xworm | 0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850

General

Target

my men.exe
Size

679KB
MD5

98a2d7aee74efe11a83e1514199a1346
SHA1

758365522b6a9eebe7ec5a10f4f260d3ffcd285a
SHA256

0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850
SHA512

3f0c83af88c1f2b067ad56d458719cc1641a6aa672eea68adb0adc6dd25f7306dc9b8e018021828f61d514d74437683671e23e9eb731d865007335ec403722b5
SSDEEP

3072:gti/b34bfUYCZS6jBPbZ8L2SdoYBUBk1pfApjgrD1xJiS+F4Hsi2I/7X88eXrspS:P3ZS6jBPl8LDdSqIw

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:36301

character-acquisitions.gl.at.ply.gg:36301

Attributes

Install_directory
%ProgramData%
install_file
Hoodbyunlock.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000029e10-4022.dat	family_xworm
behavioral1/memory/792-4023-0x0000000000990000-0x00000000009CA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk	x.exe

Executes dropped EXE 1 IoCs

pid	Process
792	x.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
792	x.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	x.exe
Token: SeDebugPrivilege	792	x.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3544	4856	my men.exe	80
PID 4856 wrote to memory of 3544	4856	my men.exe	80
PID 3544 wrote to memory of 1816	3544	cmd.exe	83
PID 3544 wrote to memory of 1816	3544	cmd.exe	83
PID 3544 wrote to memory of 1152	3544	cmd.exe	84
PID 3544 wrote to memory of 1152	3544	cmd.exe	84
PID 3544 wrote to memory of 792	3544	cmd.exe	85
PID 3544 wrote to memory of 792	3544	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\my men.exe
"C:\Users\Admin\AppData\Local\Temp\my men.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Psb8xgEG.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\system32\findstr.exe
    findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Psb8xgEG.bat"
    3⤵
    PID:1816
- - C:\Windows\system32\cscript.exe
    cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
    3⤵
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\x.exe
    C:\Users\Admin\AppData\Local\Temp\x.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Psb8xgEG.bat

Filesize
337KB

MD5
ccaea73653a34af5dd4fe25c5c1832bc

SHA1
bcb90167312bc189aedbad3efe09579b0f5204a1

SHA256
62a64c90fc235fae4bb96ff0ce6e4a890a1f6bafee5edcabbad4e1f1ab587c8e

SHA512
229f43e706926b182d8f7ed2469d30d6d024b749516cef67c79f4f30b54e04bc8dd3ab410389397246f0b031cd3af06f8dd5b667ca77931736cf6da8b4e7d8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
281KB

MD5
ed0b1bbbac5f893507ba6fa5b311963d

SHA1
bb799a70e283928fdd899e8a073275d27df2c170

SHA256
779495879b280381bd2e521fa221ec114ff1561cdf177a36984b9cdc3a54c68f

SHA512
13e509e675835b13b944106acdce60e6448ae7b25ff9ff63d9d54bba70e964c13100fd213fcb00b45b7fbf58a2c7a9f40a0157e3833cd6ed2787b5c97eb4e465

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
17KB

MD5
1de810c272fb75775029a9fe482b527c

SHA1
b3c829a7baf9b5c5bf28260f8b82eefaffaa573e

SHA256
d266d7b93dc90266b9b71f3bdb57fd750d48513644766a0aaf3e763f0ec223cd

SHA512
6f90002cb93c5cd8f4e8f522e1c6bb4b75727e09afa737a720129a795fff48c8691e32899f2c87770615400890ce3e5c45c9c1690ae90e9b740e78f1c835aa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
205KB

MD5
74d8f5a1e068a454ffaa5c8fd32a3e44

SHA1
46599d94edc83e67e6bde3579f61028e2bee7096

SHA256
59b203fcf387bfde09a17d954c9281f5743b0d0edb9c8d1fc481eb0165416fd0

SHA512
6d5e8aeb8a5139f31b0f8ed55655c0eb52b3e2589cf1e6ee3c13b06394ceba72da0dc5e01972386bd75b01d17c16e00d50fe2c1e3a2c4b2a5a6b70b0a753ec3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs

Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
memory/792-4023-0x0000000000990000-0x00000000009CA000-memory.dmp

Filesize
232KB

Download
memory/792-4025-0x00007FFE5F6E0000-0x00007FFE601A2000-memory.dmp

Filesize
10.8MB

Download
memory/792-4027-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/792-4032-0x00007FFE5F6E0000-0x00007FFE601A2000-memory.dmp

Filesize
10.8MB

Download
memory/792-4033-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/4856-3-0x00007FFE5F6E0000-0x00007FFE601A2000-memory.dmp

Filesize
10.8MB

Download
memory/4856-0-0x0000000000DA0000-0x0000000000E50000-memory.dmp

Filesize
704KB

Download
memory/4856-4026-0x00007FFE5F6E0000-0x00007FFE601A2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing