xworm | 3083471838ca2c7f5c63ffde807c0cf2be168ec3c41c13eb80c49224bf7473c6

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ëè÷íûé.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Modifies Installed Components in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Sets file execution options in registry 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	Ëè÷íûé.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ëè÷íûé.exe"	Ëè÷íûé.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Ëè÷íûé.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ëè÷íûé.exe"	Ëè÷íûé.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xw.lnk	xw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xw.lnk	xw.exe

Executes dropped EXE 4 IoCs

pid	Process
4156	Ëè÷íûé.exe
1404	xw.exe
3700	Ëè÷íûé.exe
4084	xw.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral31/files/0x0008000000023208-4.dat	upx
behavioral31/files/0x0008000000023208-7.dat	upx
behavioral31/files/0x0008000000023208-8.dat	upx
behavioral31/memory/4156-11-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/files/0x0008000000023208-24.dat	upx
behavioral31/memory/3700-25-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/3700-29-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/4156-46-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/4156-56-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/4156-80-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/4156-104-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/4156-125-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral31/memory/4156-148-0x0000000000400000-0x0000000000553000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Qwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ëè÷íûé.exe"	Ëè÷íûé.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xw = "C:\\Users\\Admin\\AppData\\Roaming\\xw.exe"	xw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1316	schtasks.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{ACA9FD39-9D20-4538-A14A-B35CF18F90FD}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe
4156	Ëè÷íûé.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	xw.exe
Token: SeShutdownPrivilege	4148	explorer.exe
Token: SeCreatePagefilePrivilege	4148	explorer.exe
Token: SeShutdownPrivilege	4148	explorer.exe
Token: SeCreatePagefilePrivilege	4148	explorer.exe
Token: SeShutdownPrivilege	4148	explorer.exe
Token: SeCreatePagefilePrivilege	4148	explorer.exe
Token: SeShutdownPrivilege	4148	explorer.exe
Token: SeCreatePagefilePrivilege	4148	explorer.exe
Token: SeDebugPrivilege	1404	xw.exe
Token: SeDebugPrivilege	4084	xw.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 4156	3616	build.exe	82
PID 3616 wrote to memory of 4156	3616	build.exe	82
PID 3616 wrote to memory of 4156	3616	build.exe	82
PID 3616 wrote to memory of 1404	3616	build.exe	83
PID 3616 wrote to memory of 1404	3616	build.exe	83
PID 1404 wrote to memory of 1316	1404	xw.exe	91
PID 1404 wrote to memory of 1316	1404	xw.exe	91

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Ëè÷íûé.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ëè÷íûé.exe

C:\Users\Admin\AppData\Local\Temp\xw\build.exe
"C:\Users\Admin\AppData\Local\Temp\xw\build.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Local\Temp\Ëè÷íûé.exe
  "C:\Users\Admin\AppData\Local\Temp\Ëè÷íûé.exe"
  2⤵
  - UAC bypass
  - Sets file execution options in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\xw.exe
  "C:\Users\Admin\AppData\Local\Temp\xw.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xw" /tr "C:\Users\Admin\AppData\Roaming\xw.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4148

C:\Users\Admin\AppData\Local\Temp\Ëè÷íûé.exe
C:\Users\Admin\AppData\Local\Temp\Ëè÷íûé.exe explorer.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Roaming\xw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry