xworm | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6

General

Target

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
Size

49KB
MD5

f8c0512008daff966ef349e7178d1239
SHA1

2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
SHA512

f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa
SSDEEP

768:FpJRqkmuoYiL7pr4y9iIn0N+LJwdFNt9cHpa6vOAh2HVXj+T3I:FpJRqVRNr42uNBFf9ipa6vOAwVST3I

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

91.92.252.220:7000

Mutex

MeDwR8PJidtfrQQa

Attributes

Install_directory
%AppData%
install_file
explorer.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4576-0-0x00000000002B0000-0x00000000002C2000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\explorer.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

5912 explorer.exe
2424 explorer.exe

pid	process
5912	explorer.exe
2424	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2420 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

pid process

4576 b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

flow	ioc
1	ip-api.com

pid	process
2420	schtasks.exe

pid	process
4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeb019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

pid	process
5784	powershell.exe
5784	powershell.exe
1152	powershell.exe
1152	powershell.exe
2532	powershell.exe
2532	powershell.exe
1460	powershell.exe
1460	powershell.exe
4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
Token: SeDebugPrivilege	5912	explorer.exe
Token: SeDebugPrivilege	2424	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

pid process

4576 b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

pid	process
4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe

description	pid	process	target process
PID 4576 wrote to memory of 5784	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 5784	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 1152	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 1152	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 2532	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 2532	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 1460	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 1460	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	powershell.exe
PID 4576 wrote to memory of 2420	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	schtasks.exe
PID 4576 wrote to memory of 2420	4576	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
"C:\Users\Admin\AppData\Local\Temp\b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2420

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa6b748cd8f3e3c0e41549529b919e21

SHA1
5a4b9721f9fb5042f6ef7afd698d5ac5216a88bb

SHA256
d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8

SHA512
361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dhked3uq.trl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
49KB

MD5
f8c0512008daff966ef349e7178d1239

SHA1
2a74048cf5009ab0f850e3992ffe7a453e3e18a5

SHA256
b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6

SHA512
f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa

Download Submit
memory/1152-36-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/1152-33-0x000001BCBC4A0000-0x000001BCBC4B0000-memory.dmp

Filesize
64KB

Download
memory/1152-32-0x000001BCBC4A0000-0x000001BCBC4B0000-memory.dmp

Filesize
64KB

Download
memory/1152-31-0x000001BCBC4A0000-0x000001BCBC4B0000-memory.dmp

Filesize
64KB

Download
memory/1152-34-0x000001BCBC4A0000-0x000001BCBC4B0000-memory.dmp

Filesize
64KB

Download
memory/1152-30-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/1460-63-0x00000200F00D0000-0x00000200F00E0000-memory.dmp

Filesize
64KB

Download
memory/1460-62-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/1460-66-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/1460-64-0x00000200F00D0000-0x00000200F00E0000-memory.dmp

Filesize
64KB

Download
memory/2424-80-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/2424-79-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/2532-51-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/2532-47-0x00000291F65C0000-0x00000291F65D0000-memory.dmp

Filesize
64KB

Download
memory/2532-48-0x00000291F65C0000-0x00000291F65D0000-memory.dmp

Filesize
64KB

Download
memory/2532-46-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/4576-49-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/4576-1-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/4576-52-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

Filesize
64KB

Download
memory/4576-2-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

Filesize
64KB

Download
memory/4576-0-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/5784-12-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/5784-13-0x000001B399BA0000-0x000001B399BB0000-memory.dmp

Filesize
64KB

Download
memory/5784-14-0x000001B399BA0000-0x000001B399BB0000-memory.dmp

Filesize
64KB

Download
memory/5784-8-0x000001B3FF7D0000-0x000001B3FF7F2000-memory.dmp

Filesize
136KB

Download
memory/5784-19-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/5784-15-0x000001B399BA0000-0x000001B399BB0000-memory.dmp

Filesize
64KB

Download
memory/5784-16-0x000001B399BA0000-0x000001B399BB0000-memory.dmp

Filesize
64KB

Download
memory/5912-73-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download
memory/5912-75-0x00007FF8B3040000-0x00007FF8B3B02000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads