xworm | 9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.6MB
MD5

c655d958dac296c3e6b0667e5f00dada
SHA1

678c76f62274a01a98ddd70082589c4a283c5a5a
SHA256

9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7
SHA512

98c4595eccf9fa67f99e16d36347739932fdbebe29bd95d65e397e60a34002d3724f9221fcf0514631f8cf05808c320cdf4c22eee28e77b06c01993b1079d7a0
SSDEEP

98304:9sNuDeuRqghwVZpsCzTB0saQZ2pT46vyQUiGNcX84I3UjpFU473BJ9kQEuyh2:Qu1ElzTB0saGhkGs84I3U1/JQh2

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

allows-welfare.gl.at.ply.gg:49180

Attributes

Install_directory
%AppData%
install_file
System32pdfc.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe family_xworm
behavioral1/memory/2332-13-0x0000000001380000-0x0000000001398000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2092 powershell.exe
1104 powershell.exe
1088 powershell.exe
1768 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe	family_xworm
behavioral1/memory/2332-13-0x0000000001380000-0x0000000001398000-memory.dmp	family_xworm

pid	process
2092	powershell.exe
1104	powershell.exe
1088	powershell.exe
1768	powershell.exe

Drops startup file 2 IoCs

Processes:

system32transmitter.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk	system32transmitter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk	system32transmitter.exe

Executes dropped EXE 4 IoCs

Processes:

system32transmitter.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid process

2332 system32transmitter.exe
2660 AnyDesk.exe
2680 AnyDesk.exe
2556 AnyDesk.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeAnyDesk.exe

pid process

2808 cmd.exe
2808 cmd.exe
2660 AnyDesk.exe
2660 AnyDesk.exe
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 9.9.9.9
Destination IP 9.9.9.9
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2332	system32transmitter.exe
2660	AnyDesk.exe
2680	AnyDesk.exe
2556	AnyDesk.exe

pid	process
2808	cmd.exe
2808	cmd.exe
2660	AnyDesk.exe
2660	AnyDesk.exe

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9

flow	ioc
6	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AnyDesk.exepowershell.exepowershell.exepowershell.exepowershell.exesystem32transmitter.exe

pid process

2680 AnyDesk.exe
2092 powershell.exe
1104 powershell.exe
1088 powershell.exe
1768 powershell.exe
2332 system32transmitter.exe

pid	process
2680	AnyDesk.exe
2092	powershell.exe
1104	powershell.exe
1088	powershell.exe
1768	powershell.exe
2332	system32transmitter.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

system32transmitter.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2332	system32transmitter.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2332	system32transmitter.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2556 AnyDesk.exe
2556 AnyDesk.exe
2556 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2556 AnyDesk.exe
2556 AnyDesk.exe
2556 AnyDesk.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system32transmitter.exe

pid process

2332 system32transmitter.exe

pid	process
2556	AnyDesk.exe
2556	AnyDesk.exe
2556	AnyDesk.exe

pid	process
2556	AnyDesk.exe
2556	AnyDesk.exe
2556	AnyDesk.exe

pid	process
2332	system32transmitter.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

AnyDesk.execmd.exeAnyDesk.exesystem32transmitter.exe

description	pid	process	target process
PID 3068 wrote to memory of 2808	3068	AnyDesk.exe	cmd.exe
PID 3068 wrote to memory of 2808	3068	AnyDesk.exe	cmd.exe
PID 3068 wrote to memory of 2808	3068	AnyDesk.exe	cmd.exe
PID 3068 wrote to memory of 2808	3068	AnyDesk.exe	cmd.exe
PID 2808 wrote to memory of 2332	2808	cmd.exe	system32transmitter.exe
PID 2808 wrote to memory of 2332	2808	cmd.exe	system32transmitter.exe
PID 2808 wrote to memory of 2332	2808	cmd.exe	system32transmitter.exe
PID 2808 wrote to memory of 2332	2808	cmd.exe	system32transmitter.exe
PID 2808 wrote to memory of 2660	2808	cmd.exe	AnyDesk.exe
PID 2808 wrote to memory of 2660	2808	cmd.exe	AnyDesk.exe
PID 2808 wrote to memory of 2660	2808	cmd.exe	AnyDesk.exe
PID 2808 wrote to memory of 2660	2808	cmd.exe	AnyDesk.exe
PID 2660 wrote to memory of 2680	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2680	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2680	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2680	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2556	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2556	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2556	2660	AnyDesk.exe	AnyDesk.exe
PID 2660 wrote to memory of 2556	2660	AnyDesk.exe	AnyDesk.exe
PID 2332 wrote to memory of 2092	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 2092	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 2092	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1104	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1104	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1104	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1088	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1088	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1088	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1768	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1768	2332	system32transmitter.exe	powershell.exe
PID 2332 wrote to memory of 1768	2332	system32transmitter.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "system32transmitter.exe" & start "" "AnyDesk.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
"system32transmitter.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32transmitter.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32pdfc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32pdfc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"AnyDesk.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-service
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2680

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-control
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
Filesize
73KB

MD5
864c37423bb1332bb4ae49b13da56cbc

SHA1
6a710197408e7e50e78b529e85499a364447fbd3

SHA256
d61cc856e397eccad395768e0046e54a1b2b32b580c358195206dcf3cd08da3c

SHA512
4dae0ee5c4dc08ca295e557a3aef27187a7b1db9bc9ec27445f83f06937c9c81ddd0974219df34d6556c0646685287997a97ec2702a3eaac433c985c7e976c34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
10KB

MD5
e2ea7eb88b54861303b3a8d4b89b9967

SHA1
11aeb6cad8c63c1af549bec94e13ea8d2e3fc342

SHA256
edee60e72d0533d24a088c93c159b179447b1515a3856a529b17c039210e78bb

SHA512
1d7558eae4380973b8fa3a68a87ce47d275ed0048434cfadcccde532a75bc8efcb50480c4f0578093598cafafa3ba33b394aee2faf18cca6814596d8a7210ced

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
74504adefc6f467055cff78020e03051

SHA1
a94e859c45149ac94b55cb2c84ebe3046f3fc7b6

SHA256
042d8189ae9078e346e068449cd9a249133941ef7d1e3e1ba9b67d73fb34d738

SHA512
7cba97aea3b8b6a4150995e32b51a87cae4abfd6374df16dd2f272081220b8f5047d641b1aab4a7fb96ba65987d79ee40b86ddd0e7bdab8d3a0b5162fee07293

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
221a15ff8465ed79efebd8d5b3434e07

SHA1
dc584b6ba4e630baeaa66faebb369cfb3fc36871

SHA256
25d33e1ec105fd327c3596fbfeb4976845cfaf77aa2a6190e59fc12452d3c84f

SHA512
024bfecc4957abd4923a6a643a3085eb437e1c58b93eae9c339defebabf46e265df564a0eced88b5254e83b309362d7a54a34db88b73cac3680f603d19fd4f57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
5b6c81bdfdb3b267a8a4e8958eb924b6

SHA1
ab4090f6a2106325769212ea3322daeaff8d11d9

SHA256
c181e931039c4cf719f2d6db5680b3fc8edca8e363625193723460e4173e9375

SHA512
217ecd38e395d45eaf9eab93c44de375f654c853feef8ca3f373ca7cbad05aa33203bdbdc774eaad2b98f72770ad72a2faab9380832d0e921418c84ea4f6482d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
6a44c3ce73c6e594014ecd1e8335efbe

SHA1
17eb46f58a8fe432bf4c0ba95f43be2ac443d74f

SHA256
0f8ffea2ba0b3d5241df7dc87bafe16b3e32d3be994e5590fa05bd6c0b06b637

SHA512
491b545216beec7173ec3c66a5544dd0d7c0fade0f45cef0cd8ee4eeabe94a84cca5d6cabbf8251ae46110c3cefe60bb5d8d4a38a75e22952208a70dfc8b31b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
b390e570e2bda96d2f1338d11bdcfce8

SHA1
b195bd99e157cbcee6641dd75ad708f5a0040dab

SHA256
3a7b9c47313b34b53c465c1905cfd2534e03b8284f5d0d6cc574e4ae07f04ceb

SHA512
578613dbd71cf1122abd5796458497f7b8051ad80b7f725597b46ccce064673e02b2fd7bf4081385f3117b22babdffc31b33282a5dc35322ddb5e88c89ed04b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
bb78e62bb3387126abed26ab009677ad

SHA1
a9ee6ece6a6b51da3dc0a63cad593f30435d0b23

SHA256
a40c6a99a7508f83e64ca5f73c93c2b8178e5168749c3e7f8f1b343ff3c6efa0

SHA512
d286c7c28efd33180fe98623ebbdb4f508e6b763b09eb98651df7f125ebbe341a503cc461705ae34506167af24a0c68175c5ccbfc196029351806b58d7834e9d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
d184854a7ac406763acc14c60f92f7ce

SHA1
a4fd8b6999ea2880921918bea248c0a429f2dfe1

SHA256
53d428bf8169d5a60274ce83a488e6308635b2e0923afb20498358af06546854

SHA512
5412f3d84b4f1d21824e90b93f5547c55394875462ea8fb1061126aaf05add9ede51c1b734bceb9a1857ffc5182b9cf564e776779c65f40c28f64b0e394a8eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UNLDWFZA7KGX1V9F194K.temp
Filesize
7KB

MD5
537e2da8fe26313b31fb9d917493d936

SHA1
818a733c991dbd242aa141fec1c5b30e2364b567

SHA256
155113f9b37819ce3f38cf0ee2a34dbbb1c00114090fe525b45929cb76315d12

SHA512
78d166c1a179f68067d78d93b547da0a315750f6b153f23b5741d1668de981b98c28c4fa1fed640620ce14d6846a825435fa63d1d4f85ad23c7770a6328c1b66

Download Submit
memory/1104-132-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1104-131-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2092-125-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2092-124-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2332-13-0x0000000001380000-0x0000000001398000-memory.dmp

Filesize
96KB

Download
memory/2556-28-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2556-283-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2556-115-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2660-113-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2660-14-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2660-177-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-114-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-158-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-178-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-134-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-198-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-208-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-215-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-233-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-282-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-26-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download
memory/2680-289-0x0000000001100000-0x0000000002849000-memory.dmp

Filesize
23.3MB

Download