xworm | 0405ea85262008c736e2113f4fbfa1b9eadc1e59fea50737ed5edb4326f686a9

General

Target

проверка.rar
Size

67KB
MD5

e89a677ddfa8a60aeb45e72531e46847
SHA1

ae5f8093367716bf77003276f9886e6869fa9b19
SHA256

0405ea85262008c736e2113f4fbfa1b9eadc1e59fea50737ed5edb4326f686a9
SHA512

86d138e41045c77251d88e9a93649ce5591c3c743a026e8d68923b89c0a7e1b9adb04ffeb64869025c5599544dc03d815b9594392a2869e87753d80a7225796c
SSDEEP

1536:gSQMWjVGooE2vo7Ugl77wYAMHWwHVBhxmnZPVA5H:dQGob2vKl5HHvJy2H

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:65468

speed-wheat.gl.at.ply.gg:65468

XWorm V5.2:123

Attributes

Install_directory
%AppData%
install_file
Delta.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000001441e-26.dat	family_xworm
behavioral1/memory/2492-28-0x00000000003B0000-0x00000000003D0000-memory.dmp	family_xworm
behavioral1/memory/2416-60-0x0000000000F10000-0x0000000000F30000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
2404	powershell.exe
2396	powershell.exe
472	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk	проверка.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk	проверка.exe

Executes dropped EXE 3 IoCs

pid	Process
2492	проверка.exe
2416	Delta.exe
2520	Delta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe"	проверка.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2404	powershell.exe
2396	powershell.exe
472	powershell.exe
888	powershell.exe
2492	проверка.exe
2492	проверка.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2956	7zFM.exe
Token: 35	2956	7zFM.exe
Token: SeSecurityPrivilege	2956	7zFM.exe
Token: SeDebugPrivilege	2492	проверка.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2492	проверка.exe
Token: SeDebugPrivilege	2416	Delta.exe
Token: SeDebugPrivilege	2520	Delta.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2956	7zFM.exe
2956	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2492	проверка.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2956	2032	cmd.exe	29
PID 2032 wrote to memory of 2956	2032	cmd.exe	29
PID 2032 wrote to memory of 2956	2032	cmd.exe	29
PID 2492 wrote to memory of 2404	2492	проверка.exe	32
PID 2492 wrote to memory of 2404	2492	проверка.exe	32
PID 2492 wrote to memory of 2404	2492	проверка.exe	32
PID 2492 wrote to memory of 2396	2492	проверка.exe	34
PID 2492 wrote to memory of 2396	2492	проверка.exe	34
PID 2492 wrote to memory of 2396	2492	проверка.exe	34
PID 2492 wrote to memory of 472	2492	проверка.exe	36
PID 2492 wrote to memory of 472	2492	проверка.exe	36
PID 2492 wrote to memory of 472	2492	проверка.exe	36
PID 2492 wrote to memory of 888	2492	проверка.exe	38
PID 2492 wrote to memory of 888	2492	проверка.exe	38
PID 2492 wrote to memory of 888	2492	проверка.exe	38
PID 2492 wrote to memory of 2320	2492	проверка.exe	40
PID 2492 wrote to memory of 2320	2492	проверка.exe	40
PID 2492 wrote to memory of 2320	2492	проверка.exe	40
PID 2620 wrote to memory of 2416	2620	taskeng.exe	46
PID 2620 wrote to memory of 2416	2620	taskeng.exe	46
PID 2620 wrote to memory of 2416	2620	taskeng.exe	46
PID 2620 wrote to memory of 2520	2620	taskeng.exe	47
PID 2620 wrote to memory of 2520	2620	taskeng.exe	47
PID 2620 wrote to memory of 2520	2620	taskeng.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\проверка.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\проверка.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2956

C:\Users\Admin\Desktop\проверка.exe
"C:\Users\Admin\Desktop\проверка.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\проверка.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2320

C:\Windows\system32\taskeng.exe
taskeng.exe {57585404-243D-4455-BA87-EADB3568486E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\Delta.exe
  C:\Users\Admin\AppData\Roaming\Delta.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Users\Admin\AppData\Roaming\Delta.exe
  C:\Users\Admin\AppData\Roaming\Delta.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
790f9db32a0173294c7f605c6f929f2c

SHA1
4b9033bdba7247dbae89cec4592cbd671f67ca50

SHA256
5615102f3b66d382b953889186f6813295ef28e31082179c9a5cf9e9096901ee

SHA512
028237ccc284139547af8eda177e869f0f900b7a19c29ade7b57e57c19f545b1372b8ba7fb011626dbc064fd2ef80db027a392a5a6bb0e4a60514bb789befb68

Download Submit
C:\Users\Admin\Desktop\проверка.exe

Filesize
98KB

MD5
69c00aa1f2cecc09093eec932c788209

SHA1
2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c

SHA256
c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2

SHA512
8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214

Download Submit
memory/2396-40-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2396-41-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2404-33-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-34-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2416-60-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/2492-28-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/2492-62-0x000000001A5B0000-0x000000001A5BC000-memory.dmp

Filesize
48KB

Download
memory/2492-63-0x000000001AC80000-0x000000001AC8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads