xworm | 4a643c8ac145763b7e4a9b410a5dcc3562faf0f2204ec0d2613833923628f419

General

Target

Krampus/Krampus/B1OdUv8CBH.exe
Size

18.8MB
MD5

c5df5afb4679cbea28de24ff9ed306a2
SHA1

fe968a913c1377f0e85cc4c95afa3129a2f9ae22
SHA256

a12756e652171e06da8133a7abe625316b3d352fc82ed8cf199f349b7de0c478
SHA512

a4ddb32c744da55829823feb140c2c48612d442459ec76daf7ec0459327e8422222a380c53802c15b298cf122f1f86fe2891b2bf04732ef764d62fb182cd7e70
SSDEEP

196608:EXi2sOT7HnJ+7CBgHcyCkaIH2kkoyhr5QXNDe6JaCPU8rblcRHrdcKZ5CRO2HACB:ci07we4+TB6zxJcRBdCrHxwwR

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/a1kmrNub

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015d31-5.dat	family_xworm
behavioral1/memory/2264-7-0x0000000001160000-0x0000000001178000-memory.dmp	family_xworm
behavioral1/memory/2328-61-0x0000000000AA0000-0x0000000000AB8000-memory.dmp	family_xworm
behavioral1/memory/1696-66-0x0000000001280000-0x0000000001298000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2964	powershell.exe
1900	powershell.exe
2524	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2264	clientlol.exe
2140	KrampUI.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	B1OdUv8CBH.exe
2040	B1OdUv8CBH.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1268	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	clientlol.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2264	2040	B1OdUv8CBH.exe	28
PID 2040 wrote to memory of 2264	2040	B1OdUv8CBH.exe	28
PID 2040 wrote to memory of 2264	2040	B1OdUv8CBH.exe	28
PID 2040 wrote to memory of 2140	2040	B1OdUv8CBH.exe	29
PID 2040 wrote to memory of 2140	2040	B1OdUv8CBH.exe	29
PID 2040 wrote to memory of 2140	2040	B1OdUv8CBH.exe	29

C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\ProgramData\clientlol.exe
  "C:\ProgramData\clientlol.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\clientlol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'clientlol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1900
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
    3⤵
    - Creates scheduled task(s)
    PID:1268
- C:\ProgramData\KrampUI.exe
  "C:\ProgramData\KrampUI.exe"
  2⤵
  - Executes dropped EXE
  PID:2140

C:\Windows\system32\taskeng.exe
taskeng.exe {82F292C6-8E51-4CD0-AB22-B53BFA2FFEF3} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:2856
- C:\ProgramData\svchost
  C:\ProgramData\svchost
  2⤵
  PID:2328
- C:\ProgramData\svchost
  C:\ProgramData\svchost
  2⤵
  PID:1696
- C:\ProgramData\svchost
  C:\ProgramData\svchost
  2⤵
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KrampUI.exe

Filesize
2.1MB

MD5
1b2d5010407397170f82f60a555ac6ca

SHA1
9825fba934d4b057b65e031e0167d0bb03966e19

SHA256
3b2a4fd0d5dbc6fba907abceb940fc34e18a0e452ec209a18eb0f6a3b0d39463

SHA512
38f0d1e1c437af92b0b9a42f56848b329ab3ffec0b206e725512848486589872efb59a20c9580810339f7dfca942168742cabf792d0bbb3e5a734cfadd62642c

Download Submit
C:\ProgramData\clientlol.exe

Filesize
1.5MB

MD5
da4f713eda91ee257714127d761852a3

SHA1
5901870facef99c9c850b141e8f8339721e932e4

SHA256
9d27a2b70745480a42b83777ea3aa0399c63a55c6d9b699d67f1e95f7605ebe1

SHA512
9964eca29700aefa97febdbca4e829a64ec6fd050d49c720f04963fab831b528319c9b3b054f36093ef9dc7236a681fba02f1f988ec19194f124d7a75abcddf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ACR1OY6Z0W9JTJKGIG5.temp

Filesize
7KB

MD5
404283061758b1ee5dbeeb9ce6e2c357

SHA1
dfb937d933a8414917a8922973f9f5d62db39209

SHA256
46c66f4a55107e8b7e884a5a84d5e9abfe57f1558cbe97f36cc638b4a1e0a98f

SHA512
c9c7d8246c40338f6ef8a6a0c46521a8ce2e73ecf6bdf9ccfec1889149d47314e399185e0c42c5526e55e85218500cf1e2666c421ef43bd12c697812f3157f1c

Download Submit
\ProgramData\KrampUI.exe

Filesize
5.4MB

MD5
be0c461f60e8298c87075dfce55ee7e8

SHA1
027ccd463a66530b209c690b2dc8ba697809fcf8

SHA256
a293bbf009bd7caa2b22153fc10bedc89d1bb2f7c61bed62ac07dc4ce14c7579

SHA512
d11516bbf0cc9e281f30de8298a1a9b219d9b2f62aa9f522546ecb0b409002bddc01ade9b403831f576f9935f6c8c63a54c8e31ffe3a0d095de4dba993b6bf83

Download Submit
memory/1696-66-0x0000000001280000-0x0000000001298000-memory.dmp

Filesize
96KB

Download
memory/2040-1-0x00000000001E0000-0x00000000014AE000-memory.dmp

Filesize
18.8MB

Download
memory/2040-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/2264-7-0x0000000001160000-0x0000000001178000-memory.dmp

Filesize
96KB

Download
memory/2264-17-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-63-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-8-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-62-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-61-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download
memory/2524-29-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2524-30-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2820-22-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2820-23-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads