xworm | 2dcc9c629488710a424dba2eefcfbecbf1edcc092a8387be7929db59f9692e71

General

Target

PrivateChat V2.0.exe
Size

87KB
MD5

4e0daa19b125c8e2703e9de440b1340b
SHA1

8dd7592a40384093ab296ea4a0ae14102441b884
SHA256

2dcc9c629488710a424dba2eefcfbecbf1edcc092a8387be7929db59f9692e71
SHA512

8bf90f3d89e0592b5e5f1f6b1d5a362b1db84612eb8f737bec7e17c25e8e9748dd0293e40addea8f77c4f49e7e3a1e345ff78e1ee150dc29bfb643bbdb78e040
SSDEEP

1536:SPvg251EzYY2MkcqhQP6xY9G+beYZFy+U0/A1OG36zvO5d2LueRISbfX:SPvg2szr5kcqhgx8+be+yTL+OjOusr

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

employees-resolution.gl.at.ply.gg:35582

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2032-0-0x00000000009C0000-0x00000000009DC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1164	powershell.exe
2484	powershell.exe
2032	PrivateChat V2.0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	PrivateChat V2.0.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2032	PrivateChat V2.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	PrivateChat V2.0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1164	2032	PrivateChat V2.0.exe	28
PID 2032 wrote to memory of 1164	2032	PrivateChat V2.0.exe	28
PID 2032 wrote to memory of 1164	2032	PrivateChat V2.0.exe	28
PID 2032 wrote to memory of 2484	2032	PrivateChat V2.0.exe	30
PID 2032 wrote to memory of 2484	2032	PrivateChat V2.0.exe	30
PID 2032 wrote to memory of 2484	2032	PrivateChat V2.0.exe	30

C:\Users\Admin\AppData\Local\Temp\PrivateChat V2.0.exe
"C:\Users\Admin\AppData\Local\Temp\PrivateChat V2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrivateChat V2.0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PrivateChat V2.0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
43641e3fcc39a777f8784f801e04d154

SHA1
7116bbeef380b61b8941e55e11dd5bc989b09d46

SHA256
cf06bd819cc342017e609ce2adc9b6a08729c5ad86c8176b17308a88eadab662

SHA512
a4e11183c4b1a2cf06434208a6181e57eb82c98f451404a0f5aae9b1b0ec5a3898cbb3d3ea071ca9965abbc4f5ae9b00fda6dadefaec712249f890e148b590fd

Download Submit
memory/1164-14-0x000007FEF21F0000-0x000007FEF2B8D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-7-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1164-13-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1164-8-0x000007FEF21F0000-0x000007FEF2B8D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-9-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1164-10-0x000007FEF21F0000-0x000007FEF2B8D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-11-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1164-12-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1164-6-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2032-0-0x00000000009C0000-0x00000000009DC000-memory.dmp

Filesize
112KB

Download
memory/2032-30-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2032-1-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-29-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-28-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2484-22-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2484-21-0x000007FEEF420000-0x000007FEEFDBD000-memory.dmp

Filesize
9.6MB

Download
memory/2484-27-0x000007FEEF420000-0x000007FEEFDBD000-memory.dmp

Filesize
9.6MB

Download
memory/2484-26-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2484-25-0x000007FEEF420000-0x000007FEEFDBD000-memory.dmp

Filesize
9.6MB

Download
memory/2484-24-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2484-20-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2484-23-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing