xworm | e46d80f1b4a81c1aaafdda010b0db0eca9c0957a1a3990671d583247d33371ff

General

Target

fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
Size

34KB
MD5

b1277c96cd2cabd50382318e95179713
SHA1

5da077cec493cfee0d9ec1905d9882efa8a8d284
SHA256

fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11
SHA512

4d28ed36ce3d3bbc6d96e4ed76e95604edd10a2eabf60001dcaf611269358e70bebe71a6d2ebfa2a747c3e2feac9e8f3c2f913b3fabdaab2b327c4f46bafd36e
SSDEEP

768:/pabA1ZUxNkLACVVickNVFy19JR6aO/hnt:fn2Nk8hcAF49JR6aO/v

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

dzn.ddns.net:5552

Mutex

mT1l25650AkcpwGy

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2100-0-0x0000000000E10000-0x0000000000E1E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.lnk	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.lnk	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe"	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3048 powershell.exe
2676 powershell.exe
2368 powershell.exe

pid	process
1940	schtasks.exe

pid	process
3048	powershell.exe
2676	powershell.exe
2368	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exepowershell.exepowershell.exepowershell.exefe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exefe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

description	pid	process
Token: SeDebugPrivilege	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
Token: SeDebugPrivilege	108	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
Token: SeDebugPrivilege	1184	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exetaskeng.exe

description	pid	process	target process
PID 2100 wrote to memory of 3048	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 3048	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 3048	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 2676	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 2676	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 2676	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 2368	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 2368	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 2368	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	powershell.exe
PID 2100 wrote to memory of 1940	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	schtasks.exe
PID 2100 wrote to memory of 1940	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	schtasks.exe
PID 2100 wrote to memory of 1940	2100	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe	schtasks.exe
PID 2760 wrote to memory of 108	2760	taskeng.exe	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
PID 2760 wrote to memory of 108	2760	taskeng.exe	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
PID 2760 wrote to memory of 108	2760	taskeng.exe	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
PID 2760 wrote to memory of 1184	2760	taskeng.exe	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
PID 2760 wrote to memory of 1184	2760	taskeng.exe	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
PID 2760 wrote to memory of 1184	2760	taskeng.exe	fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
"C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11" /tr "C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe"
2⤵
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {90D668F6-7868-4A2D-8DFA-E80BA9CF58CA} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
C:\Users\Admin\AppData\Local\Temp\fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0POL0RXC39L5XSB5VLSS.temp
Filesize
7KB

MD5
a460ab7f070f0c124d6e0477e05d0450

SHA1
85f5d3fb5f6f4b422d1ee5be7e6c126411e3a212

SHA256
c578de294fe5f74a3dfd9a6a80801b4d474cf57ea135e479b8f2f8decc220ac0

SHA512
2ca658cc92e94f21fce1cf90bb48156f751e84f3d2b1c90d173bf780fdd6a89e9a449487031f4fff9cb843318c4ca65819c9064eaa001b2ec448216453d1522d

Download Submit
memory/108-43-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/108-44-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1184-47-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1184-46-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-41-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2100-0-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/2100-42-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-1-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2368-39-0x000007FEEEBF0000-0x000007FEEF58D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-36-0x000007FEEEBF0000-0x000007FEEF58D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-37-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2368-38-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/2368-35-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2368-34-0x000007FEEEBF0000-0x000007FEEF58D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-23-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2676-24-0x000007FEEE250000-0x000007FEEEBED000-memory.dmp

Filesize
9.6MB

Download
memory/2676-25-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2676-27-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2676-26-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2676-28-0x000007FEEE250000-0x000007FEEEBED000-memory.dmp

Filesize
9.6MB

Download
memory/2676-21-0x000007FEEE250000-0x000007FEEEBED000-memory.dmp

Filesize
9.6MB

Download
memory/2676-22-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2676-20-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/3048-10-0x000007FEEEBF0000-0x000007FEEF58D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-11-0x0000000002EE4000-0x0000000002EE7000-memory.dmp

Filesize
12KB

Download
memory/3048-13-0x0000000002EE0000-0x0000000002F60000-memory.dmp

Filesize
512KB

Download
memory/3048-14-0x000007FEEEBF0000-0x000007FEEF58D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-12-0x0000000002EE0000-0x0000000002F60000-memory.dmp

Filesize
512KB

Download
memory/3048-9-0x0000000002EE0000-0x0000000002F60000-memory.dmp

Filesize
512KB

Download
memory/3048-8-0x000007FEEEBF0000-0x000007FEEF58D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-7-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/3048-6-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads