xworm | d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

General

Target

vamicheatloader.exe
Size

77KB
MD5

b074da06d9857ac5261d62b2446774a4
SHA1

7137511fab7f416097aafba40cb0b6becf6c9d6e
SHA256

d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
SHA512

04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
SSDEEP

1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

rooms-belkin.gl.at.ply.gg:48066

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000210000-0x000000000022A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/2420-36-0x0000000000B60000-0x0000000000B7A000-memory.dmp	family_xworm
behavioral1/memory/300-39-0x0000000000BF0000-0x0000000000C0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2548 powershell.exe
2616 powershell.exe
2484 powershell.exe
1984 powershell.exe

pid	process
2548	powershell.exe
2616	powershell.exe
2484	powershell.exe
1984	powershell.exe

Drops startup file 2 IoCs

Processes:

vamicheatloader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2420 svchost.exe
300 svchost.exe

pid	process
2420	svchost.exe
300	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vamicheatloader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	vamicheatloader.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2908 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exevamicheatloader.exe

pid process

2548 powershell.exe
2616 powershell.exe
2484 powershell.exe
1984 powershell.exe
2200 vamicheatloader.exe

flow	ioc
4	ip-api.com

pid	process
2908	schtasks.exe

pid	process
2548	powershell.exe
2616	powershell.exe
2484	powershell.exe
1984	powershell.exe
2200	vamicheatloader.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

vamicheatloader.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2200	vamicheatloader.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2200	vamicheatloader.exe
Token: SeDebugPrivilege	2420	svchost.exe
Token: SeDebugPrivilege	300	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vamicheatloader.exe

pid process

2200 vamicheatloader.exe

pid	process
2200	vamicheatloader.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

vamicheatloader.exetaskeng.exe

description	pid	process	target process
PID 2200 wrote to memory of 2548	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2548	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2548	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2616	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2616	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2616	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2484	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2484	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2484	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 1984	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 1984	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 1984	2200	vamicheatloader.exe	powershell.exe
PID 2200 wrote to memory of 2908	2200	vamicheatloader.exe	schtasks.exe
PID 2200 wrote to memory of 2908	2200	vamicheatloader.exe	schtasks.exe
PID 2200 wrote to memory of 2908	2200	vamicheatloader.exe	schtasks.exe
PID 2536 wrote to memory of 2420	2536	taskeng.exe	svchost.exe
PID 2536 wrote to memory of 2420	2536	taskeng.exe	svchost.exe
PID 2536 wrote to memory of 2420	2536	taskeng.exe	svchost.exe
PID 2536 wrote to memory of 300	2536	taskeng.exe	svchost.exe
PID 2536 wrote to memory of 300	2536	taskeng.exe	svchost.exe
PID 2536 wrote to memory of 300	2536	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe
"C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\taskeng.exe
taskeng.exe {60F66EC7-4F35-49AE-8F88-791DE6A0BAF6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6c742ce41787ef332297e9ed19c8c7c8

SHA1
638384a777cf7f8b72384c94becfd1aacc087f76

SHA256
54aa1f5167c7aacabf10a0ca78d6428280bd7208091a48a804619a1407970fdf

SHA512
b13b2ae5ff74b2bca750a6dde2c0c54242b21b4aa2f085a3610ce2045adec89baadc9685c8b9d7a512ce425d1bc34190e83ebe784947f157912eaea167e0b623

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
77KB

MD5
b074da06d9857ac5261d62b2446774a4

SHA1
7137511fab7f416097aafba40cb0b6becf6c9d6e

SHA256
d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

SHA512
04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

Download Submit
memory/300-39-0x0000000000BF0000-0x0000000000C0A000-memory.dmp

Filesize
104KB

Download
memory/2200-31-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp

Filesize
4KB

Download
memory/2200-0-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp

Filesize
4KB

Download
memory/2200-32-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-2-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-1-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/2420-36-0x0000000000B60000-0x0000000000B7A000-memory.dmp

Filesize
104KB

Download
memory/2548-8-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2548-7-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2616-15-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2616-16-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads