xworm | f5397c537fc606330bde4041b772c48e32170215def2a147a2c9f514c594aeab

General

Target

Terraria.exe
Size

60KB
MD5

26431ec9a1a79dabe8a67b64c005942e
SHA1

4f97b1ab1cec347bb27e6d49c791ca064c915c1f
SHA256

f5397c537fc606330bde4041b772c48e32170215def2a147a2c9f514c594aeab
SHA512

c95e03b07499b7cdd15e323d67b7a81bc1eb11cd6c6670a0d9a627cf119e4cc173f8ba2e00e65bb50cdf7d34316a54ab8d4ebb880eb7f9a71197dfe13678697a
SSDEEP

1536:Ke92V1xhC29ycp5+GvlYqibRmfF6uCOSJXfO38v:Ke92VM2cWwGvNibRvOSJfOsv

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

add-enlarge.gl.at.ply.gg:14520

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2476-1-0x0000000001050000-0x0000000001066000-memory.dmp	family_xworm
behavioral1/files/0x000d000000015bb9-32.dat	family_xworm
behavioral1/memory/1776-34-0x0000000000B70000-0x0000000000B86000-memory.dmp	family_xworm
behavioral1/memory/2956-40-0x0000000001300000-0x0000000001316000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2512	powershell.exe
2432	powershell.exe
2464	powershell.exe
1884	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Terraria.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Terraria.exe

Executes dropped EXE 3 IoCs

pid	Process
1776	svchost.exe
2088	svchost.exe
2956	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	Terraria.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2512	powershell.exe
2432	powershell.exe
2464	powershell.exe
1884	powershell.exe
2476	Terraria.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	Terraria.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2476	Terraria.exe
Token: SeDebugPrivilege	1776	svchost.exe
Token: SeDebugPrivilege	2088	svchost.exe
Token: SeDebugPrivilege	2956	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	Terraria.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2512	2476	Terraria.exe	29
PID 2476 wrote to memory of 2512	2476	Terraria.exe	29
PID 2476 wrote to memory of 2512	2476	Terraria.exe	29
PID 2476 wrote to memory of 2432	2476	Terraria.exe	31
PID 2476 wrote to memory of 2432	2476	Terraria.exe	31
PID 2476 wrote to memory of 2432	2476	Terraria.exe	31
PID 2476 wrote to memory of 2464	2476	Terraria.exe	33
PID 2476 wrote to memory of 2464	2476	Terraria.exe	33
PID 2476 wrote to memory of 2464	2476	Terraria.exe	33
PID 2476 wrote to memory of 1884	2476	Terraria.exe	35
PID 2476 wrote to memory of 1884	2476	Terraria.exe	35
PID 2476 wrote to memory of 1884	2476	Terraria.exe	35
PID 2476 wrote to memory of 2720	2476	Terraria.exe	37
PID 2476 wrote to memory of 2720	2476	Terraria.exe	37
PID 2476 wrote to memory of 2720	2476	Terraria.exe	37
PID 1760 wrote to memory of 1776	1760	taskeng.exe	40
PID 1760 wrote to memory of 1776	1760	taskeng.exe	40
PID 1760 wrote to memory of 1776	1760	taskeng.exe	40
PID 1760 wrote to memory of 2088	1760	taskeng.exe	43
PID 1760 wrote to memory of 2088	1760	taskeng.exe	43
PID 1760 wrote to memory of 2088	1760	taskeng.exe	43
PID 1760 wrote to memory of 2956	1760	taskeng.exe	44
PID 1760 wrote to memory of 2956	1760	taskeng.exe	44
PID 1760 wrote to memory of 2956	1760	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Terraria.exe
"C:\Users\Admin\AppData\Local\Temp\Terraria.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Terraria.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Terraria.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {D4BB9CFB-A608-4754-A982-9FADFCDC4048} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf409dac27decefb69fe88ad1440abaa

SHA1
d28b67af21f15c86141a2e54a27be653ead6331a

SHA256
639429a7475114ae78803dbf3971c1811f8e99ee8beb6f4d2bc6d8d80d1987dc

SHA512
efd41fe52083ec57490cac9942653cea562671333d7eaf0a9018ae387d92527d3312a4bde664ab5e5ee9227c04c70d6204f752a58dc7b45592c1854bd2e00a58

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
60KB

MD5
26431ec9a1a79dabe8a67b64c005942e

SHA1
4f97b1ab1cec347bb27e6d49c791ca064c915c1f

SHA256
f5397c537fc606330bde4041b772c48e32170215def2a147a2c9f514c594aeab

SHA512
c95e03b07499b7cdd15e323d67b7a81bc1eb11cd6c6670a0d9a627cf119e4cc173f8ba2e00e65bb50cdf7d34316a54ab8d4ebb880eb7f9a71197dfe13678697a

Download Submit
memory/1776-34-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/2432-15-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2432-16-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2476-2-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-1-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/2476-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2476-35-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2476-36-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-7-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2512-8-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2512-9-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2956-40-0x0000000001300000-0x0000000001316000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads