramData\svchhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3372 -ip 3372
1⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe
Filesize
53KB

MD5
26f0ceb6deadcade5fc0f8c407039d85

SHA1
40c28e32bcb62ed98d91344b6bb202aee3b45a96

SHA256
aa084872bd13860993b33d46aa7285e1828d3139aba727a644a93d519491f18f

SHA512
71683db2320e0a6c73cbffc1855c1345ced2bbc0a44feeb0e0372ee184e57208a47d896de3b14a18fcaacd1ec9a632052074ffcf6a483f06e07a7650cffc4181

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnyvtsht.vip.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
Filesize
89KB

MD5
a748f90b8a2ae76abca49e988f684448

SHA1
4fdb6d05574d6da4dec15c532ab773e2b6edcaf6

SHA256
d0928439360838dfdbfefe96ef20922518ee0a9224ad17372587dce5894df41a

SHA512
6401b64a363a40d11317d33aa0aed26c6a6a191661e6eadc653b2b4deef24120b715bc83748d4f41ff3afbb145c466898b74cc252c6fb2dadc8dbb1b36f83bb2

Download Submit
memory/2412-3-0x000000001B140000-0x000000001B1E6000-memory.dmp

Filesize
664KB

Download
memory/2412-2-0x00007FFED7CC0000-0x00007FFED8661000-memory.dmp

Filesize
9.6MB

Download
memory/2412-1-0x00007FFED7CC0000-0x00007FFED8661000-memory.dmp

Filesize
9.6MB

Download
memory/2412-47-0x00007FFED7CC0000-0x00007FFED8661000-memory.dmp

Filesize
9.6MB

Download
memory/2412-0-0x00007FFED7F75000-0x00007FFED7F76000-memory.dmp

Filesize
4KB

Download
memory/2544-46-0x0000000000E30000-0x0000000000E4C000-memory.dmp

Filesize
112KB

Download
memory/3356-32-0x00007FFED4F80000-0x00007FFED5A41000-memory.dmp

Filesize
10.8MB

Download
memory/3356-31-0x00007FFED4F80000-0x00007FFED5A41000-memory.dmp

Filesize
10.8MB

Download
memory/3356-28-0x00007FFED4F80000-0x00007FFED5A41000-memory.dmp

Filesize
10.8MB

Download
memory/3356-27-0x00007FFED4F80000-0x00007FFED5A41000-memory.dmp

Filesize
10.8MB

Download
memory/3356-26-0x00007FFED4F80000-0x00007FFED5A41000-memory.dmp

Filesize
10.8MB

Download
memory/3356-20-0x0000017B3DD70000-0x0000017B3DD92000-memory.dmp

Filesize
136KB

Download
memory/3356-14-0x00007FFED4F83000-0x00007FFED4F85000-memory.dmp

Filesize
8KB

Download
memory/3372-48-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/3372-49-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/3372-50-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/3372-51-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download