xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
794s
max time network
784s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/5116-0-0x0000000000880000-0x0000000000896000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2260 powershell.exe
1232 powershell.exe
1028 powershell.exe
4792 powershell.exe

resource	yara_rule
behavioral1/memory/5116-0-0x0000000000880000-0x0000000000896000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 13 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

1496 svhost.exe
96 svhost.exe
4784 svhost.exe
4020 svhost.exe
3432 svhost.exe
4668 svhost.exe
2088 svhost.exe
3628 svhost.exe
1600 svhost.exe
1492 svhost.exe
3608 svhost.exe
4316 svhost.exe
4444 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1540 schtasks.exe

pid	process
1496	svhost.exe
96	svhost.exe
4784	svhost.exe
4020	svhost.exe
3432	svhost.exe
4668	svhost.exe
2088	svhost.exe
3628	svhost.exe
1600	svhost.exe
1492	svhost.exe
3608	svhost.exe
4316	svhost.exe
4444	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

pid	process
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
1232	powershell.exe
1232	powershell.exe
1232	powershell.exe
1028	powershell.exe
1028	powershell.exe
1028	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5116	sv.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeIncreaseQuotaPrivilege	2260	powershell.exe
Token: SeSecurityPrivilege	2260	powershell.exe
Token: SeTakeOwnershipPrivilege	2260	powershell.exe
Token: SeLoadDriverPrivilege	2260	powershell.exe
Token: SeSystemProfilePrivilege	2260	powershell.exe
Token: SeSystemtimePrivilege	2260	powershell.exe
Token: SeProfSingleProcessPrivilege	2260	powershell.exe
Token: SeIncBasePriorityPrivilege	2260	powershell.exe
Token: SeCreatePagefilePrivilege	2260	powershell.exe
Token: SeBackupPrivilege	2260	powershell.exe
Token: SeRestorePrivilege	2260	powershell.exe
Token: SeShutdownPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeSystemEnvironmentPrivilege	2260	powershell.exe
Token: SeRemoteShutdownPrivilege	2260	powershell.exe
Token: SeUndockPrivilege	2260	powershell.exe
Token: SeManageVolumePrivilege	2260	powershell.exe
Token: 33	2260	powershell.exe
Token: 34	2260	powershell.exe
Token: 35	2260	powershell.exe
Token: 36	2260	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeIncreaseQuotaPrivilege	1232	powershell.exe
Token: SeSecurityPrivilege	1232	powershell.exe
Token: SeTakeOwnershipPrivilege	1232	powershell.exe
Token: SeLoadDriverPrivilege	1232	powershell.exe
Token: SeSystemProfilePrivilege	1232	powershell.exe
Token: SeSystemtimePrivilege	1232	powershell.exe
Token: SeProfSingleProcessPrivilege	1232	powershell.exe
Token: SeIncBasePriorityPrivilege	1232	powershell.exe
Token: SeCreatePagefilePrivilege	1232	powershell.exe
Token: SeBackupPrivilege	1232	powershell.exe
Token: SeRestorePrivilege	1232	powershell.exe
Token: SeShutdownPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeSystemEnvironmentPrivilege	1232	powershell.exe
Token: SeRemoteShutdownPrivilege	1232	powershell.exe
Token: SeUndockPrivilege	1232	powershell.exe
Token: SeManageVolumePrivilege	1232	powershell.exe
Token: 33	1232	powershell.exe
Token: 34	1232	powershell.exe
Token: 35	1232	powershell.exe
Token: 36	1232	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeIncreaseQuotaPrivilege	1028	powershell.exe
Token: SeSecurityPrivilege	1028	powershell.exe
Token: SeTakeOwnershipPrivilege	1028	powershell.exe
Token: SeLoadDriverPrivilege	1028	powershell.exe
Token: SeSystemProfilePrivilege	1028	powershell.exe
Token: SeSystemtimePrivilege	1028	powershell.exe
Token: SeProfSingleProcessPrivilege	1028	powershell.exe
Token: SeIncBasePriorityPrivilege	1028	powershell.exe
Token: SeCreatePagefilePrivilege	1028	powershell.exe
Token: SeBackupPrivilege	1028	powershell.exe
Token: SeRestorePrivilege	1028	powershell.exe
Token: SeShutdownPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeSystemEnvironmentPrivilege	1028	powershell.exe
Token: SeRemoteShutdownPrivilege	1028	powershell.exe
Token: SeUndockPrivilege	1028	powershell.exe
Token: SeManageVolumePrivilege	1028	powershell.exe
Token: 33	1028	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

sv.exe

description	pid	process	target process
PID 5116 wrote to memory of 2260	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 2260	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 1232	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 1232	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 1028	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 1028	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 4792	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 4792	5116	sv.exe	powershell.exe
PID 5116 wrote to memory of 1540	5116	sv.exe	schtasks.exe
PID 5116 wrote to memory of 1540	5116	sv.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1496

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:96

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4784

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4020

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3432

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4668

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2088

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3628

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1600

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1492

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3608

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4316

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4444

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
14741e67e80cf79afc9f78ddecf4511c

SHA1
4d88dfdbc3a6588810b20cb2d333987305f9411a

SHA256
566d4ab531ab8bbb9e68ce82a8543d5788943b9d51ffe8c2c3feedf4a263f4d2

SHA512
53c123b8f971e5493418da5593a1a067a323b57574a157bebfa4532d85832585d7fd22bf7236d9f6cfabb55f905ff8cf92b7f6faa984e90541d5bc4ec5884b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3715120b6eb7f27980bbdfa898cea402

SHA1
4941cc2581199e0b31915c6f7785d7e7fea986f7

SHA256
7405d690cbcc4d55b20f10b7dcc93fe00372dd249dcea733ad590561b0483e88

SHA512
166b748d0d1eac16b532a16b82961f2aee724bf56a38036163cb9ed049a6142974a5c77e71c553c612771232137b78f433258c49c8177ea581f19f5dd85ad28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
37e5c10834b07a782e971ec576c02f6d

SHA1
7b188f5ed6d172cf7c96aadad5f61e6d96d9d070

SHA256
75a48f2fdf0dcecee5b7c22e0e959920b2f47733dea615acb733307140f70d4d

SHA512
a3d7ab62ff67143026121b3a2a0b6780e81af3c6363c2f0dece18b5c997cbd15c45ae75487d7668a0b2fb415af625c7f07aec8505733ac5110b6b8504f39b20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ym3obm3m.iu0.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2260-10-0x00000292DDCF0000-0x00000292DDD66000-memory.dmp

Filesize
472KB

Download
memory/2260-41-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-48-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-51-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-24-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-11-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-9-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-6-0x00000292DDB40000-0x00000292DDB62000-memory.dmp

Filesize
136KB

Download
memory/5116-0-0x0000000000880000-0x0000000000896000-memory.dmp

Filesize
88KB

Download
memory/5116-186-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/5116-190-0x00007FFFDD2A0000-0x00007FFFDDC8C000-memory.dmp

Filesize
9.9MB

Download
memory/5116-1-0x00007FFFDD2A3000-0x00007FFFDD2A4000-memory.dmp

Filesize
4KB

Download