xworm | 7e54c4f16a70a0d290abf816d88928cf16061de39c15d09378248b5d1fb7304a

General

Target

1515.exe
Size

346KB
MD5

e15aaf4124d69f37a69dcaaaa3ae91a7
SHA1

9c9d8a64440572e425effbb1cf8164a0f9c0a2b3
SHA256

7e54c4f16a70a0d290abf816d88928cf16061de39c15d09378248b5d1fb7304a
SHA512

3882169d67702365762d427a9b7ab766e3571f85b65bd06466549ec56bf8b8ac985f11b664513c4ba0832aae645386651f492a4fa22e5ae5be0f077972e6dd2b
SSDEEP

6144:hAt2bbee+GIIIIIIIhIIIIIIIIIIIIIIIU:OtMep

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

chapter-thomson.gl.at.ply.gg:33483

Attributes

Install_directory
%Userprofile%
install_file
steam.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000BC0000-0x0000000000C1C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Deletes itself 1 IoCs

pid	Process
1784	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steam.lnk	1515.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steam.lnk	1515.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\steam = "C:\\Users\\Admin\\steam.exe"	1515.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2708	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2920	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1632	1515.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1512	powershell.exe
2632	powershell.exe
2608	powershell.exe
2544	powershell.exe
1632	1515.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	1515.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1632	1515.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1632	1515.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1512	1632	1515.exe	28
PID 1632 wrote to memory of 1512	1632	1515.exe	28
PID 1632 wrote to memory of 1512	1632	1515.exe	28
PID 1632 wrote to memory of 2632	1632	1515.exe	30
PID 1632 wrote to memory of 2632	1632	1515.exe	30
PID 1632 wrote to memory of 2632	1632	1515.exe	30
PID 1632 wrote to memory of 2608	1632	1515.exe	32
PID 1632 wrote to memory of 2608	1632	1515.exe	32
PID 1632 wrote to memory of 2608	1632	1515.exe	32
PID 1632 wrote to memory of 2544	1632	1515.exe	34
PID 1632 wrote to memory of 2544	1632	1515.exe	34
PID 1632 wrote to memory of 2544	1632	1515.exe	34
PID 1632 wrote to memory of 2708	1632	1515.exe	36
PID 1632 wrote to memory of 2708	1632	1515.exe	36
PID 1632 wrote to memory of 2708	1632	1515.exe	36
PID 1632 wrote to memory of 1032	1632	1515.exe	39
PID 1632 wrote to memory of 1032	1632	1515.exe	39
PID 1632 wrote to memory of 1032	1632	1515.exe	39
PID 1632 wrote to memory of 1784	1632	1515.exe	41
PID 1632 wrote to memory of 1784	1632	1515.exe	41
PID 1632 wrote to memory of 1784	1632	1515.exe	41
PID 1784 wrote to memory of 2920	1784	cmd.exe	43
PID 1784 wrote to memory of 2920	1784	cmd.exe	43
PID 1784 wrote to memory of 2920	1784	cmd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1515.exe
"C:\Users\Admin\AppData\Local\Temp\1515.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1515.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1515.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\steam.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'steam.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "steam" /tr "C:\Users\Admin\steam.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2708
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "steam"
  2⤵
  PID:1032
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7214.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7214.tmp.bat

Filesize
156B

MD5
cc5756c9c48c93302d925372b0e656e1

SHA1
1e095ce2e7bc68531d650b90234e4f7683690820

SHA256
5af599bf8b1ac11b9b5b93460f4b2c9efe496d9fed834970896579d76347ed55

SHA512
61bcd2cfa5613a18ca50e41ca83f11dc5fb370b3479ef2a95b45b832c1d9de337db14dfd931aa767193d0e99e68ca81e40040dee0b72e1f230a4a8fc912aca1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd9ce5e188eac8dd2d424dc0ad83d4e5

SHA1
8c9b86ed4fd05e99364edab218f4586ba0f40966

SHA256
944cd502b52834ce8184fe86c2a95799f0f4c75623ff37d1c79ee9e9ee8e804b

SHA512
751ba77ff4837e7562de416eba6565dc0c86171f5ca2f39f9fd814db3125fd528bbf94016a0f2263f24d4934939748eb4ad01e0e6916854383570c25c1ed8163

Download Submit
memory/1512-11-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1512-7-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/1512-8-0x000007FEF1F60000-0x000007FEF28FD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-12-0x000007FEF1F60000-0x000007FEF28FD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-10-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1512-9-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1512-13-0x000007FEF1F60000-0x000007FEF28FD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-6-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1632-0-0x0000000000BC0000-0x0000000000C1C000-memory.dmp

Filesize
368KB

Download
memory/1632-68-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-1-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-56-0x000000001B1E0000-0x000000001B260000-memory.dmp

Filesize
512KB

Download
memory/1632-50-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-44-0x000007FEEED70000-0x000007FEEF70D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-47-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2544-51-0x000007FEEED70000-0x000007FEEF70D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-46-0x000007FEEED70000-0x000007FEEF70D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-48-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2544-49-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2544-45-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2608-37-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2608-35-0x000007FEF1F60000-0x000007FEF28FD000-memory.dmp

Filesize
9.6MB

Download
memory/2608-34-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2608-38-0x000007FEF1F60000-0x000007FEF28FD000-memory.dmp

Filesize
9.6MB

Download
memory/2608-36-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2608-33-0x000007FEF1F60000-0x000007FEF28FD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-22-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2632-23-0x000007FEEED70000-0x000007FEEF70D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-27-0x000007FEEED70000-0x000007FEEF70D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-26-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2632-24-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2632-25-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2632-21-0x000007FEEED70000-0x000007FEEF70D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-20-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2632-19-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads