xworm | bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5

General

Target

ArchevodXWormexe.exe
Size

1.1MB
MD5

87243804ebf481b95392b3ec64774297
SHA1

ff945fbb4577b5b8939d6f80367c5e4b6cdef99b
SHA256

bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5
SHA512

4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5
SSDEEP

24576:e8JiMsfQ2FsbQM9ULXwbZnr9UbjAyFEHn7h98ll2cXVuF0wG1oVNMzV:emTRMM9WXwlr9TyyHnE/2cXVborMx

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

topics-junior.at.ply.gg:45283

Attributes

install_file
explorer.exe

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArchevodXWormexe.lnk	ArchevodXWormexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArchevodXWormexe.lnk	ArchevodXWormexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1656	ArchevodXWormexe.exe
1828	ArchevodXWormexe.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	ArchevodXWormexe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\ArchevodXWormexe = "C:\\Users\\Admin\\AppData\\Roaming\\ArchevodXWormexe.exe"	ArchevodXWormexe.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
1656	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
1828	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2040	ArchevodXWormexe.exe
2012	powershell.exe
1944	powershell.exe
928	powershell.exe
2040	ArchevodXWormexe.exe
1656	ArchevodXWormexe.exe
1828	ArchevodXWormexe.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	ArchevodXWormexe.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2040	ArchevodXWormexe.exe
Token: SeDebugPrivilege	1656	ArchevodXWormexe.exe
Token: SeDebugPrivilege	1828	ArchevodXWormexe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2040	ArchevodXWormexe.exe
2040	ArchevodXWormexe.exe
1656	ArchevodXWormexe.exe
1828	ArchevodXWormexe.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2012	2040	ArchevodXWormexe.exe	29
PID 2040 wrote to memory of 2012	2040	ArchevodXWormexe.exe	29
PID 2040 wrote to memory of 2012	2040	ArchevodXWormexe.exe	29
PID 2040 wrote to memory of 2012	2040	ArchevodXWormexe.exe	29
PID 2040 wrote to memory of 1944	2040	ArchevodXWormexe.exe	31
PID 2040 wrote to memory of 1944	2040	ArchevodXWormexe.exe	31
PID 2040 wrote to memory of 1944	2040	ArchevodXWormexe.exe	31
PID 2040 wrote to memory of 1944	2040	ArchevodXWormexe.exe	31
PID 2040 wrote to memory of 928	2040	ArchevodXWormexe.exe	33
PID 2040 wrote to memory of 928	2040	ArchevodXWormexe.exe	33
PID 2040 wrote to memory of 928	2040	ArchevodXWormexe.exe	33
PID 2040 wrote to memory of 928	2040	ArchevodXWormexe.exe	33
PID 2040 wrote to memory of 1788	2040	ArchevodXWormexe.exe	35
PID 2040 wrote to memory of 1788	2040	ArchevodXWormexe.exe	35
PID 2040 wrote to memory of 1788	2040	ArchevodXWormexe.exe	35
PID 2040 wrote to memory of 1788	2040	ArchevodXWormexe.exe	35
PID 1992 wrote to memory of 1656	1992	taskeng.exe	38
PID 1992 wrote to memory of 1656	1992	taskeng.exe	38
PID 1992 wrote to memory of 1656	1992	taskeng.exe	38
PID 1992 wrote to memory of 1656	1992	taskeng.exe	38
PID 1992 wrote to memory of 1828	1992	taskeng.exe	39
PID 1992 wrote to memory of 1828	1992	taskeng.exe	39
PID 1992 wrote to memory of 1828	1992	taskeng.exe	39
PID 1992 wrote to memory of 1828	1992	taskeng.exe	39

C:\Users\Admin\AppData\Local\Temp\ArchevodXWormexe.exe
"C:\Users\Admin\AppData\Local\Temp\ArchevodXWormexe.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ArchevodXWormexe.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ArchevodXWormexe.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ArchevodXWormexe" /tr "C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {7DA84736-64C7-4A9C-ABED-DA9A20FFF9D8} S-1-5-21-1437583205-2177757337-340526699-1000:XVLNHWCX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe
  C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe
  C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe

Filesize
1.1MB

MD5
87243804ebf481b95392b3ec64774297

SHA1
ff945fbb4577b5b8939d6f80367c5e4b6cdef99b

SHA256
bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5

SHA512
4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5

Download Submit
C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe

Filesize
1.1MB

MD5
87243804ebf481b95392b3ec64774297

SHA1
ff945fbb4577b5b8939d6f80367c5e4b6cdef99b

SHA256
bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5

SHA512
4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5

Download Submit
C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe

Filesize
1.1MB

MD5
87243804ebf481b95392b3ec64774297

SHA1
ff945fbb4577b5b8939d6f80367c5e4b6cdef99b

SHA256
bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5

SHA512
4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5

Download Submit
C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe

Filesize
1.1MB

MD5
87243804ebf481b95392b3ec64774297

SHA1
ff945fbb4577b5b8939d6f80367c5e4b6cdef99b

SHA256
bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5

SHA512
4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\124WASJSHLVU29FMVGG0.temp

Filesize
7KB

MD5
e970f5c6533b17e57faa0213b7dcae03

SHA1
22868017b94eaa0378f05d40e0449b8eaa2c9787

SHA256
7e1e2954ef5e8d022a3262c187603adfe88490df189903197de9472cc51ed07d

SHA512
56f69563e19bfe997923626eda6ca7ce2cdac113e590a371b8ef454b61d55089e3116ec4beb6d7fb4e0250d4a9f7fc62ea3a69041ae3a4a3139c891223bdee2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e970f5c6533b17e57faa0213b7dcae03

SHA1
22868017b94eaa0378f05d40e0449b8eaa2c9787

SHA256
7e1e2954ef5e8d022a3262c187603adfe88490df189903197de9472cc51ed07d

SHA512
56f69563e19bfe997923626eda6ca7ce2cdac113e590a371b8ef454b61d55089e3116ec4beb6d7fb4e0250d4a9f7fc62ea3a69041ae3a4a3139c891223bdee2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e970f5c6533b17e57faa0213b7dcae03

SHA1
22868017b94eaa0378f05d40e0449b8eaa2c9787

SHA256
7e1e2954ef5e8d022a3262c187603adfe88490df189903197de9472cc51ed07d

SHA512
56f69563e19bfe997923626eda6ca7ce2cdac113e590a371b8ef454b61d55089e3116ec4beb6d7fb4e0250d4a9f7fc62ea3a69041ae3a4a3139c891223bdee2d

Download Submit
\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe

Filesize
1.1MB

MD5
87243804ebf481b95392b3ec64774297

SHA1
ff945fbb4577b5b8939d6f80367c5e4b6cdef99b

SHA256
bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5

SHA512
4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5

Download Submit
memory/928-72-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/928-73-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1656-95-0x0000000000170000-0x00000000004E8000-memory.dmp

Filesize
3.5MB

Download
memory/1656-94-0x0000000000170000-0x00000000004E8000-memory.dmp

Filesize
3.5MB

Download
memory/1656-97-0x0000000000170000-0x00000000004E8000-memory.dmp

Filesize
3.5MB

Download
memory/1828-106-0x0000000000C00000-0x0000000000F78000-memory.dmp

Filesize
3.5MB

Download
memory/1828-105-0x0000000000C00000-0x0000000000F78000-memory.dmp

Filesize
3.5MB

Download
memory/1828-108-0x0000000000C00000-0x0000000000F78000-memory.dmp

Filesize
3.5MB

Download
memory/1944-65-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download
memory/2012-59-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2040-84-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2040-85-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2040-87-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2040-54-0x0000000000DA0000-0x0000000001118000-memory.dmp

Filesize
3.5MB

Download
memory/2040-55-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads