xworm | 20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

General

Target

20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
Size

41KB
MD5

2ae3a0c040d6570d55d82d06f3d31584
SHA1

e69f8b020a5ea66426f00458c535b2f0ce336329
SHA256

20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46
SHA512

d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d
SSDEEP

768:eOQvBUsvIsEaxV0h/L9/1rsQhLOSyoZV65:eXlAbCGL9/x1OSZZV65

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Mutex

PNfnJNqXASy2Le3d

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/2L3vs8UY

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
1164	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
832	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46 = "C:\\Users\\Admin\\AppData\\Roaming\\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe"	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1656	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
Token: SeDebugPrivilege	1164	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
Token: SeDebugPrivilege	832	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1656	1404	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe	28
PID 1404 wrote to memory of 1656	1404	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe	28
PID 1404 wrote to memory of 1656	1404	20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe	28
PID 1664 wrote to memory of 1164	1664	taskeng.exe	31
PID 1664 wrote to memory of 1164	1664	taskeng.exe	31
PID 1664 wrote to memory of 1164	1664	taskeng.exe	31
PID 1664 wrote to memory of 832	1664	taskeng.exe	32
PID 1664 wrote to memory of 832	1664	taskeng.exe	32
PID 1664 wrote to memory of 832	1664	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
"C:\Users\Admin\AppData\Local\Temp\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46" /tr "C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1656

C:\Windows\system32\taskeng.exe
taskeng.exe {4C9E51A9-ED5E-41A0-B2B1-5D0E24D791F7} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
  C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
  C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
C:\Users\Admin\AppData\Roaming\20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46.exe

Filesize
41KB

MD5
2ae3a0c040d6570d55d82d06f3d31584

SHA1
e69f8b020a5ea66426f00458c535b2f0ce336329

SHA256
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46

SHA512
d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d

Download Submit
memory/832-63-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1164-60-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/1404-54-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1404-55-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads