xworm | 3499cb420b4427901addf0c49bb2a156a0127835e6805cdb4567979c2f90cc1e

General

Target

00987654345678.exe
Size

833KB
MD5

a849578e8bd54ed3528453a03dcd8760
SHA1

fc3ea5f444fe938916b5be4cf50153950e793c12
SHA256

c6af80e6ed0b9f93b7e14e956dac74d7affe71097f9ab14786e8fdd0469f4d25
SHA512

846f8b31be8499ac17e42e9716bb6fa5b31003563f694c445ea55148855e0c0bc622b7c45049bd6b45b60d041a2ca2ef4f1dcbac0df829bc4684fdab208508b4
SSDEEP

12288:R4YIM64tl6UqjSds3Yfg8TgDJavO3LnXnvAQWWftmUsFVAZL/xtjk65ek2w5KM/:RkYnsd1dMyF/xtj75T2a

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

103.187.4.59:62400

Mutex

4hR1Z1dxAKjfBlJg

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

jsc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsc.exe	jsc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsc.exe	jsc.exe

Executes dropped EXE 2 IoCs

Processes:

jsc.exejsc.exe

pid process

4688 jsc.exe
1572 jsc.exe

pid	process
4688	jsc.exe
1572	jsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsc = "C:\\Users\\Admin\\AppData\\Roaming\\jsc.exe"	jsc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

00987654345678.exe

description pid process target process

PID 3360 set thread context of 380 3360 00987654345678.exe jsc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1872 schtasks.exe

description	pid	process	target process
PID 3360 set thread context of 380	3360	00987654345678.exe	jsc.exe

pid	process
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

00987654345678.exe

pid	process
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe
3360	00987654345678.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

00987654345678.exe

description pid process

Token: SeDebugPrivilege 3360 00987654345678.exe

description	pid	process
Token: SeDebugPrivilege	3360	00987654345678.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

00987654345678.exejsc.exe

description	pid	process	target process
PID 3360 wrote to memory of 4700	3360	00987654345678.exe	CasPol.exe
PID 3360 wrote to memory of 4700	3360	00987654345678.exe	CasPol.exe
PID 3360 wrote to memory of 1592	3360	00987654345678.exe	aspnet_regbrowsers.exe
PID 3360 wrote to memory of 1592	3360	00987654345678.exe	aspnet_regbrowsers.exe
PID 3360 wrote to memory of 2620	3360	00987654345678.exe	dfsvc.exe
PID 3360 wrote to memory of 2620	3360	00987654345678.exe	dfsvc.exe
PID 3360 wrote to memory of 1516	3360	00987654345678.exe	RegSvcs.exe
PID 3360 wrote to memory of 1516	3360	00987654345678.exe	RegSvcs.exe
PID 3360 wrote to memory of 1164	3360	00987654345678.exe	ComSvcConfig.exe
PID 3360 wrote to memory of 1164	3360	00987654345678.exe	ComSvcConfig.exe
PID 3360 wrote to memory of 2432	3360	00987654345678.exe	ServiceModelReg.exe
PID 3360 wrote to memory of 2432	3360	00987654345678.exe	ServiceModelReg.exe
PID 3360 wrote to memory of 2184	3360	00987654345678.exe	mscorsvw.exe
PID 3360 wrote to memory of 2184	3360	00987654345678.exe	mscorsvw.exe
PID 3360 wrote to memory of 3052	3360	00987654345678.exe	ilasm.exe
PID 3360 wrote to memory of 3052	3360	00987654345678.exe	ilasm.exe
PID 3360 wrote to memory of 4348	3360	00987654345678.exe	csc.exe
PID 3360 wrote to memory of 4348	3360	00987654345678.exe	csc.exe
PID 3360 wrote to memory of 2400	3360	00987654345678.exe	DataSvcUtil.exe
PID 3360 wrote to memory of 2400	3360	00987654345678.exe	DataSvcUtil.exe
PID 3360 wrote to memory of 1264	3360	00987654345678.exe	Microsoft.Workflow.Compiler.exe
PID 3360 wrote to memory of 1264	3360	00987654345678.exe	Microsoft.Workflow.Compiler.exe
PID 3360 wrote to memory of 1600	3360	00987654345678.exe	MSBuild.exe
PID 3360 wrote to memory of 1600	3360	00987654345678.exe	MSBuild.exe
PID 3360 wrote to memory of 4800	3360	00987654345678.exe	AppLaunch.exe
PID 3360 wrote to memory of 4800	3360	00987654345678.exe	AppLaunch.exe
PID 3360 wrote to memory of 4812	3360	00987654345678.exe	InstallUtil.exe
PID 3360 wrote to memory of 4812	3360	00987654345678.exe	InstallUtil.exe
PID 3360 wrote to memory of 4884	3360	00987654345678.exe	AddInProcess.exe
PID 3360 wrote to memory of 4884	3360	00987654345678.exe	AddInProcess.exe
PID 3360 wrote to memory of 4828	3360	00987654345678.exe	AddInUtil.exe
PID 3360 wrote to memory of 4828	3360	00987654345678.exe	AddInUtil.exe
PID 3360 wrote to memory of 4236	3360	00987654345678.exe	aspnet_regiis.exe
PID 3360 wrote to memory of 4236	3360	00987654345678.exe	aspnet_regiis.exe
PID 3360 wrote to memory of 2024	3360	00987654345678.exe	ngen.exe
PID 3360 wrote to memory of 2024	3360	00987654345678.exe	ngen.exe
PID 3360 wrote to memory of 2500	3360	00987654345678.exe	aspnet_state.exe
PID 3360 wrote to memory of 2500	3360	00987654345678.exe	aspnet_state.exe
PID 3360 wrote to memory of 4612	3360	00987654345678.exe	WsatConfig.exe
PID 3360 wrote to memory of 4612	3360	00987654345678.exe	WsatConfig.exe
PID 3360 wrote to memory of 3416	3360	00987654345678.exe	EdmGen.exe
PID 3360 wrote to memory of 3416	3360	00987654345678.exe	EdmGen.exe
PID 3360 wrote to memory of 5084	3360	00987654345678.exe	aspnet_wp.exe
PID 3360 wrote to memory of 5084	3360	00987654345678.exe	aspnet_wp.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 3360 wrote to memory of 380	3360	00987654345678.exe	jsc.exe
PID 380 wrote to memory of 1872	380	jsc.exe	schtasks.exe
PID 380 wrote to memory of 1872	380	jsc.exe	schtasks.exe
PID 380 wrote to memory of 1872	380	jsc.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\00987654345678.exe
"C:\Users\Admin\AppData\Local\Temp\00987654345678.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:4700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:1164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:4348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:2400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:4800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:4812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:4828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:4884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:3416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:5084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "jsc" /tr "C:\Users\Admin\AppData\Roaming\jsc.exe"
3⤵
- Creates scheduled task(s)
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:4612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:2500

C:\Users\Admin\AppData\Roaming\jsc.exe
C:\Users\Admin\AppData\Roaming\jsc.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\AppData\Roaming\jsc.exe
C:\Users\Admin\AppData\Roaming\jsc.exe
1⤵
- Executes dropped EXE
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jsc.exe.log

Filesize
135B

MD5
bb527fdbc763485b0662fccfd53aa00a

SHA1
86438ecbaf308b24fa264c7b6ececdabd1338dc0

SHA256
6158c0b5b794617aad8da6d671fef9ede9cab2aa9a9fad91d038739dff5cedbd

SHA512
2003e36806330552d7dd5e633f24a67f2f4226c12ee43a6f79bb709727dd52910ca5eaf336f9c1e5733c66bc3075ca24caca19d086be373b76aa08d3fa818106

Download Submit
C:\Users\Admin\AppData\Roaming\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
C:\Users\Admin\AppData\Roaming\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
C:\Users\Admin\AppData\Roaming\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
memory/380-143-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/380-142-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/380-138-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/380-137-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/380-135-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3360-133-0x000001BD39E60000-0x000001BD39F34000-memory.dmp

Filesize
848KB

Download
memory/3360-134-0x000001BD55130000-0x000001BD55140000-memory.dmp

Filesize
64KB

Download
memory/4688-146-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/4688-147-0x00000000052E0000-0x000000000539A000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads