xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1799s
max time network
1796s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral3/memory/3936-0-0x0000000000C90000-0x0000000000CA6000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1612 powershell.exe
952 powershell.exe
2320 powershell.exe
2716 powershell.exe

resource	yara_rule
behavioral3/memory/3936-0-0x0000000000C90000-0x0000000000CA6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

pid	process
1612	powershell.exe
952	powershell.exe
2320	powershell.exe
2716	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 30 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid	process
2228	svhost.exe
2164	svhost.exe
2344	svhost.exe
4992	svhost.exe
1536	svhost.exe
652	svhost.exe
4512	svhost.exe
2080	svhost.exe
4164	svhost.exe
4956	svhost.exe
3956	svhost.exe
3948	svhost.exe
652	svhost.exe
3932	svhost.exe
2444	svhost.exe
1920	svhost.exe
4208	svhost.exe
3176	svhost.exe
2776	svhost.exe
2068	svhost.exe
680	svhost.exe
4344	svhost.exe
4028	svhost.exe
1016	svhost.exe
2112	svhost.exe
4680	svhost.exe
1648	svhost.exe
1460	svhost.exe
4864	svhost.exe
4488	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4568 schtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

pid	process
4568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sv.exe

pid process

3936 sv.exe

pid	process
3936	sv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3936	sv.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeIncreaseQuotaPrivilege	2320	powershell.exe
Token: SeSecurityPrivilege	2320	powershell.exe
Token: SeTakeOwnershipPrivilege	2320	powershell.exe
Token: SeLoadDriverPrivilege	2320	powershell.exe
Token: SeSystemProfilePrivilege	2320	powershell.exe
Token: SeSystemtimePrivilege	2320	powershell.exe
Token: SeProfSingleProcessPrivilege	2320	powershell.exe
Token: SeIncBasePriorityPrivilege	2320	powershell.exe
Token: SeCreatePagefilePrivilege	2320	powershell.exe
Token: SeBackupPrivilege	2320	powershell.exe
Token: SeRestorePrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeSystemEnvironmentPrivilege	2320	powershell.exe
Token: SeRemoteShutdownPrivilege	2320	powershell.exe
Token: SeUndockPrivilege	2320	powershell.exe
Token: SeManageVolumePrivilege	2320	powershell.exe
Token: 33	2320	powershell.exe
Token: 34	2320	powershell.exe
Token: 35	2320	powershell.exe
Token: 36	2320	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	powershell.exe
Token: SeRemoteShutdownPrivilege	1612	powershell.exe
Token: SeUndockPrivilege	1612	powershell.exe
Token: SeManageVolumePrivilege	1612	powershell.exe
Token: 33	1612	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

sv.exe

description	pid	process	target process
PID 3936 wrote to memory of 2320	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 2320	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 2716	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 2716	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 1612	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 1612	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 952	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 952	3936	sv.exe	powershell.exe
PID 3936 wrote to memory of 4568	3936	sv.exe	schtasks.exe
PID 3936 wrote to memory of 4568	3936	sv.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2228

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2164

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2344

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4992

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1536

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:652

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4512

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2080

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4164

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4956

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3956

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3948

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:652

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3932

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2444

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1920

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4208

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3176

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2776

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2068

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:680

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4344

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4028

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1016

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2112

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4680

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1648

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1460

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4864

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b71789d087829439aca1df8f283d3071

SHA1
7e533f0fd80f301d38f0996f022dc6c2b47f87c3

SHA256
642e7829ede31c9547b6c3c7afcfbcd3af6764807ee48be29a065462ecdab510

SHA512
4ae908bda256285f99dc554e6b28e4797299e19b6ddcde8e8e57ecb9d01a11454cdec331725b6f82ce09c135342d337a9556ce0c41e4bfa7a43c1c9e8af463f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70567807c59c442fdaee30be7c3cf590

SHA1
20a60d2561362a3ede7ef1070d9249a16f30b276

SHA256
f359100508880a92633d36cdb69b8a3044e0eaf5f15433b5edc9f3717520c514

SHA512
8f90aa172d6adcc2e911b00ee4b8c38ae39da31143917f724f8163a40a6f2eb8e56fe76413b7a5598b0b9174d321b9ae93365f2ccf69d07d9f4ef28f2f97213f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8e68d0b1881b9084b62529aacdfda63b

SHA1
6e94ca42a8c817aa94b6f204212bde71b71927b6

SHA256
0876f27a62ea7970aadd4f3468bfe3f3c8823b557ec940dfd4aebb3ff434de02

SHA512
6c7e1198f1e27815c5c90bf10c2f93f3ff20d96e1054d55b1b8835c260db0173f388430dbe4b35dca918be575f58226506b1d3e53142b87a8c18f9723dc0612a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhzgcnfq.jot.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2320-10-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-41-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-51-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-52-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-12-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-11-0x00000291C22E0000-0x00000291C2356000-memory.dmp

Filesize
472KB

Download
memory/2320-7-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-6-0x00000291C1FC0000-0x00000291C1FE2000-memory.dmp

Filesize
136KB

Download
memory/3936-0-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/3936-187-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/3936-188-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

Filesize
9.9MB

Download
memory/3936-1-0x00007FFFEE743000-0x00007FFFEE744000-memory.dmp

Filesize
4KB

Download