xworm | 926ba0df92e1f9b1841c1b04e4d101cbc3ce9c8019f6ac3c717380cd85643f92

General

Target

Steam.exe
Size

80KB
MD5

925c5ac8505847f51b4dbef340716238
SHA1

ecfb0b836deb64fa714f0cfc7f41e0f68e85c762
SHA256

926ba0df92e1f9b1841c1b04e4d101cbc3ce9c8019f6ac3c717380cd85643f92
SHA512

0780eb215f0caee0d63dddbceffb37c498729024957db8347f8df26a2a1df26138275bebfdd595f29549e2c775cd226c9980850daced72809e0b148e1b4c84c6
SSDEEP

1536:+v1oTUiT1jJuO+uSjic+b7LIafbVe66xFtOGZPSUQ:ASXu6Sj1+b7EeAtOG4N

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

help-wt.gl.at.ply.gg:60294

Attributes

Install_directory
%AppData%
install_file
Steam.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-1-0x00000000012D0000-0x00000000012EA000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Steam.exe	family_xworm
behavioral1/memory/2816-36-0x0000000000F50000-0x0000000000F6A000-memory.dmp	family_xworm
behavioral1/memory/684-39-0x0000000000340000-0x000000000035A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2164 powershell.exe
2648 powershell.exe
3060 powershell.exe
2720 powershell.exe

pid	process
2164	powershell.exe
2648	powershell.exe
3060	powershell.exe
2720	powershell.exe

Drops startup file 2 IoCs

Processes:

Steam.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe

Executes dropped EXE 2 IoCs

Processes:

Steam.exeSteam.exe

pid process

2816 Steam.exe
684 Steam.exe
Loads dropped DLL 1 IoCs

Processes:

Steam.exe

pid process

2208 Steam.exe

pid	process
2816	Steam.exe
684	Steam.exe

pid	process
2208	Steam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Steam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Steam.exe"	Steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3064 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeSteam.exe

pid process

2164 powershell.exe
2648 powershell.exe
3060 powershell.exe
2720 powershell.exe
2208 Steam.exe

pid	process
3064	schtasks.exe

pid	process
2164	powershell.exe
2648	powershell.exe
3060	powershell.exe
2720	powershell.exe
2208	Steam.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Steam.exepowershell.exepowershell.exepowershell.exepowershell.exeSteam.exeSteam.exe

description	pid	process
Token: SeDebugPrivilege	2208	Steam.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2208	Steam.exe
Token: SeDebugPrivilege	2816	Steam.exe
Token: SeDebugPrivilege	684	Steam.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Steam.exe

pid process

2208 Steam.exe

pid	process
2208	Steam.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Steam.exetaskeng.exe

description	pid	process	target process
PID 2208 wrote to memory of 2164	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2164	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2164	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2648	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2648	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2648	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 3060	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 3060	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 3060	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2720	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2720	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 2720	2208	Steam.exe	powershell.exe
PID 2208 wrote to memory of 3064	2208	Steam.exe	schtasks.exe
PID 2208 wrote to memory of 3064	2208	Steam.exe	schtasks.exe
PID 2208 wrote to memory of 3064	2208	Steam.exe	schtasks.exe
PID 1604 wrote to memory of 2816	1604	taskeng.exe	Steam.exe
PID 1604 wrote to memory of 2816	1604	taskeng.exe	Steam.exe
PID 1604 wrote to memory of 2816	1604	taskeng.exe	Steam.exe
PID 1604 wrote to memory of 684	1604	taskeng.exe	Steam.exe
PID 1604 wrote to memory of 684	1604	taskeng.exe	Steam.exe
PID 1604 wrote to memory of 684	1604	taskeng.exe	Steam.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Steam.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\Users\Admin\AppData\Roaming\Steam.exe"
2⤵
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\taskeng.exe
taskeng.exe {DEF1A17C-0554-4CEA-8B41-93F8717D5FEB} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
81e018dd88ed705b6a91166e5ca9608c

SHA1
d07750a59aa22eb2d0e716c81440b57d3e6db2d8

SHA256
718726959f12bea1755d75054fdfda2f4d87357b6068a2e0446e6c2fd24383f9

SHA512
4297751c57245067b13a52b2d3f7df92f916ac3986183cdae8e79027eff698af3f64d3325190a3dd58f000717418c859a6b363bef51480e3f0d85205c9067979

Download Submit
C:\Users\Admin\AppData\Roaming\Steam.exe
Filesize
80KB

MD5
925c5ac8505847f51b4dbef340716238

SHA1
ecfb0b836deb64fa714f0cfc7f41e0f68e85c762

SHA256
926ba0df92e1f9b1841c1b04e4d101cbc3ce9c8019f6ac3c717380cd85643f92

SHA512
0780eb215f0caee0d63dddbceffb37c498729024957db8347f8df26a2a1df26138275bebfdd595f29549e2c775cd226c9980850daced72809e0b148e1b4c84c6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp318C.tmp
Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/684-39-0x0000000000340000-0x000000000035A000-memory.dmp

Filesize
104KB

Download
memory/2164-6-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2164-7-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2164-8-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2208-30-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/2208-0-0x000007FEF5673000-0x000007FEF5674000-memory.dmp

Filesize
4KB

Download
memory/2208-31-0x000007FEF5673000-0x000007FEF5674000-memory.dmp

Filesize
4KB

Download
memory/2208-32-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/2208-40-0x00000000010C0000-0x00000000010FA000-memory.dmp

Filesize
232KB

Download
memory/2208-1-0x00000000012D0000-0x00000000012EA000-memory.dmp

Filesize
104KB

Download
memory/2208-45-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/2648-14-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2648-15-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2816-36-0x0000000000F50000-0x0000000000F6A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads