xworm | ee7dd18f59e73fc4569a7a2564d52d6ee55b19757f89f57b17e35f32eb88327b

General

Target

tmp.exe
Size

95KB
MD5

c83359f746eb240727873f83f3881db0
SHA1

d2bf8a67d2a29e8a48ad685e3e586fde9a7e48a6
SHA256

ee7dd18f59e73fc4569a7a2564d52d6ee55b19757f89f57b17e35f32eb88327b
SHA512

00c30f2c9e38b7b09be0e7729d70803c7ab7d3b9e6b29592119050319b176ba0ca6b79c513c3afce1de025a968c5e278468eda9ccdbe2a9415635a68e715b05a
SSDEEP

1536:n1C8TP7w1ZJFfw9VGzlxjrR751lNz0UCdkV/L7e:1CaP7wHnfw9QxlN5T6

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

needforrat.hopto.org:7000

Mutex

4DmqnprMzJEWl3vs

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/memory/4400-0-0x00000000008B0000-0x00000000008CE000-memory.dmp	family_xworm
behavioral2/files/0x000200000001e746-8.dat	family_xworm
behavioral2/files/0x000200000001e746-9.dat	family_xworm
behavioral2/files/0x000200000001e746-13.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	tmp.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe	tmp.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	tmp.exe
440	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp = "C:\\Users\\Admin\\AppData\\Roaming\\tmp.exe"	tmp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
772	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	tmp.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 772	4400	tmp.exe	87
PID 4400 wrote to memory of 772	4400	tmp.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "tmp" /tr "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Creates scheduled task(s)
  PID:772

C:\Users\Admin\AppData\Roaming\tmp.exe
C:\Users\Admin\AppData\Roaming\tmp.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Roaming\tmp.exe
C:\Users\Admin\AppData\Roaming\tmp.exe
1⤵
- Executes dropped EXE
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp.exe.log

Filesize
1KB

MD5
a8a147915e3a996fdbe10b3a3f1e1bb2

SHA1
abc564c1be468d57e700913e7b6cf8f62d421263

SHA256
8b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e

SHA512
17b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
95KB

MD5
c83359f746eb240727873f83f3881db0

SHA1
d2bf8a67d2a29e8a48ad685e3e586fde9a7e48a6

SHA256
ee7dd18f59e73fc4569a7a2564d52d6ee55b19757f89f57b17e35f32eb88327b

SHA512
00c30f2c9e38b7b09be0e7729d70803c7ab7d3b9e6b29592119050319b176ba0ca6b79c513c3afce1de025a968c5e278468eda9ccdbe2a9415635a68e715b05a

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
95KB

MD5
c83359f746eb240727873f83f3881db0

SHA1
d2bf8a67d2a29e8a48ad685e3e586fde9a7e48a6

SHA256
ee7dd18f59e73fc4569a7a2564d52d6ee55b19757f89f57b17e35f32eb88327b

SHA512
00c30f2c9e38b7b09be0e7729d70803c7ab7d3b9e6b29592119050319b176ba0ca6b79c513c3afce1de025a968c5e278468eda9ccdbe2a9415635a68e715b05a

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
95KB

MD5
c83359f746eb240727873f83f3881db0

SHA1
d2bf8a67d2a29e8a48ad685e3e586fde9a7e48a6

SHA256
ee7dd18f59e73fc4569a7a2564d52d6ee55b19757f89f57b17e35f32eb88327b

SHA512
00c30f2c9e38b7b09be0e7729d70803c7ab7d3b9e6b29592119050319b176ba0ca6b79c513c3afce1de025a968c5e278468eda9ccdbe2a9415635a68e715b05a

Download Submit
memory/440-15-0x00007FFF6D330000-0x00007FFF6DDF1000-memory.dmp

Filesize
10.8MB

Download
memory/440-16-0x00007FFF6D330000-0x00007FFF6DDF1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-10-0x00007FFF6D330000-0x00007FFF6DDF1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-12-0x00007FFF6D330000-0x00007FFF6DDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-7-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/4400-6-0x00007FFF6D330000-0x00007FFF6DDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-0-0x00000000008B0000-0x00000000008CE000-memory.dmp

Filesize
120KB

Download
memory/4400-2-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/4400-1-0x00007FFF6D330000-0x00007FFF6DDF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads