xworm | 8641f88b89c9076ece3ee571baa4b3c93ba3ac3883e90fe5f894dc41e3b7bdc7

General

Target

Ro-exec/loader-upd.exe
Size

70KB
MD5

573bd20fc8382d92a7ae9eae51e738e3
SHA1

55006093429df791f27e91a66e5ee63a81382b28
SHA256

09036ffa342f9e5bb1e31a867dcc3b60db011baba8c0d202aff1d33195cbe729
SHA512

d38736acff4128d6ce9ea17ee609ca33a37ac88f2c994cf4caf7f0eb62406a8963c33531b9f3cd020974d892c2751f3a4f67ce13ed6ba6080f97c406ccbb4aca
SSDEEP

1536:PmMfwrNATngx6fPLgD9vYebv2S5NiwWW6N9dOoihkAO:LCmn463UD6ebv242FzOoiSAO

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Public%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/UWpQULMP

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral7/memory/3592-0-0x00000000000D0000-0x00000000000E8000-memory.dmp	family_xworm
behavioral7/files/0x000700000002aa01-66.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
4272	svchost.exe
3948	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	loader-upd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4904	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3592	loader-upd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4104	powershell.exe
4104	powershell.exe
3828	powershell.exe
3828	powershell.exe
2148	powershell.exe
2148	powershell.exe
4684	powershell.exe
4684	powershell.exe
3592	loader-upd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	loader-upd.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	3592	loader-upd.exe
Token: SeDebugPrivilege	4272	svchost.exe
Token: SeDebugPrivilege	3948	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3592	loader-upd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4104	3592	loader-upd.exe	80
PID 3592 wrote to memory of 4104	3592	loader-upd.exe	80
PID 3592 wrote to memory of 3828	3592	loader-upd.exe	82
PID 3592 wrote to memory of 3828	3592	loader-upd.exe	82
PID 3592 wrote to memory of 2148	3592	loader-upd.exe	84
PID 3592 wrote to memory of 2148	3592	loader-upd.exe	84
PID 3592 wrote to memory of 4684	3592	loader-upd.exe	86
PID 3592 wrote to memory of 4684	3592	loader-upd.exe	86
PID 3592 wrote to memory of 4904	3592	loader-upd.exe	88
PID 3592 wrote to memory of 4904	3592	loader-upd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ro-exec\loader-upd.exe
"C:\Users\Admin\AppData\Local\Temp\Ro-exec\loader-upd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ro-exec\loader-upd.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loader-upd.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4904

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uf1yvyay.3as.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\svchost.exe

Filesize
70KB

MD5
573bd20fc8382d92a7ae9eae51e738e3

SHA1
55006093429df791f27e91a66e5ee63a81382b28

SHA256
09036ffa342f9e5bb1e31a867dcc3b60db011baba8c0d202aff1d33195cbe729

SHA512
d38736acff4128d6ce9ea17ee609ca33a37ac88f2c994cf4caf7f0eb62406a8963c33531b9f3cd020974d892c2751f3a4f67ce13ed6ba6080f97c406ccbb4aca

Download Submit
memory/2148-41-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/2148-43-0x000001C1B3D00000-0x000001C1B3D10000-memory.dmp

Filesize
64KB

Download
memory/2148-48-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/2148-46-0x000001C1B3D00000-0x000001C1B3D10000-memory.dmp

Filesize
64KB

Download
memory/2148-42-0x000001C1B3D00000-0x000001C1B3D10000-memory.dmp

Filesize
64KB

Download
memory/3592-65-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3592-1-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/3592-0-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/3592-45-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/3592-64-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3828-28-0x00000105BABD0000-0x00000105BABE0000-memory.dmp

Filesize
64KB

Download
memory/3828-32-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/3828-29-0x00000105BABD0000-0x00000105BABE0000-memory.dmp

Filesize
64KB

Download
memory/3828-27-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/3948-74-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/3948-73-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/4104-17-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/4104-14-0x0000021C6C8B0000-0x0000021C6C8C0000-memory.dmp

Filesize
64KB

Download
memory/4104-13-0x0000021C6C8B0000-0x0000021C6C8C0000-memory.dmp

Filesize
64KB

Download
memory/4104-12-0x0000021C6C8B0000-0x0000021C6C8C0000-memory.dmp

Filesize
64KB

Download
memory/4104-11-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/4104-10-0x0000021C54290000-0x0000021C542B2000-memory.dmp

Filesize
136KB

Download
memory/4272-68-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/4272-70-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/4684-60-0x0000027BF3F00000-0x0000027BF3F10000-memory.dmp

Filesize
64KB

Download
memory/4684-59-0x0000027BF3F00000-0x0000027BF3F10000-memory.dmp

Filesize
64KB

Download
memory/4684-62-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download
memory/4684-58-0x00007FF868A90000-0x00007FF869552000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads