xworm | 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1

General

Target

6e1e63e97c09758e3db18ea31bd95284.exe
Size

724KB
MD5

6e1e63e97c09758e3db18ea31bd95284
SHA1

6f4a188d43122d22a14459123764a094ed56b37c
SHA256

2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512

0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP

12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.27.41:7000

Mutex

9ZF9ZsOZGh1T1r1n

Attributes

Install_directory
%Public%
install_file
csrss.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\XClient.exe	family_xworm
behavioral1/memory/1820-12-0x0000000000F30000-0x0000000000F40000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1164 powershell.exe
2404 powershell.exe
2456 powershell.exe
2532 powershell.exe

pid	process
1164	powershell.exe
2404	powershell.exe
2456	powershell.exe
2532	powershell.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

example.exeXClient.exe

pid process

2236 example.exe
1820 XClient.exe
Loads dropped DLL 1 IoCs

Processes:

6e1e63e97c09758e3db18ea31bd95284.exe

pid process

1664 6e1e63e97c09758e3db18ea31bd95284.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1664	6e1e63e97c09758e3db18ea31bd95284.exe

flow	ioc
16	ip-api.com

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

example.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	process
2236	example.exe
2236	example.exe
2236	example.exe
2236	example.exe
2236	example.exe
1164	powershell.exe
2404	powershell.exe
2456	powershell.exe
2532	powershell.exe
1820	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1820	XClient.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1820	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

1820 XClient.exe

pid	process
1820	XClient.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6e1e63e97c09758e3db18ea31bd95284.exeexample.execmd.exeXClient.exe

description	pid	process	target process
PID 1664 wrote to memory of 2236	1664	6e1e63e97c09758e3db18ea31bd95284.exe	example.exe
PID 1664 wrote to memory of 2236	1664	6e1e63e97c09758e3db18ea31bd95284.exe	example.exe
PID 1664 wrote to memory of 2236	1664	6e1e63e97c09758e3db18ea31bd95284.exe	example.exe
PID 1664 wrote to memory of 1820	1664	6e1e63e97c09758e3db18ea31bd95284.exe	XClient.exe
PID 1664 wrote to memory of 1820	1664	6e1e63e97c09758e3db18ea31bd95284.exe	XClient.exe
PID 1664 wrote to memory of 1820	1664	6e1e63e97c09758e3db18ea31bd95284.exe	XClient.exe
PID 2236 wrote to memory of 1204	2236	example.exe	cmd.exe
PID 2236 wrote to memory of 1204	2236	example.exe	cmd.exe
PID 2236 wrote to memory of 1204	2236	example.exe	cmd.exe
PID 1204 wrote to memory of 1532	1204	cmd.exe	certutil.exe
PID 1204 wrote to memory of 1532	1204	cmd.exe	certutil.exe
PID 1204 wrote to memory of 1532	1204	cmd.exe	certutil.exe
PID 1204 wrote to memory of 1636	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1636	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1636	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1124	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1124	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1124	1204	cmd.exe	find.exe
PID 1820 wrote to memory of 1164	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 1164	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 1164	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2404	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2404	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2404	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2456	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2456	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2456	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2532	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2532	1820	XClient.exe	powershell.exe
PID 1820 wrote to memory of 2532	1820	XClient.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\6e1e63e97c09758e3db18ea31bd95284.exe
"C:\Users\Admin\AppData\Local\Temp\6e1e63e97c09758e3db18ea31bd95284.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\example.exe
"C:\Users\Admin\example.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
3⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\example.exe" MD5
4⤵
PID:1532

C:\Windows\system32\find.exe
find /i /v "md5"
4⤵
PID:1636

C:\Windows\system32\find.exe
find /i /v "certutil"
4⤵
PID:1124

C:\Users\Admin\XClient.exe
"C:\Users\Admin\XClient.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e8ca28d2728d612e971839a3532d9be5

SHA1
c7b547c63f954d0e5b6f6b6374170538c3bc6364

SHA256
f2261ee53514b15491fd112bd1e9df96df3fdcc75e42dad3292704bfce671ce6

SHA512
618f62067ed08c9530e5679cfcb6cf6dc1746fa183474ebed48e388925e54712eba528effb5f2db69fa162acdf16e3bf4d61c093b044df02b277b339c8a55551

Download Submit
C:\Users\Admin\XClient.exe
Filesize
40KB

MD5
7ea387ab126b2ecf3365d448a318a433

SHA1
71b6e05898b68ed72ca95266d6293b225c40b612

SHA256
573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015

SHA512
68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\example.exe
Filesize
673KB

MD5
56a9b5d3e447355a8d29a2d02a00b70c

SHA1
af802aab037d6ae208b040e4e0b629665f208394

SHA256
8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1

SHA512
c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081

Download Submit
memory/1164-21-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/1164-20-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1664-0-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp

Filesize
4KB

Download
memory/1664-1-0x0000000001360000-0x000000000141C000-memory.dmp

Filesize
752KB

Download
memory/1820-14-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-15-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-12-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/1820-44-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-45-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-27-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-28-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads