xworm | 404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8

Analysis

max time kernel
36s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22Executor (1).exe
Size

14.3MB
MD5

2f6ccdc5a983127eb4619c0131b22f74
SHA1

ea606124c913238a1cd06ed46cf297467634745a
SHA256

404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8
SHA512

97ebbd6814cc8451ed14f573bcf9d81f025e2a127df71f6632eece8886952edda5ed075a48f88e859a044c6070bfd64035922ff171689df8b3f6428813d1c9a1
SSDEEP

1536:efT1xxuiGO+oS2tXFlGXyjXnq7CkHOHmvkKUUgFv2qsFjAk1CortszhXXIX8xe2X:G2HoZXFlAyjrkHOHRFsFcGtsz1ef29d

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

tr3.localto.net:44953

Attributes

Install_directory
%ProgramData%
install_file
svchhost.exe
telegram
https://api.telegram.org/bot6919369290:AAGnnKr1Yo67mV9jYUriuVi-XAno2tdvbq0/sendMessage?chat_id=6340808873

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	family_xworm
behavioral2/memory/2436-47-0x0000000000030000-0x000000000004C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3564 powershell.exe
4012 powershell.exe
3356 powershell.exe
1504 powershell.exe
2768 powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22Exe.exe22Executor (1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	22Exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	22Executor (1).exe

Drops startup file 4 IoCs

Processes:

22Executor (1).exe22Exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	22Executor (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	22Executor (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk	22Exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk	22Exe.exe

Executes dropped EXE 2 IoCs

Processes:

22.exe22Exe.exe

pid process

2188 22.exe
2436 22Exe.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

22Exe.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchhost = "C:\\ProgramData\\svchhost.exe" 22Exe.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3396 2188 WerFault.exe 22.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4628 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

22Exe.exe

pid process

2436 22Exe.exe

pid	process
2188	22.exe
2436	22Exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchhost = "C:\\ProgramData\\svchhost.exe"	22Exe.exe

flow	ioc
18	ip-api.com

pid	pid_target	process	target process
3396	2188	WerFault.exe	22.exe

pid	process
4628	schtasks.exe

pid	process
2436	22Exe.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe22Exe.exe

pid	process
3564	powershell.exe
3564	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
2436	22Exe.exe
2436	22Exe.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exe22Exe.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	2436	22Exe.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2436	22Exe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

22Exe.exe

pid process

2436 22Exe.exe

pid	process
2436	22Exe.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

22Executor (1).exe22Exe.exe

description	pid	process	target process
PID 332 wrote to memory of 2188	332	22Executor (1).exe	22.exe
PID 332 wrote to memory of 2188	332	22Executor (1).exe	22.exe
PID 332 wrote to memory of 2188	332	22Executor (1).exe	22.exe
PID 332 wrote to memory of 3564	332	22Executor (1).exe	powershell.exe
PID 332 wrote to memory of 3564	332	22Executor (1).exe	powershell.exe
PID 332 wrote to memory of 2436	332	22Executor (1).exe	22Exe.exe
PID 332 wrote to memory of 2436	332	22Executor (1).exe	22Exe.exe
PID 2436 wrote to memory of 4012	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 4012	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 3356	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 3356	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 1504	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 1504	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 2768	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 2768	2436	22Exe.exe	powershell.exe
PID 2436 wrote to memory of 4628	2436	22Exe.exe	schtasks.exe
PID 2436 wrote to memory of 4628	2436	22Exe.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22Executor (1).exe
"C:\Users\Admin\AppData\Local\Temp\22Executor (1).exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\22.exe
"C:\Users\Admin\AppData\Local\Temp\22.exe"
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1048
3⤵
- Program crash
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22Exe.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchhost" /tr "C:\ProgramData\svchhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2188 -ip 2188
1⤵
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2d6baabb78161c2401e97f08de1b3b4e

SHA1
7bd22cebd5f310d8ac2ef8027caf6a0ec3bf709e

SHA256
1cea816e9897ec6852edb3671e5a93b05ea817bc969c4d47ee70f5573f95df42

SHA512
9f35b70cdb0159002143296f11dd22bec6e28836d36bb2ec0527692935cfc3f43df54871a9397bbdf2aaf6912943968310320433ca51a39e360d7227262c754c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe
Filesize
53KB

MD5
26f0ceb6deadcade5fc0f8c407039d85

SHA1
40c28e32bcb62ed98d91344b6bb202aee3b45a96

SHA256
aa084872bd13860993b33d46aa7285e1828d3139aba727a644a93d519491f18f

SHA512
71683db2320e0a6c73cbffc1855c1345ced2bbc0a44feeb0e0372ee184e57208a47d896de3b14a18fcaacd1ec9a632052074ffcf6a483f06e07a7650cffc4181

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0esvl4a5.el0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
Filesize
89KB

MD5
a748f90b8a2ae76abca49e988f684448

SHA1
4fdb6d05574d6da4dec15c532ab773e2b6edcaf6

SHA256
d0928439360838dfdbfefe96ef20922518ee0a9224ad17372587dce5894df41a

SHA512
6401b64a363a40d11317d33aa0aed26c6a6a191661e6eadc653b2b4deef24120b715bc83748d4f41ff3afbb145c466898b74cc252c6fb2dadc8dbb1b36f83bb2

Download Submit
memory/332-3-0x000000001B530000-0x000000001B5D6000-memory.dmp

Filesize
664KB

Download
memory/332-2-0x00007FFA05FC0000-0x00007FFA06961000-memory.dmp

Filesize
9.6MB

Download
memory/332-1-0x00007FFA05FC0000-0x00007FFA06961000-memory.dmp

Filesize
9.6MB

Download
memory/332-49-0x00007FFA05FC0000-0x00007FFA06961000-memory.dmp

Filesize
9.6MB

Download
memory/332-0-0x00007FFA06275000-0x00007FFA06276000-memory.dmp

Filesize
4KB

Download
memory/2188-32-0x0000000000DA0000-0x0000000000DB4000-memory.dmp

Filesize
80KB

Download
memory/2188-35-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/2188-48-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/2188-50-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/2436-47-0x0000000000030000-0x000000000004C000-memory.dmp

Filesize
112KB

Download
memory/3564-31-0x00007FFA036C0000-0x00007FFA04181000-memory.dmp

Filesize
10.8MB

Download
memory/3564-28-0x00007FFA036C0000-0x00007FFA04181000-memory.dmp

Filesize
10.8MB

Download
memory/3564-27-0x00007FFA036C0000-0x00007FFA04181000-memory.dmp

Filesize
10.8MB

Download
memory/3564-26-0x00007FFA036C0000-0x00007FFA04181000-memory.dmp

Filesize
10.8MB

Download
memory/3564-25-0x000001B8B9730000-0x000001B8B9752000-memory.dmp

Filesize
136KB

Download
memory/3564-14-0x00007FFA036C3000-0x00007FFA036C5000-memory.dmp

Filesize
8KB

Download