xworm | 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767

General

Target

66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
Size

535KB
MD5

11484da8db8f1bbeaff9b8b4b7387e7d
SHA1

8604e6082a89f9731beba669de3520788dd70d6a
SHA256

66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767
SHA512

54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53
SSDEEP

6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

your-purchasing.gl.at.ply.gg:35731

logo-active.gl.at.ply.gg:25835

Attributes

Install_directory
%AppData%
install_file
System.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023b15-7.dat	family_xworm
behavioral2/memory/972-29-0x0000000000AC0000-0x0000000000AD6000-memory.dmp	family_xworm
behavioral2/memory/4372-32-0x0000000000BF0000-0x0000000000C06000-memory.dmp	family_xworm
behavioral2/files/0x000a000000023b88-31.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3604	powershell.exe
4440	powershell.exe
3812	powershell.exe
876	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
972	System.exe
2620	abobus.exe
4372	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3364	PING.EXE
4432	PING.EXE
3868	PING.EXE
216	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4440	powershell.exe
3604	powershell.exe
4440	powershell.exe
3604	powershell.exe
3604	powershell.exe
4440	powershell.exe
3812	powershell.exe
3812	powershell.exe
876	powershell.exe
876	powershell.exe
3812	powershell.exe
876	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	System.exe
Token: SeDebugPrivilege	4372	svchost.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 972	1848	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe	83
PID 1848 wrote to memory of 972	1848	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe	83
PID 1848 wrote to memory of 2620	1848	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe	84
PID 1848 wrote to memory of 2620	1848	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe	84
PID 1848 wrote to memory of 4372	1848	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe	85
PID 1848 wrote to memory of 4372	1848	66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe	85
PID 2620 wrote to memory of 4968	2620	abobus.exe	87
PID 2620 wrote to memory of 4968	2620	abobus.exe	87
PID 4968 wrote to memory of 4816	4968	cmd.exe	88
PID 4968 wrote to memory of 4816	4968	cmd.exe	88
PID 4968 wrote to memory of 3364	4968	cmd.exe	89
PID 4968 wrote to memory of 3364	4968	cmd.exe	89
PID 4968 wrote to memory of 4432	4968	cmd.exe	93
PID 4968 wrote to memory of 4432	4968	cmd.exe	93
PID 4968 wrote to memory of 3868	4968	cmd.exe	97
PID 4968 wrote to memory of 3868	4968	cmd.exe	97
PID 4372 wrote to memory of 3604	4372	svchost.exe	98
PID 4372 wrote to memory of 3604	4372	svchost.exe	98
PID 972 wrote to memory of 4440	972	System.exe	99
PID 972 wrote to memory of 4440	972	System.exe	99
PID 972 wrote to memory of 3812	972	System.exe	102
PID 972 wrote to memory of 3812	972	System.exe	102
PID 4372 wrote to memory of 876	4372	svchost.exe	104
PID 4372 wrote to memory of 876	4372	svchost.exe	104
PID 4968 wrote to memory of 216	4968	cmd.exe	106
PID 4968 wrote to memory of 216	4968	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
"C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- C:\Users\Admin\AppData\Local\Temp\abobus.exe
  "C:\Users\Admin\AppData\Local\Temp\abobus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38E2.tmp\38E3.tmp\38E4.bat C:\Users\Admin\AppData\Local\Temp\abobus.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4816
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3364
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4432
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3868
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:216
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e9b83f48f6d18a70a0204fc6927471ba

SHA1
b2122ea0ba394a320b53605bdc9991c14c87ec8e

SHA256
cfc12de174fffd850f98ddc488818e207c6c0f7e80685a6055665062b9f057a5

SHA512
32ca1b677be6c80696e2a053862ba21f361d4e58ec96dd77950e88a3be4ed18b5ce3dc7ed4702ce61b261e62cc3fcf42a1f45ef7dc25297cb53bdc6a30ada38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E2.tmp\38E3.tmp\38E4.bat

Filesize
712B

MD5
1c6d570cacfeda450549313478b0c5e0

SHA1
c914ab0dadf9b782ffd47cf42305ec0b5228ffb5

SHA256
f60f30bb535beec466c0ccaee0fefa3d14efe9f5a52031206e1bbe3f64b26390

SHA512
f0203662b33ce4efdb2458fac762b3ab24e799d676ed2b79d75c32486861a3206e0558212ddd14a1bf60cf28ea84409868d79cd5f14333d391b68af16c4280a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
65KB

MD5
d4195c5da221fd57c3fa82c51c73fc4d

SHA1
f253e51c33874bf1f7bd55f21122bdd77e4c4ea4

SHA256
a28a54a0a3b3d502c2f7aecf1f9109f61cfa822e0ccc1f3ef67250baa12d49db

SHA512
0af7e1cd86cd249d1ab8d170b47de0ee2669ea55537f56a6958560be74769b299a3f71ab717693689d9014e2187c70a6ca490e0f94d0c6f452a91924c96a766e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsfeenkz.k4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abobus.exe

Filesize
122KB

MD5
588625ea18fb70571c443a739fa75bad

SHA1
9ce88840d71ea3f011595e22f13651df5cdaf971

SHA256
672e9ece4c044fe3c385d49bbc35b52c4348f170bb7de7963a9f1e709f8a089b

SHA512
917d9a54170cbce7238227207b386342f03be71fc5339b66713b63ed4584d1d972e491fffbe9cea5b2ed3c3b417409bf8da1672bb1711b5d2c93bacdb3c2cb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
66KB

MD5
a788becf083156d7fac2be10c6d08d4e

SHA1
4ff004a365b01bd590667baf797d906a927ca218

SHA256
6b129d4a5aa3cc91abc19dae5922f857282d4c37e7f23df626d9b9ca8f845061

SHA512
ac868aa2b3091a5eb1672fbb44aff879666d73753ef6e39ca8781759905064c594c265a2411b6dfde122b821fab2225c577d0de1a28606dd39b8318c5f0055d4

Download Submit
memory/972-34-0x00007FFBFE3A0000-0x00007FFBFEE61000-memory.dmp

Filesize
10.8MB

Download
memory/972-29-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/1848-0-0x0000000000B40000-0x0000000000BCC000-memory.dmp

Filesize
560KB

Download
memory/1848-1-0x00007FFBFE3A3000-0x00007FFBFE3A5000-memory.dmp

Filesize
8KB

Download
memory/3604-48-0x000001E667DB0000-0x000001E667DD2000-memory.dmp

Filesize
136KB

Download
memory/4372-37-0x00007FFBFE3A0000-0x00007FFBFEE61000-memory.dmp

Filesize
10.8MB

Download
memory/4372-32-0x0000000000BF0000-0x0000000000C06000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing