xworm | 28c951715ea1f1e20db6e2694c8b9676837190d4ff1c49c6c9f7cb41b899a91b

General

Target

lunarium.exe
Size

150KB
MD5

d5c26e12be6264033efd9e5e0662a953
SHA1

e4570cecc53e5e916c06e38c62221f27af7a1225
SHA256

28c951715ea1f1e20db6e2694c8b9676837190d4ff1c49c6c9f7cb41b899a91b
SHA512

adbb48ebda59c9b804ddaf4561a0679436987d6deef883d632f0eeb30adbc9c812f09eeefbbaef013f3139a5b6e3665af276a283c5ef73031861b49d01136b55
SSDEEP

3072:Ahd295oBFr9DnO/nk4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvM:AaLonr9jgVqwlL

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

p-never.gl.at.ply.gg:57388

Mutex

EKx5toUcZoEkFlZt

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2256-1-0x00000000002C0000-0x00000000002EC000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/2492-37-0x00000000010A0000-0x00000000010CC000-memory.dmp	family_xworm
behavioral1/memory/3048-46-0x0000000001120000-0x000000000114C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2744 powershell.exe
2580 powershell.exe
2392 powershell.exe
2096 powershell.exe

pid	process
2744	powershell.exe
2580	powershell.exe
2392	powershell.exe
2096	powershell.exe

Drops startup file 2 IoCs

Processes:

lunarium.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	lunarium.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	lunarium.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2492 svchost.exe
3048 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

lunarium.exe

pid process

2256 lunarium.exe

pid	process
2492	svchost.exe
3048	svchost.exe

pid	process
2256	lunarium.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lunarium.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	lunarium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2820 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2096 powershell.exe
2744 powershell.exe
2580 powershell.exe
2392 powershell.exe

pid	process
2820	schtasks.exe

pid	process
2096	powershell.exe
2744	powershell.exe
2580	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

lunarium.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exeAUDIODG.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	2256	lunarium.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2256	lunarium.exe
Token: SeDebugPrivilege	2492	svchost.exe
Token: 33	240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	240	AUDIODG.EXE
Token: 33	240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	240	AUDIODG.EXE
Token: SeDebugPrivilege	3048	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

lunarium.exetaskeng.exe

description	pid	process	target process
PID 2256 wrote to memory of 2096	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2096	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2096	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2744	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2744	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2744	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2580	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2580	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2580	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2392	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2392	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2392	2256	lunarium.exe	powershell.exe
PID 2256 wrote to memory of 2820	2256	lunarium.exe	schtasks.exe
PID 2256 wrote to memory of 2820	2256	lunarium.exe	schtasks.exe
PID 2256 wrote to memory of 2820	2256	lunarium.exe	schtasks.exe
PID 3020 wrote to memory of 2492	3020	taskeng.exe	svchost.exe
PID 3020 wrote to memory of 2492	3020	taskeng.exe	svchost.exe
PID 3020 wrote to memory of 2492	3020	taskeng.exe	svchost.exe
PID 3020 wrote to memory of 3048	3020	taskeng.exe	svchost.exe
PID 3020 wrote to memory of 3048	3020	taskeng.exe	svchost.exe
PID 3020 wrote to memory of 3048	3020	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\lunarium.exe
"C:\Users\Admin\AppData\Local\Temp\lunarium.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lunarium.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'lunarium.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\taskeng.exe
taskeng.exe {641AA99F-2CE0-4AF3-B2BC-925207929ACB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xd4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9072df269caf634fdcc1c8dba9a82d78

SHA1
b71aafe4c9ba41e2f401842badb11b8ff6637afa

SHA256
9912a4fca64e4ca3a10926b17ce8df51d1df499ef476958ba87e3368b4a14be1

SHA512
cc90d7abbd087fcd64c046b8f3e7f3860270fc60029b98f3c1e5df3ed2a8aecc86e4a96792cd38d82134cea7d75fed6739b8429a8f9058b07abf577ab5acfd0f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
150KB

MD5
d5c26e12be6264033efd9e5e0662a953

SHA1
e4570cecc53e5e916c06e38c62221f27af7a1225

SHA256
28c951715ea1f1e20db6e2694c8b9676837190d4ff1c49c6c9f7cb41b899a91b

SHA512
adbb48ebda59c9b804ddaf4561a0679436987d6deef883d632f0eeb30adbc9c812f09eeefbbaef013f3139a5b6e3665af276a283c5ef73031861b49d01136b55

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3958.tmp
Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/2096-8-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2096-7-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-6-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2256-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2256-32-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2256-38-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2256-39-0x000000001AD90000-0x000000001ADCA000-memory.dmp

Filesize
232KB

Download
memory/2256-1-0x00000000002C0000-0x00000000002EC000-memory.dmp

Filesize
176KB

Download
memory/2256-44-0x000000001BFB0000-0x000000001C03E000-memory.dmp

Filesize
568KB

Download
memory/2492-37-0x00000000010A0000-0x00000000010CC000-memory.dmp

Filesize
176KB

Download
memory/2744-14-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-15-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/3048-46-0x0000000001120000-0x000000000114C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads