xworm | 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b

General

Target

shexwormonmymemztilliminoxide.exe
Size

41KB
MD5

14f963e28858c6c3f653048a83621c89
SHA1

8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
SHA256

355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
SHA512

2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2
SSDEEP

768:xTFHrDMcksBqaEAOrHA7tF5PM96maOwh23EihHJ:XwcGvAwAxFS96maOwwlx

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:38630

147.185.221.19:38630

bay-currencies.gl.at.ply.gg:38630

and-organized.gl.at.ply.gg:38630

community-excess.gl.at.ply.gg:38630

Mutex

TelZ6nrHgxVFZl6W

Attributes

Install_directory
%AppData%
install_file
runbroker.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000E70000-0x0000000000E80000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\runbroker.exe	family_xworm
behavioral1/memory/580-12-0x00000000012B0000-0x00000000012C0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2060 cmd.exe

pid	process
2060	cmd.exe

Drops startup file 2 IoCs

Processes:

shexwormonmymemztilliminoxide.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk	shexwormonmymemztilliminoxide.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk	shexwormonmymemztilliminoxide.exe

Executes dropped EXE 1 IoCs

Processes:

runbroker.exe

pid process

580 runbroker.exe

pid	process
580	runbroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

shexwormonmymemztilliminoxide.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe"	shexwormonmymemztilliminoxide.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2588 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2092 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

shexwormonmymemztilliminoxide.exe

pid process

2868 shexwormonmymemztilliminoxide.exe

flow	ioc
4	ip-api.com

pid	process
2588	schtasks.exe

pid	process
2092	timeout.exe

pid	process
2868	shexwormonmymemztilliminoxide.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shexwormonmymemztilliminoxide.exerunbroker.exe

description	pid	process
Token: SeDebugPrivilege	2868	shexwormonmymemztilliminoxide.exe
Token: SeDebugPrivilege	2868	shexwormonmymemztilliminoxide.exe
Token: SeDebugPrivilege	580	runbroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

shexwormonmymemztilliminoxide.exe

pid process

2868 shexwormonmymemztilliminoxide.exe

pid	process
2868	shexwormonmymemztilliminoxide.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

shexwormonmymemztilliminoxide.exetaskeng.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 2588	2868	shexwormonmymemztilliminoxide.exe	schtasks.exe
PID 2868 wrote to memory of 2588	2868	shexwormonmymemztilliminoxide.exe	schtasks.exe
PID 2868 wrote to memory of 2588	2868	shexwormonmymemztilliminoxide.exe	schtasks.exe
PID 1360 wrote to memory of 580	1360	taskeng.exe	runbroker.exe
PID 1360 wrote to memory of 580	1360	taskeng.exe	runbroker.exe
PID 1360 wrote to memory of 580	1360	taskeng.exe	runbroker.exe
PID 2868 wrote to memory of 3000	2868	shexwormonmymemztilliminoxide.exe	schtasks.exe
PID 2868 wrote to memory of 3000	2868	shexwormonmymemztilliminoxide.exe	schtasks.exe
PID 2868 wrote to memory of 3000	2868	shexwormonmymemztilliminoxide.exe	schtasks.exe
PID 2868 wrote to memory of 2060	2868	shexwormonmymemztilliminoxide.exe	cmd.exe
PID 2868 wrote to memory of 2060	2868	shexwormonmymemztilliminoxide.exe	cmd.exe
PID 2868 wrote to memory of 2060	2868	shexwormonmymemztilliminoxide.exe	cmd.exe
PID 2060 wrote to memory of 2092	2060	cmd.exe	timeout.exe
PID 2060 wrote to memory of 2092	2060	cmd.exe	timeout.exe
PID 2060 wrote to memory of 2092	2060	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe
"C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
2⤵
- Creates scheduled task(s)
PID:2588

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker"
2⤵
PID:3000

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C2.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2092

C:\Windows\system32\taskeng.exe
taskeng.exe {CB2D2D7B-49E0-4E45-903A-CB0825FE555F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Roaming\runbroker.exe
C:\Users\Admin\AppData\Roaming\runbroker.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4C2.tmp.bat
Filesize
180B

MD5
385193735e70954cd7c0dd3b42ae0d72

SHA1
70e49541268943f0c61eb029b86ccb4178704715

SHA256
9b5c18fe5fa476e45ce84b1cdccddc5ec4128cb47aeea410da9dd6dbd73ddbdc

SHA512
4f178982128e83484a8c75e39a24578705b43ae8bf1a275419c0d4ff1dfe30c11581c7b989f0d9293d645a512062d7a254607473fc9fcdb5a238ceba045d1170

Download Submit
C:\Users\Admin\AppData\Roaming\runbroker.exe
Filesize
41KB

MD5
14f963e28858c6c3f653048a83621c89

SHA1
8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6

SHA256
355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b

SHA512
2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2

Download Submit
memory/580-12-0x00000000012B0000-0x00000000012C0000-memory.dmp

Filesize
64KB

Download
memory/2868-0-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/2868-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-2-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/2868-7-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-8-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/2868-14-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/2868-24-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads