xworm | 8d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac

General

Target

OverwolfXclient.exe
Size

1.2MB
MD5

c08106fd9c5999388d5e541743d45d5b
SHA1

571f4333cd757db2870e2459724b545e43ffcc11
SHA256

8d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac
SHA512

65c2e544e88b63e8d1216731be75f0407784d620af1b2dfa649eb87e9e6408ffa43a3697a94c8d4cf6cc9f8dfc83a0a824397ac75bbdde9fe3440802117e8261
SSDEEP

24576:908rin0gKu22AcpyGCcCBSrikukOqk344WIGu31rg:908rin0gKu22AcpyGC9kTOK4WIGWg

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7777

45.145.41.147:7777

Mutex

5N4ZirqATbPp1e8c

Attributes

Install_directory
%ProgramData%
install_file
WinBackup.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2972-9-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2972-7-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2972-6-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2972-13-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2972-11-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2700 powershell.exe
2948 powershell.exe
2464 powershell.exe
2860 powershell.exe

pid	process
2700	powershell.exe
2948	powershell.exe
2464	powershell.exe
2860	powershell.exe

Drops startup file 3 IoCs

Processes:

MSBuild.exeOverwolfXclient.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBackup.lnk	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	OverwolfXclient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBackup.lnk	MSBuild.exe

Executes dropped EXE 2 IoCs

Processes:

WinBackup.exeWinBackup.exe

pid process

2208 WinBackup.exe
1280 WinBackup.exe
Loads dropped DLL 1 IoCs

Processes:

MSBuild.exe

pid process

2972 MSBuild.exe

pid	process
2208	WinBackup.exe
1280	WinBackup.exe

pid	process
2972	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinBackup = "C:\\ProgramData\\WinBackup.exe"	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

OverwolfXclient.exe

description pid process target process

PID 1728 set thread context of 2972 1728 OverwolfXclient.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2272 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeMSBuild.exe

pid process

2700 powershell.exe
2948 powershell.exe
2464 powershell.exe
2860 powershell.exe
2972 MSBuild.exe

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 1728 set thread context of 2972	1728	OverwolfXclient.exe	MSBuild.exe

pid	process
2272	schtasks.exe

pid	process
2700	powershell.exe
2948	powershell.exe
2464	powershell.exe
2860	powershell.exe
2972	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

MSBuild.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2972	MSBuild.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2972	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2972 MSBuild.exe

pid	process
2972	MSBuild.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

OverwolfXclient.exeMSBuild.exetaskeng.exe

description	pid	process	target process
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 1728 wrote to memory of 2972	1728	OverwolfXclient.exe	MSBuild.exe
PID 2972 wrote to memory of 2700	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2700	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2700	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2700	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2948	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2948	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2948	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2948	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2464	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2464	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2464	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2464	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2860	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2860	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2860	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2860	2972	MSBuild.exe	powershell.exe
PID 2972 wrote to memory of 2272	2972	MSBuild.exe	schtasks.exe
PID 2972 wrote to memory of 2272	2972	MSBuild.exe	schtasks.exe
PID 2972 wrote to memory of 2272	2972	MSBuild.exe	schtasks.exe
PID 2972 wrote to memory of 2272	2972	MSBuild.exe	schtasks.exe
PID 1236 wrote to memory of 2208	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 2208	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 2208	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 2208	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 1280	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 1280	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 1280	1236	taskeng.exe	WinBackup.exe
PID 1236 wrote to memory of 1280	1236	taskeng.exe	WinBackup.exe

C:\Users\Admin\AppData\Local\Temp\OverwolfXclient.exe
"C:\Users\Admin\AppData\Local\Temp\OverwolfXclient.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinBackup.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinBackup.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinBackup" /tr "C:\ProgramData\WinBackup.exe"
3⤵
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\taskeng.exe
taskeng.exe {FA9D67B9-79C1-4583-B659-182EB674FF5C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\ProgramData\WinBackup.exe
C:\ProgramData\WinBackup.exe
2⤵
- Executes dropped EXE
PID:2208

C:\ProgramData\WinBackup.exe
C:\ProgramData\WinBackup.exe
2⤵
- Executes dropped EXE
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
760d628fc33b0a00eb974d997aa3140a

SHA1
d674de77e743b08946fbd69c98a24a8f2b2b5219

SHA256
8f43184ed5e132d460d58c5021489b27ced490d5c975fb047315ad6cee96fb08

SHA512
bb901272c6bac95c9eb027fbcc9dfa9627636ee2f51cae23e8bf5e8c04fc85a8dcb2284af6e96c29bf7e869c360df4fec6a98e15c91ad556ba35a590063e1cb3

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\WinBackup.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1280-47-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1728-1-0x0000000000D40000-0x0000000000E7A000-memory.dmp

Filesize
1.2MB

Download
memory/1728-3-0x00000000052F0000-0x00000000053A6000-memory.dmp

Filesize
728KB

Download
memory/1728-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2208-44-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/2972-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-14-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-15-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-40-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-41-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads