xworm | 4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c

General

Target

EzCrack.exe
Size

78KB
MD5

9efc872f4f99869fd6befd84076b1f02
SHA1

6bb6931b260936082028812f079f5b4543e599e0
SHA256

4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c
SHA512

cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381
SSDEEP

1536:dRNd9tEnU5G+eiIhLK7AiVqbDoxTBH/d1Pq63FBN77OCXnG73E:drdARhLIVqbDSH/dVPN3OCXGDE

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
ApplicationFrameHost.exe
pastebin_url
https://pastebin.com/raw/gf3CpGLZ
telegram
https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4724-1-0x00000000006F0000-0x000000000070A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3428 powershell.exe
2596 powershell.exe
3236 powershell.exe
2496 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EzCrack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EzCrack.exe

Drops startup file 2 IoCs

Processes:

EzCrack.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk	EzCrack.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk	EzCrack.exe

Executes dropped EXE 2 IoCs

Processes:

ApplicationFrameHost.exeApplicationFrameHost.exe

pid process

908 ApplicationFrameHost.exe
2300 ApplicationFrameHost.exe

pid	process
908	ApplicationFrameHost.exe
2300	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EzCrack.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ApplicationFrameHost.exe"	EzCrack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

25 pastebin.com
26 pastebin.com
38 5.tcp.eu.ngrok.io
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4616 schtasks.exe

flow	ioc
25	pastebin.com
26	pastebin.com
38	5.tcp.eu.ngrok.io

flow	ioc
22	ip-api.com

pid	process
4616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeEzCrack.exe

pid	process
3428	powershell.exe
3428	powershell.exe
2596	powershell.exe
2596	powershell.exe
3236	powershell.exe
3236	powershell.exe
2496	powershell.exe
2496	powershell.exe
4724	EzCrack.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

EzCrack.exepowershell.exepowershell.exepowershell.exepowershell.exeApplicationFrameHost.exeApplicationFrameHost.exe

description	pid	process
Token: SeDebugPrivilege	4724	EzCrack.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	4724	EzCrack.exe
Token: SeDebugPrivilege	908	ApplicationFrameHost.exe
Token: SeDebugPrivilege	2300	ApplicationFrameHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EzCrack.exe

pid process

4724 EzCrack.exe

pid	process
4724	EzCrack.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EzCrack.exe

description	pid	process	target process
PID 4724 wrote to memory of 3428	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 3428	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 2596	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 2596	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 3236	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 3236	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 2496	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 2496	4724	EzCrack.exe	powershell.exe
PID 4724 wrote to memory of 4616	4724	EzCrack.exe	schtasks.exe
PID 4724 wrote to memory of 4616	4724	EzCrack.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EzCrack.exe
"C:\Users\Admin\AppData\Local\Temp\EzCrack.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EzCrack.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'EzCrack.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe"
2⤵
- Creates scheduled task(s)
PID:4616

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
35967cf5ed9a95ec4fe527dd96567a02

SHA1
6a7439c241a30ec540d5d204e02a4cbb2a464737

SHA256
4394552922777081d43fb523126cf176d5a676602a5435713320942034f6b3cf

SHA512
419b3c336a67ef964bc166d1267cea146ed5878f98304d6e39fb9a3c0394d75693810a9ddc101cdda5e3196ad7d603df01a3260705cf9ef7cf8d4b252df01f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
Filesize
78KB

MD5
9efc872f4f99869fd6befd84076b1f02

SHA1
6bb6931b260936082028812f079f5b4543e599e0

SHA256
4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c

SHA512
cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5u10viu.5dw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3428-9-0x000001F3554F0000-0x000001F355512000-memory.dmp

Filesize
136KB

Download
memory/3428-18-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/3428-15-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/3428-14-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/3428-3-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/4724-0-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

Filesize
8KB

Download
memory/4724-57-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

Filesize
8KB

Download
memory/4724-58-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/4724-2-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/4724-1-0x00000000006F0000-0x000000000070A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads