xworm | 99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

Resubmissions

01-07-2024 12:23

240701-pkp6tavcrm 10

01-07-2024 12:17

240701-pf8scs1dnf 10

01-07-2024 12:12

240701-pdbd3sthnj 10

01-07-2024 12:03

240701-n8evbatfll 10

Analysis

max time kernel
121s
max time network
142s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix.exe
Size

35KB
MD5

83bbe29b99a54bad48074efb72ce1fcc
SHA1

421deeba13130a8eebacc8c7f48f28e6fe8485f2
SHA256

99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
SHA512

67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
SSDEEP

768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2424-1-0x00000000012A0000-0x00000000012B0000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2236 powershell.exe
3024 powershell.exe
2888 powershell.exe
2744 powershell.exe

resource	yara_rule
behavioral1/memory/2424-1-0x00000000012A0000-0x00000000012B0000-memory.dmp	family_xworm

pid	process
2236	powershell.exe
3024	powershell.exe
2888	powershell.exe
2744	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fix.exe

Drops file in Windows directory 1 IoCs

Processes:

ehshell.exe

description ioc process

File opened for modification C:\Windows\WindowsUpdate.log ehshell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeehshell.exeehExtHost.exe

pid process

2236 powershell.exe
3024 powershell.exe
2888 powershell.exe
2744 powershell.exe
1660 ehshell.exe
1916 ehExtHost.exe
1916 ehExtHost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	ehshell.exe

pid	process
2236	powershell.exe
3024	powershell.exe
2888	powershell.exe
2744	powershell.exe
1660	ehshell.exe
1916	ehExtHost.exe
1916	ehExtHost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

fix.exepowershell.exepowershell.exepowershell.exepowershell.exeehshell.exeehExtHost.exe

description	pid	process
Token: SeDebugPrivilege	2424	fix.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2424	fix.exe
Token: SeDebugPrivilege	1660	ehshell.exe
Token: SeDebugPrivilege	1916	ehExtHost.exe
Token: SeShutdownPrivilege	1660	ehshell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fix.exeehshell.exe

description	pid	process	target process
PID 2424 wrote to memory of 2236	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2236	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2236	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 3024	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 3024	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 3024	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2888	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2888	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2888	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2744	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2744	2424	fix.exe	powershell.exe
PID 2424 wrote to memory of 2744	2424	fix.exe	powershell.exe
PID 1660 wrote to memory of 1916	1660	ehshell.exe	ehExtHost.exe
PID 1660 wrote to memory of 1916	1660	ehshell.exe	ehExtHost.exe
PID 1660 wrote to memory of 1916	1660	ehshell.exe	ehExtHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\ShowJoin.DVR"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\eHome\ehExtHost.exe
"C:\Windows\eHome\ehExtHost.exe" 1660 e28947be-18c2-4280-9b3a-6e2764549471 3 False False False
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1d51060b89119092187c763328f5fb7f

SHA1
d1114f533aaa033898c58b75cd8670a870a0f89d

SHA256
c8676e8aa9778a4e5583f93ade08dd3be74b220b8218b040a47449fbd5a397aa

SHA512
d0c8f388f3a9c92dc711b5da4a966a616e4535542e1c66159c42af4f5ba70a5342cc0761224118dc19994b0e266f24064a66f7e1a544a0d7a0a14f06238badc5

Download Submit
memory/1660-35-0x000000001F1E0000-0x000000001F298000-memory.dmp

Filesize
736KB

Download
memory/1660-34-0x000000001D110000-0x000000001D1AE000-memory.dmp

Filesize
632KB

Download
memory/1660-61-0x000000001D050000-0x000000001D05A000-memory.dmp

Filesize
40KB

Download
memory/1660-59-0x000000001D050000-0x000000001D087000-memory.dmp

Filesize
220KB

Download
memory/1660-33-0x000000001E920000-0x000000001EAA4000-memory.dmp

Filesize
1.5MB

Download
memory/1660-32-0x000000001E310000-0x000000001E918000-memory.dmp

Filesize
6.0MB

Download
memory/1660-60-0x000000001D050000-0x000000001D05A000-memory.dmp

Filesize
40KB

Download
memory/1916-36-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/2236-7-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2236-6-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2236-8-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2424-27-0x00000000011F0000-0x0000000001270000-memory.dmp

Filesize
512KB

Download
memory/2424-30-0x00000000011F0000-0x0000000001270000-memory.dmp

Filesize
512KB

Download
memory/2424-1-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/2424-0-0x000007FEF5893000-0x000007FEF5894000-memory.dmp

Filesize
4KB

Download
memory/2424-28-0x0000000001290000-0x000000000129C000-memory.dmp

Filesize
48KB

Download
memory/2424-29-0x000007FEF5893000-0x000007FEF5894000-memory.dmp

Filesize
4KB

Download
memory/3024-15-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/3024-14-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download