xworm | 129577a032e9a1587de4d3b328653a486421f85db2c395d6f6804f4d07748102

General

Target

LOIC.exe
Size

209KB
MD5

7cb9f6a59e68b2ff13af6c629db1ab54
SHA1

727d438190baabbc3986d5721260a484f535d498
SHA256

129577a032e9a1587de4d3b328653a486421f85db2c395d6f6804f4d07748102
SHA512

2708ec99536157eba955d80b9c959442a1fc471a2937579dcb1c26fc2736f1eab168ee833c88677e022384fdd23ce4de08d41929089a7400548ca2cd90cb3928
SSDEEP

6144:5SsXvMGBQynRGt+oVRkgym5gWoIBaU0MAovCyJZG3g9m:5S60QhRtjgymqWjoT3j

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

ftap-29332.portmap.host:29332

Attributes

install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1952-107-0x000000001ACF0000-0x000000001ACFC000-memory.dmp	disable_win_def

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
1152	LOICCONFIG.exe
1952	xw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\xw = "C:\\Users\\Public\\xw.exe"	LOIC.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1952	xw.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1240	LOIC.exe
1756	powershell.exe
952	powershell.exe
1776	powershell.exe
1952	xw.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	LOIC.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1952	xw.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1952	xw.exe
Token: SeShutdownPrivilege	1952	xw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1952	xw.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1152	1240	LOIC.exe	28
PID 1240 wrote to memory of 1152	1240	LOIC.exe	28
PID 1240 wrote to memory of 1152	1240	LOIC.exe	28
PID 1240 wrote to memory of 1152	1240	LOIC.exe	28
PID 1240 wrote to memory of 1756	1240	LOIC.exe	29
PID 1240 wrote to memory of 1756	1240	LOIC.exe	29
PID 1240 wrote to memory of 1756	1240	LOIC.exe	29
PID 1240 wrote to memory of 1952	1240	LOIC.exe	31
PID 1240 wrote to memory of 1952	1240	LOIC.exe	31
PID 1240 wrote to memory of 1952	1240	LOIC.exe	31
PID 1952 wrote to memory of 952	1952	xw.exe	32
PID 1952 wrote to memory of 952	1952	xw.exe	32
PID 1952 wrote to memory of 952	1952	xw.exe	32
PID 1952 wrote to memory of 1776	1952	xw.exe	34
PID 1952 wrote to memory of 1776	1952	xw.exe	34
PID 1952 wrote to memory of 1776	1952	xw.exe	34

C:\Users\Admin\AppData\Local\Temp\LOIC.exe
"C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\LOICCONFIG.exe
  "C:\Users\Admin\AppData\Local\Temp\LOICCONFIG.exe"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\xw.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Users\Public\xw.exe
  "C:\Users\Public\xw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\xw.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xw.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOICCONFIG.exe

Filesize
263KB

MD5
8ffce13e81f70d522d8f7174b603c878

SHA1
5c94c5908d3ac5ce07f2e684a0d503673e01f2e3

SHA256
05ee881ff93cbaf6d0f276bfb1018c1291fc47832c2b46a756980eb67477ffb2

SHA512
1fcb89546387b232dfe7b9c84af180688ec1ade341a3a6c9f9f05f5676b44eec986d9606b597d1f23f8e0ea675d3429c9905e2d5470dcc1bc9ffe50e39a0f524

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOICCONFIG.exe

Filesize
263KB

MD5
8ffce13e81f70d522d8f7174b603c878

SHA1
5c94c5908d3ac5ce07f2e684a0d503673e01f2e3

SHA256
05ee881ff93cbaf6d0f276bfb1018c1291fc47832c2b46a756980eb67477ffb2

SHA512
1fcb89546387b232dfe7b9c84af180688ec1ade341a3a6c9f9f05f5676b44eec986d9606b597d1f23f8e0ea675d3429c9905e2d5470dcc1bc9ffe50e39a0f524

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOICCONFIG.exe

Filesize
263KB

MD5
8ffce13e81f70d522d8f7174b603c878

SHA1
5c94c5908d3ac5ce07f2e684a0d503673e01f2e3

SHA256
05ee881ff93cbaf6d0f276bfb1018c1291fc47832c2b46a756980eb67477ffb2

SHA512
1fcb89546387b232dfe7b9c84af180688ec1ade341a3a6c9f9f05f5676b44eec986d9606b597d1f23f8e0ea675d3429c9905e2d5470dcc1bc9ffe50e39a0f524

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1D95MH2UHRNL6M6RL9KX.temp

Filesize
7KB

MD5
1d4a59302e94ebcc26c208fb7161a199

SHA1
ddd570bddc09bbf306e37e803aef81eacc366432

SHA256
913e64ede1d3af1b562e034015e4a60a9795af2842d7734d2615a997dda5ffa4

SHA512
7e4413596fca9d6e49e9038c158fdfc17fff7c130544c7e397ca737c0323e3eb5d2e6d41d25e02ffaa73024b8e52f198aae0cba79d5224ad48ba0f7c7f3ef6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d4a59302e94ebcc26c208fb7161a199

SHA1
ddd570bddc09bbf306e37e803aef81eacc366432

SHA256
913e64ede1d3af1b562e034015e4a60a9795af2842d7734d2615a997dda5ffa4

SHA512
7e4413596fca9d6e49e9038c158fdfc17fff7c130544c7e397ca737c0323e3eb5d2e6d41d25e02ffaa73024b8e52f198aae0cba79d5224ad48ba0f7c7f3ef6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d4a59302e94ebcc26c208fb7161a199

SHA1
ddd570bddc09bbf306e37e803aef81eacc366432

SHA256
913e64ede1d3af1b562e034015e4a60a9795af2842d7734d2615a997dda5ffa4

SHA512
7e4413596fca9d6e49e9038c158fdfc17fff7c130544c7e397ca737c0323e3eb5d2e6d41d25e02ffaa73024b8e52f198aae0cba79d5224ad48ba0f7c7f3ef6a6

Download Submit
C:\Users\Public\xw.exe

Filesize
77KB

MD5
cf9bb6bcb4e51296329600f209a65ee0

SHA1
a3158e2ffc0f6dc6bc9d73db70ca1545444f9c56

SHA256
b50f8c77e619bd96d9b7759790c1efddcab22d0ce0490cb0fd393936ea7ae1cd

SHA512
3b3994ba2a609751658b1dfb29a542f74d5904e0507d3e13859a3dd82195a9640d16fc527f68a2e609bf368582a59bfe67ca850a0e5cfd1c58d7ee7a993f3bc6

Download Submit
C:\Users\Public\xw.exe

Filesize
77KB

MD5
cf9bb6bcb4e51296329600f209a65ee0

SHA1
a3158e2ffc0f6dc6bc9d73db70ca1545444f9c56

SHA256
b50f8c77e619bd96d9b7759790c1efddcab22d0ce0490cb0fd393936ea7ae1cd

SHA512
3b3994ba2a609751658b1dfb29a542f74d5904e0507d3e13859a3dd82195a9640d16fc527f68a2e609bf368582a59bfe67ca850a0e5cfd1c58d7ee7a993f3bc6

Download Submit
memory/952-90-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/952-87-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/952-88-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/952-89-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/952-91-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/1152-69-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1152-103-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1152-105-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1152-80-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1240-54-0x0000000000B20000-0x0000000000B5A000-memory.dmp

Filesize
232KB

Download
memory/1240-55-0x000000001B8C0000-0x000000001B940000-memory.dmp

Filesize
512KB

Download
memory/1756-104-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1756-71-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1756-72-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1756-70-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1756-68-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1756-67-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/1776-97-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1776-99-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1776-101-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1776-100-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1776-102-0x000000000243B000-0x0000000002472000-memory.dmp

Filesize
220KB

Download
memory/1776-98-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1952-79-0x0000000000FA0000-0x0000000000FBA000-memory.dmp

Filesize
104KB

Download
memory/1952-81-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1952-106-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1952-107-0x000000001ACF0000-0x000000001ACFC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing