xworm | 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1

General

Target

Bypass3_Pure_Mode.exe
Size

724KB
MD5

6e1e63e97c09758e3db18ea31bd95284
SHA1

6f4a188d43122d22a14459123764a094ed56b37c
SHA256

2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512

0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP

12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.27.41:7000

Mutex

9ZF9ZsOZGh1T1r1n

Attributes

Install_directory
%Public%
install_file
csrss.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\XClient.exe	family_xworm
behavioral2/memory/2728-48-0x0000000000F40000-0x0000000000F50000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4180 powershell.exe
768 powershell.exe
4440 powershell.exe
2600 powershell.exe

pid	process
4180	powershell.exe
768	powershell.exe
4440	powershell.exe
2600	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bypass3_Pure_Mode.exeXClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Bypass3_Pure_Mode.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

example.exeXClient.exe

pid process

2524 example.exe
2728 XClient.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
25	ip-api.com

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

example.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	process
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2524	example.exe
2600	powershell.exe
2600	powershell.exe
4180	powershell.exe
4180	powershell.exe
4180	powershell.exe
768	powershell.exe
768	powershell.exe
768	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
2728	XClient.exe
2728	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2728	XClient.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	2728	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

2728 XClient.exe

pid	process
2728	XClient.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Bypass3_Pure_Mode.exeexample.execmd.exeXClient.exe

description	pid	process	target process
PID 224 wrote to memory of 2524	224	Bypass3_Pure_Mode.exe	example.exe
PID 224 wrote to memory of 2524	224	Bypass3_Pure_Mode.exe	example.exe
PID 224 wrote to memory of 2728	224	Bypass3_Pure_Mode.exe	XClient.exe
PID 224 wrote to memory of 2728	224	Bypass3_Pure_Mode.exe	XClient.exe
PID 2524 wrote to memory of 1468	2524	example.exe	cmd.exe
PID 2524 wrote to memory of 1468	2524	example.exe	cmd.exe
PID 1468 wrote to memory of 752	1468	cmd.exe	certutil.exe
PID 1468 wrote to memory of 752	1468	cmd.exe	certutil.exe
PID 1468 wrote to memory of 860	1468	cmd.exe	find.exe
PID 1468 wrote to memory of 860	1468	cmd.exe	find.exe
PID 1468 wrote to memory of 1312	1468	cmd.exe	find.exe
PID 1468 wrote to memory of 1312	1468	cmd.exe	find.exe
PID 2728 wrote to memory of 2600	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 2600	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 4180	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 4180	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 768	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 768	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 4440	2728	XClient.exe	powershell.exe
PID 2728 wrote to memory of 4440	2728	XClient.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Bypass3_Pure_Mode.exe
"C:\Users\Admin\AppData\Local\Temp\Bypass3_Pure_Mode.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\example.exe
"C:\Users\Admin\example.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\example.exe" MD5
4⤵
PID:752

C:\Windows\system32\find.exe
find /i /v "md5"
4⤵
PID:860

C:\Windows\system32\find.exe
find /i /v "certutil"
4⤵
PID:1312

C:\Users\Admin\XClient.exe
"C:\Users\Admin\XClient.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hp23rcl4.b10.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\XClient.exe
Filesize
40KB

MD5
7ea387ab126b2ecf3365d448a318a433

SHA1
71b6e05898b68ed72ca95266d6293b225c40b612

SHA256
573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015

SHA512
68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825

Download Submit
C:\Users\Admin\example.exe
Filesize
673KB

MD5
56a9b5d3e447355a8d29a2d02a00b70c

SHA1
af802aab037d6ae208b040e4e0b629665f208394

SHA256
8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1

SHA512
c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081

Download Submit
memory/224-1-0x0000000000700000-0x00000000007BC000-memory.dmp

Filesize
752KB

Download
memory/224-0-0x00007FF841E03000-0x00007FF841E05000-memory.dmp

Filesize
8KB

Download
memory/2600-61-0x000002215D340000-0x000002215D362000-memory.dmp

Filesize
136KB

Download
memory/2728-51-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-50-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-48-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/2728-102-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-103-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads