xworm | 3c786fd8f95d6787bf27728c6aa5d58054c6e923445147229f95de18ac4bbacd

General

Target

Steam.exe
Size

438KB
MD5

4b784bf857356251bccf184911e0e8d8
SHA1

5ef9015b62a62f4b2bff9a34fb5f3d1639a29937
SHA256

3c786fd8f95d6787bf27728c6aa5d58054c6e923445147229f95de18ac4bbacd
SHA512

73d2b89b3f9b83c18cc3fd270ef26a288625fc339acc29b0e806b57c185313bb7bfc084cddd8cb95449034bef8ac60481c6b150469eaf4ae2c09a1e9efa5f2da
SSDEEP

6144:YfjoMm6fbwY/D8TWrbTP/8+GIIIIIIIhIIIIIIIIIIIIIIIU:sfLheWzPX

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/4608-1-0x0000000000480000-0x00000000004F4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3788	powershell.exe
2504	powershell.exe
1876	powershell.exe
4192	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe"	Steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3788	powershell.exe
3788	powershell.exe
2504	powershell.exe
2504	powershell.exe
1876	powershell.exe
1876	powershell.exe
4192	powershell.exe
4192	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	Steam.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4608	Steam.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 3788	4608	Steam.exe	78
PID 4608 wrote to memory of 3788	4608	Steam.exe	78
PID 4608 wrote to memory of 2504	4608	Steam.exe	80
PID 4608 wrote to memory of 2504	4608	Steam.exe	80
PID 4608 wrote to memory of 1876	4608	Steam.exe	82
PID 4608 wrote to memory of 1876	4608	Steam.exe	82
PID 4608 wrote to memory of 4192	4608	Steam.exe	84
PID 4608 wrote to memory of 4192	4608	Steam.exe	84
PID 4608 wrote to memory of 2224	4608	Steam.exe	86
PID 4608 wrote to memory of 2224	4608	Steam.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
979db644c2cade95abc261f491bf3b6c

SHA1
251e5cde0a34f14694f95c681dc7cfe63bd60844

SHA256
3781dd13cdbb9b2639aafb7e49da7e37ef6e3bb03151240764819a46b7a13cb9

SHA512
7114c56e51c5212d951093d72c98ef7a31055693b1de7b1709347c4af27ed5eadf758e1b0d0faafdbf54252da2ddba571118d9f11dd9bf480bd7fe17e71c5464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a444c5ef1707a0d5eb7a35c362ef108b

SHA1
32feb550fbaf87284ab64f0d0de3ceb149e38e73

SHA256
d740fc7dd506ff7662f70c50f911542cd5706d340c7c48713fc435066a96c0b1

SHA512
099ca139ae73c1b6cadc9b05d5dc48d39a6380eabf0a9521cd32e20ab637cc58995e47f60c20c7542ac38a43a3dbf6d75579ecb1eabfcad64cdb1d0efa79020f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4093e5ab3812960039eba1a814c2ffb0

SHA1
b5e4a98a80be72fccd3cc910e93113d2febef298

SHA256
c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

SHA512
f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuptiy4x.ivl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3788-11-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-13-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-14-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-15-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-18-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-12-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-10-0x0000027B082F0000-0x0000027B08312000-memory.dmp

Filesize
136KB

Download
memory/4608-0-0x00007FFF0D8F3000-0x00007FFF0D8F5000-memory.dmp

Filesize
8KB

Download
memory/4608-1-0x0000000000480000-0x00000000004F4000-memory.dmp

Filesize
464KB

Download
memory/4608-51-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download
memory/4608-52-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads