xworm | 20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

General

Target

2ae3a0c040d6570d55d82d06f3d31584.exe
Size

41KB
MD5

2ae3a0c040d6570d55d82d06f3d31584
SHA1

e69f8b020a5ea66426f00458c535b2f0ce336329
SHA256

20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46
SHA512

d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d
SSDEEP

768:eOQvBUsvIsEaxV0h/L9/1rsQhLOSyoZV65:eXlAbCGL9/x1OSZZV65

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Mutex

PNfnJNqXASy2Le3d

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/2L3vs8UY

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 3 IoCs

Processes:

2ae3a0c040d6570d55d82d06f3d31584.exe2ae3a0c040d6570d55d82d06f3d31584.exe2ae3a0c040d6570d55d82d06f3d31584.exe

pid process

2144 2ae3a0c040d6570d55d82d06f3d31584.exe
5004 2ae3a0c040d6570d55d82d06f3d31584.exe
2812 2ae3a0c040d6570d55d82d06f3d31584.exe

pid	process
2144	2ae3a0c040d6570d55d82d06f3d31584.exe
5004	2ae3a0c040d6570d55d82d06f3d31584.exe
2812	2ae3a0c040d6570d55d82d06f3d31584.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ae3a0c040d6570d55d82d06f3d31584.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2ae3a0c040d6570d55d82d06f3d31584.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2ae3a0c040d6570d55d82d06f3d31584.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2ae3a0c040d6570d55d82d06f3d31584 = "C:\\Users\\Admin\\AppData\\Roaming\\2ae3a0c040d6570d55d82d06f3d31584.exe"	2ae3a0c040d6570d55d82d06f3d31584.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4452 schtasks.exe

pid	process
4452	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2ae3a0c040d6570d55d82d06f3d31584.exe2ae3a0c040d6570d55d82d06f3d31584.exe2ae3a0c040d6570d55d82d06f3d31584.exe2ae3a0c040d6570d55d82d06f3d31584.exe

description	pid	process
Token: SeDebugPrivilege	1824	2ae3a0c040d6570d55d82d06f3d31584.exe
Token: SeDebugPrivilege	2144	2ae3a0c040d6570d55d82d06f3d31584.exe
Token: SeDebugPrivilege	5004	2ae3a0c040d6570d55d82d06f3d31584.exe
Token: SeDebugPrivilege	2812	2ae3a0c040d6570d55d82d06f3d31584.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

2ae3a0c040d6570d55d82d06f3d31584.exe

description	pid	process	target process
PID 1824 wrote to memory of 4452	1824	2ae3a0c040d6570d55d82d06f3d31584.exe	schtasks.exe
PID 1824 wrote to memory of 4452	1824	2ae3a0c040d6570d55d82d06f3d31584.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2ae3a0c040d6570d55d82d06f3d31584.exe
"C:\Users\Admin\AppData\Local\Temp\2ae3a0c040d6570d55d82d06f3d31584.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "2ae3a0c040d6570d55d82d06f3d31584" /tr "C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4452

C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2ae3a0c040d6570d55d82d06f3d31584.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
memory/1824-132-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1824-133-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-139-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-137-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-138-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-145-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-146-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-134-0x0000000000000000-mapping.dmp

Download
memory/5004-142-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-143-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads