xworm | 73c98ac5911fd4f4ab09fc5361c34292a69ea3f528cc5b26f620efe4bbf3ddd2

General

Target

RECODE 1.4.exe
Size

326KB
MD5

fb2bf1f855b1aaff5d2d75b6ff48ec89
SHA1

318f3ad4db3aef7e617f1e262b3669214ae7fb3b
SHA256

73c98ac5911fd4f4ab09fc5361c34292a69ea3f528cc5b26f620efe4bbf3ddd2
SHA512

c1b9dc09ff20cf6fd3268c6764157e55daf49e4fe6dccff19fbfbe1d8f2de876ea3395560341629a1459336ddfca445bd5d9739355eb9acb1538bf96d3ae53de
SSDEEP

6144:x1nbyCFfLZz+GIIIIIIIhIIIIIIIIIIIIIIIU:iILZU

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

safe-towers.gl.at.ply.gg:30351

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1688-0-0x0000000000120000-0x0000000000178000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	powershell.exe
2420	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	RECODE 1.4.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1688	RECODE 1.4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2292	1688	RECODE 1.4.exe	29
PID 1688 wrote to memory of 2292	1688	RECODE 1.4.exe	29
PID 1688 wrote to memory of 2292	1688	RECODE 1.4.exe	29
PID 1688 wrote to memory of 2420	1688	RECODE 1.4.exe	31
PID 1688 wrote to memory of 2420	1688	RECODE 1.4.exe	31
PID 1688 wrote to memory of 2420	1688	RECODE 1.4.exe	31

C:\Users\Admin\AppData\Local\Temp\RECODE 1.4.exe
"C:\Users\Admin\AppData\Local\Temp\RECODE 1.4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RECODE 1.4.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RECODE 1.4.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
41a0225c16191b0e474cd15d57c872ed

SHA1
d1fce81ef916594b1e8c9ae004774cdaa282a650

SHA256
c32db57463e00b1b3d0d299b1775d895c36b2c9137f701f13c13cd8f57b84d40

SHA512
2d22ef39047735a91be386dadb1034176ad5c90c1162a9b56ca5dda408c2f81890a151c4db172ed3b203bb41e7fded1ba2e772d3e34c479764d167194605b6df

Download Submit
memory/1688-0-0x0000000000120000-0x0000000000178000-memory.dmp

Filesize
352KB

Download
memory/1688-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-2-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/1688-30-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/1688-28-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-14-0x000007FEEDEA0000-0x000007FEEE83D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-11-0x000007FEEDEA0000-0x000007FEEE83D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-12-0x0000000001F30000-0x0000000001FB0000-memory.dmp

Filesize
512KB

Download
memory/2292-13-0x0000000001F30000-0x0000000001FB0000-memory.dmp

Filesize
512KB

Download
memory/2292-10-0x0000000001F30000-0x0000000001FB0000-memory.dmp

Filesize
512KB

Download
memory/2292-9-0x000007FEEDEA0000-0x000007FEEE83D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-7-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2292-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2420-23-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2420-21-0x000007FEED500000-0x000007FEEDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-24-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2420-25-0x000007FEED500000-0x000007FEEDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-26-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2420-27-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2420-22-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/2420-29-0x000007FEED500000-0x000007FEEDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-20-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing