xworm | 2711cee27d7159cc7a2e3c23458a7e3ea051a5feb1edf0d553f1eab8b3e19d81

General

Target

Optimizer-1.8.exe
Size

599KB
MD5

eb8f4df15f55d8e5d62e8e38d2872543
SHA1

63c69997aa5d4fab1bdc1b58da1c58dc715a9869
SHA256

2711cee27d7159cc7a2e3c23458a7e3ea051a5feb1edf0d553f1eab8b3e19d81
SHA512

a69a8c97caaa659501010513941f0bd483e7c575d42c3357b042a5f8d6f89708a49fad48339ffa3dd65b5772f3ab9f27311176803aa508dc9c42531642e3a4a1
SSDEEP

3072:yfy3WK38xN0IOcu75LTTnotxbOGwR/IT8oC7G:yfs38WHi8j

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

rat234678235481254.ddns.net:4782

127.0.0.1:4782

<Xwormmm>:1234

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001aad8-8.dat	family_xworm
behavioral1/memory/4264-10-0x0000000000320000-0x0000000000378000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Optimizer-1.1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Optimizer-1.1.exe

Executes dropped EXE 4 IoCs

pid	Process
4264	Optimizer-1.1.exe
4800	Runtime Broker.exe
2000	Runtime Broker.exe
4284	Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe"	Optimizer-1.1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3864	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Optimizer-1.8.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2760	notepad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4264	Optimizer-1.1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	Optimizer-1.1.exe
Token: SeDebugPrivilege	4264	Optimizer-1.1.exe
Token: SeDebugPrivilege	4800	Runtime Broker.exe
Token: SeDebugPrivilege	2000	Runtime Broker.exe
Token: SeDebugPrivilege	4284	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4264	Optimizer-1.1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 4264	208	Optimizer-1.8.exe	71
PID 208 wrote to memory of 4264	208	Optimizer-1.8.exe	71
PID 208 wrote to memory of 2760	208	Optimizer-1.8.exe	72
PID 208 wrote to memory of 2760	208	Optimizer-1.8.exe	72
PID 4264 wrote to memory of 3864	4264	Optimizer-1.1.exe	74
PID 4264 wrote to memory of 3864	4264	Optimizer-1.1.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Optimizer-1.8.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-1.8.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\ProgramData\Optimizer-1.1.exe
  "C:\ProgramData\Optimizer-1.1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3864
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" "C:\ProgramData\Command.ps1"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2760

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Command.ps1

Filesize
346B

MD5
5d339bb421ae87d53c4e83550939129d

SHA1
9a0c98b41e04599a424e89a0666c8cc4d9dbba81

SHA256
795e84a06dc46f2d5581f4ac3c1b0546c0c144ca1add65a0f24855ba2ad3ca25

SHA512
8d5e12961a1d1d4e848597dc5b6cba97e034d507027cf8d07e90a78da1bd417a1893267cb97f79c1ad3236b4ec5e3f10f005edce93a327e5239af840b0bb223b

Download Submit
C:\ProgramData\Optimizer-1.1.exe

Filesize
332KB

MD5
fc5e253400d78120df1f62db85ac226e

SHA1
c5f06ae1b94d75577f2d6f43247f173dd189e9b2

SHA256
e897dd7e9108343574d449430b5c0663fc77aff8afbdc6e98e65bb29f0b9b260

SHA512
3a7d29e20b80ef0eb392457d10f90b6a6b874b719c70d540f357cdf35b85e23564d14002f436def18c848a201606e79a919dac0eef597a170a818b0ba822c4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
memory/208-0-0x00007FFF352F3000-0x00007FFF352F4000-memory.dmp

Filesize
4KB

Download
memory/208-1-0x0000000000440000-0x00000000004DA000-memory.dmp

Filesize
616KB

Download
memory/4264-10-0x0000000000320000-0x0000000000378000-memory.dmp

Filesize
352KB

Download
memory/4264-12-0x00007FFF352F0000-0x00007FFF35CDC000-memory.dmp

Filesize
9.9MB

Download
memory/4264-19-0x00007FFF352F0000-0x00007FFF35CDC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads