xworm | 250eda084776cd02c04ab1dfcffde5555218310351b9c88258f7236df10aeda0

General

Target

Loader1.exe
Size

119KB
MD5

991c63fffe62b6b237cad9203c5ef6eb
SHA1

36aa371799529fc70bbcc9a645eb15929fa06de2
SHA256

250eda084776cd02c04ab1dfcffde5555218310351b9c88258f7236df10aeda0
SHA512

b6b76ee6c21c35a4c1f10d33094e7340aef38646baaafcc86eb29385b29e89ebabf2626af3cd53ab115c4ce564c74052d4aa65d270e4a6e54e5e724646d8e432
SSDEEP

3072:VHlQLfyczsS2sJYnZwGrVYTGX8YhmMa0RYRitL:VHlcfTzD1OnOXGMJgRWi

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

expected-identifies.gl.at.ply.gg:28789

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe	family_xworm
behavioral1/memory/3012-14-0x0000000000850000-0x0000000000868000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

RunBeforeXLoader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RunBeforeXLoader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RunBeforeXLoader.exe

Executes dropped EXE 2 IoCs

Processes:

Loader.exeRunBeforeXLoader.exe

pid process

2380 Loader.exe
3012 RunBeforeXLoader.exe
Loads dropped DLL 1 IoCs

Processes:

Loader1.exe

pid process

2880 Loader1.exe

pid	process
2380	Loader.exe
3012	RunBeforeXLoader.exe

pid	process
2880	Loader1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RunBeforeXLoader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	RunBeforeXLoader.exe

Drops file in Windows directory 1 IoCs

Processes:

Loader1.exe

description ioc process

File created C:\Windows\Loader.exe Loader1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2408 2380 WerFault.exe Loader.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2696 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1668 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RunBeforeXLoader.exe

pid process

3012 RunBeforeXLoader.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RunBeforeXLoader.exe

description pid process

Token: SeDebugPrivilege 3012 RunBeforeXLoader.exe
Token: SeDebugPrivilege 3012 RunBeforeXLoader.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RunBeforeXLoader.exe

pid process

3012 RunBeforeXLoader.exe

description	ioc	process
File created	C:\Windows\Loader.exe	Loader1.exe

pid	pid_target	process	target process
2408	2380	WerFault.exe	Loader.exe

pid	process
2696	schtasks.exe

pid	process
1668	timeout.exe

pid	process
3012	RunBeforeXLoader.exe

description	pid	process
Token: SeDebugPrivilege	3012	RunBeforeXLoader.exe
Token: SeDebugPrivilege	3012	RunBeforeXLoader.exe

pid	process
3012	RunBeforeXLoader.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Loader1.exeLoader.exeRunBeforeXLoader.execmd.exe

description	pid	process	target process
PID 2880 wrote to memory of 2380	2880	Loader1.exe	Loader.exe
PID 2880 wrote to memory of 2380	2880	Loader1.exe	Loader.exe
PID 2880 wrote to memory of 2380	2880	Loader1.exe	Loader.exe
PID 2880 wrote to memory of 2380	2880	Loader1.exe	Loader.exe
PID 2880 wrote to memory of 3012	2880	Loader1.exe	RunBeforeXLoader.exe
PID 2880 wrote to memory of 3012	2880	Loader1.exe	RunBeforeXLoader.exe
PID 2880 wrote to memory of 3012	2880	Loader1.exe	RunBeforeXLoader.exe
PID 2880 wrote to memory of 3012	2880	Loader1.exe	RunBeforeXLoader.exe
PID 2380 wrote to memory of 2408	2380	Loader.exe	WerFault.exe
PID 2380 wrote to memory of 2408	2380	Loader.exe	WerFault.exe
PID 2380 wrote to memory of 2408	2380	Loader.exe	WerFault.exe
PID 2380 wrote to memory of 2408	2380	Loader.exe	WerFault.exe
PID 3012 wrote to memory of 2696	3012	RunBeforeXLoader.exe	schtasks.exe
PID 3012 wrote to memory of 2696	3012	RunBeforeXLoader.exe	schtasks.exe
PID 3012 wrote to memory of 2696	3012	RunBeforeXLoader.exe	schtasks.exe
PID 3012 wrote to memory of 1188	3012	RunBeforeXLoader.exe	schtasks.exe
PID 3012 wrote to memory of 1188	3012	RunBeforeXLoader.exe	schtasks.exe
PID 3012 wrote to memory of 1188	3012	RunBeforeXLoader.exe	schtasks.exe
PID 3012 wrote to memory of 1844	3012	RunBeforeXLoader.exe	cmd.exe
PID 3012 wrote to memory of 1844	3012	RunBeforeXLoader.exe	cmd.exe
PID 3012 wrote to memory of 1844	3012	RunBeforeXLoader.exe	cmd.exe
PID 1844 wrote to memory of 1668	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 1668	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 1668	1844	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader1.exe
"C:\Users\Admin\AppData\Local\Temp\Loader1.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\Loader.exe
"C:\Windows\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 624
3⤵
- Program crash
PID:2408

C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe
"C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
3⤵
PID:1188

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp732D.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp732D.tmp.bat

Filesize
168B

MD5
4d0fcd05edbbba8dafe8fde8e69526c4

SHA1
af20baab9909fe36ce3a3ba9dd047f04c690e7ff

SHA256
5ee666188cd27732c10084e2a032a0a3c3f550276ea5dbfbe3dfc3f19346a4ab

SHA512
955f618f9670186a22feafa0288e05377ba893ca8587cad93de21b622040a7937cebba6475cfdcf92cd39e03e0bbf4d9f4f7520bbffda4d7e3bc324977b27d12

Download Submit
C:\Windows\Loader.exe

Filesize
40KB

MD5
625a931cad6e8da72f1bbf3c37d65aa0

SHA1
2d54ebbe1691eeb0b097d0d0b0c5b071e30158c9

SHA256
c3cca8cdf2c5039022983f9f578f5474766c682caa3ecc3bb853269136e7e41d

SHA512
a961cb80b72908f7dd7e5897102bae75e2326b39b2eef68f1c3c8dcfea16ff666acd082a5e7114909da87b5f45369c920eaf0e47b1a3259b38aa303ab41d340b

Download Submit
\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe

Filesize
73KB

MD5
312382a33d486601306789a01d0003d4

SHA1
feaafd132fbc62a481c20c29831f5184821cf23d

SHA256
c62a66fef3933991b01074a3ce881ff87ac605eed8d4b34fa0c98ac5f987d136

SHA512
58092c4affe2ebb0e47c5fe0a51fc41cf2652b7f29fa1fe5c9cbbe19b427dda85e6b8d4ddec69f543e0a3cfb3cae19820a04d9c789ef56c9e9253bd3584db59c

Download Submit
memory/2380-16-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2380-13-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-23-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-25-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2380-12-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3012-14-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/3012-15-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-21-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/3012-22-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

Filesize
48KB

Download
memory/3012-24-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-37-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads