xworm | d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba

General

Target

1220.exe
Size

287KB
MD5

c9ca161c6fe1c897fe79456bced7385a
SHA1

2ed335957b7ae95fcdb9b580b77069d02a7bdd55
SHA256

d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba
SHA512

9e03cf95d18e885bc49d3143e90a55a8547dae4f991d44103c35abb299a24b0c164409ab33069df94783f0bff769a19b58eb453231d3c53817840c44b424eaa2
SSDEEP

3072:u+SRE3U354nnJDeWmlaiaozyBRIQQ2PIbBtelpGp6ClHtVWp4+f8MMMMMMMMMMQO:25MJ6zVtWIQQ2emI6ClHtVWpaV

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

johnnew12.duckdns.org:7000

Mutex

NMFvSsFfSThofIzP

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

1524 svchost.exe
1948 svchost.exe
1608 svchost.exe
1380 svchost.exe

pid	process
1524	svchost.exe
1948	svchost.exe
1608	svchost.exe
1380	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1220.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1448 set thread context of 1076	1448	1220.exe	1220.exe
PID 1524 set thread context of 1948	1524	svchost.exe	svchost.exe
PID 1608 set thread context of 1380	1608	svchost.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

876 schtasks.exe
1868 schtasks.exe
916 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1220.exe

pid process

1076 1220.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1220.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1076 1220.exe
Token: SeDebugPrivilege 1948 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1220.exe

pid process

1076 1220.exe

pid	process
876	schtasks.exe
1868	schtasks.exe
916	schtasks.exe

pid	process
1076	1220.exe

description	pid	process
Token: SeDebugPrivilege	1076	1220.exe
Token: SeDebugPrivilege	1948	svchost.exe

pid	process
1076	1220.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1220.execmd.exetaskeng.exesvchost.execmd.exesvchost.exe

description	pid	process	target process
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1076	1448	1220.exe	1220.exe
PID 1448 wrote to memory of 1920	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1920	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1920	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1920	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 780	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 780	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 780	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 780	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1496	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1496	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1496	1448	1220.exe	cmd.exe
PID 1448 wrote to memory of 1496	1448	1220.exe	cmd.exe
PID 780 wrote to memory of 876	780	cmd.exe	schtasks.exe
PID 780 wrote to memory of 876	780	cmd.exe	schtasks.exe
PID 780 wrote to memory of 876	780	cmd.exe	schtasks.exe
PID 780 wrote to memory of 876	780	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1524	744	taskeng.exe	svchost.exe
PID 744 wrote to memory of 1524	744	taskeng.exe	svchost.exe
PID 744 wrote to memory of 1524	744	taskeng.exe	svchost.exe
PID 744 wrote to memory of 1524	744	taskeng.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 1948	1524	svchost.exe	svchost.exe
PID 1524 wrote to memory of 316	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 316	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 316	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 316	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1212	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1212	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1212	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1212	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1444	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1444	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1444	1524	svchost.exe	cmd.exe
PID 1524 wrote to memory of 1444	1524	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1868	1212	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 1868	1212	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 1868	1212	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 1868	1212	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1608	744	taskeng.exe	svchost.exe
PID 744 wrote to memory of 1608	744	taskeng.exe	svchost.exe
PID 744 wrote to memory of 1608	744	taskeng.exe	svchost.exe
PID 744 wrote to memory of 1608	744	taskeng.exe	svchost.exe
PID 1608 wrote to memory of 1380	1608	svchost.exe	svchost.exe
PID 1608 wrote to memory of 1380	1608	svchost.exe	svchost.exe
PID 1608 wrote to memory of 1380	1608	svchost.exe	svchost.exe
PID 1608 wrote to memory of 1380	1608	svchost.exe	svchost.exe
PID 1608 wrote to memory of 1380	1608	svchost.exe	svchost.exe
PID 1608 wrote to memory of 1380	1608	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1220.exe
"C:\Users\Admin\AppData\Local\Temp\1220.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\1220.exe
"C:\Users\Admin\AppData\Local\Temp\1220.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:876

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1220.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:1496

C:\Windows\system32\taskeng.exe
taskeng.exe {3360BF40-7367-452E-8545-B11B8A441CA2} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
- Executes dropped EXE
PID:1380

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:916

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
287KB

MD5
c9ca161c6fe1c897fe79456bced7385a

SHA1
2ed335957b7ae95fcdb9b580b77069d02a7bdd55

SHA256
d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba

SHA512
9e03cf95d18e885bc49d3143e90a55a8547dae4f991d44103c35abb299a24b0c164409ab33069df94783f0bff769a19b58eb453231d3c53817840c44b424eaa2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
287KB

MD5
c9ca161c6fe1c897fe79456bced7385a

SHA1
2ed335957b7ae95fcdb9b580b77069d02a7bdd55

SHA256
d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba

SHA512
9e03cf95d18e885bc49d3143e90a55a8547dae4f991d44103c35abb299a24b0c164409ab33069df94783f0bff769a19b58eb453231d3c53817840c44b424eaa2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
287KB

MD5
c9ca161c6fe1c897fe79456bced7385a

SHA1
2ed335957b7ae95fcdb9b580b77069d02a7bdd55

SHA256
d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba

SHA512
9e03cf95d18e885bc49d3143e90a55a8547dae4f991d44103c35abb299a24b0c164409ab33069df94783f0bff769a19b58eb453231d3c53817840c44b424eaa2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
287KB

MD5
c9ca161c6fe1c897fe79456bced7385a

SHA1
2ed335957b7ae95fcdb9b580b77069d02a7bdd55

SHA256
d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba

SHA512
9e03cf95d18e885bc49d3143e90a55a8547dae4f991d44103c35abb299a24b0c164409ab33069df94783f0bff769a19b58eb453231d3c53817840c44b424eaa2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
287KB

MD5
c9ca161c6fe1c897fe79456bced7385a

SHA1
2ed335957b7ae95fcdb9b580b77069d02a7bdd55

SHA256
d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba

SHA512
9e03cf95d18e885bc49d3143e90a55a8547dae4f991d44103c35abb299a24b0c164409ab33069df94783f0bff769a19b58eb453231d3c53817840c44b424eaa2

Download Submit
memory/1076-68-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/1076-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1076-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1076-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1076-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1076-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1076-69-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/1076-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1076-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1076-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1380-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1448-54-0x0000000000AD0000-0x0000000000B1C000-memory.dmp

Filesize
304KB

Download
memory/1448-55-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/1524-73-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/1524-72-0x0000000000E40000-0x0000000000E8C000-memory.dmp

Filesize
304KB

Download
memory/1608-86-0x0000000001010000-0x000000000105C000-memory.dmp

Filesize
304KB

Download
memory/1608-87-0x0000000000E60000-0x0000000000EA0000-memory.dmp

Filesize
256KB

Download
memory/1948-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads