xworm | 668e1915843fce533abb874f9933deb6136103f5f31d09847a1e086fbaa18e9b

Reason

Machine shutdown

General

Target

укцу.exe
Size

72KB
MD5

029acdc2e958ec708b40a237f681ae75
SHA1

3c1ea5e5639bc18153410208429a87a64075a23c
SHA256

668e1915843fce533abb874f9933deb6136103f5f31d09847a1e086fbaa18e9b
SHA512

96cbe9b27f619831c7d38eb4f8922e53fd3c710af067bb64748aa89de07442b081b7c522dd1da5e659c501e72461b10de1c3883aa19815d9b030843d02c0ceca
SSDEEP

1536:Y0oRipEs7aFqa6XfhIQiMjA/DbO/MoBGM1rujK6gYSOsFbJY:Y0iU7aFqaSRDjKDbO/9N1USOsDY

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

european-ba.gl.at.ply.gg:14522

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2908-45-0x000000001A8F0000-0x000000001A8FE000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2908-1-0x00000000010C0000-0x00000000010D8000-memory.dmp	family_xworm
behavioral1/files/0x000e000000012707-35.dat	family_xworm
behavioral1/memory/1604-37-0x0000000000040000-0x0000000000058000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe
2652	powershell.exe
2472	powershell.exe
1064	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	укцу.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	укцу.exe

Executes dropped EXE 1 IoCs

pid	Process
1604	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	укцу.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	укцу.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1948	powershell.exe
2652	powershell.exe
2472	powershell.exe
1064	powershell.exe
2908	укцу.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	укцу.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2908	укцу.exe
Token: SeDebugPrivilege	1604	svchost.exe
Token: SeShutdownPrivilege	2920	shutdown.exe
Token: SeRemoteShutdownPrivilege	2920	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	укцу.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1948	2908	укцу.exe	29
PID 2908 wrote to memory of 1948	2908	укцу.exe	29
PID 2908 wrote to memory of 1948	2908	укцу.exe	29
PID 2908 wrote to memory of 2652	2908	укцу.exe	31
PID 2908 wrote to memory of 2652	2908	укцу.exe	31
PID 2908 wrote to memory of 2652	2908	укцу.exe	31
PID 2908 wrote to memory of 2472	2908	укцу.exe	33
PID 2908 wrote to memory of 2472	2908	укцу.exe	33
PID 2908 wrote to memory of 2472	2908	укцу.exe	33
PID 2908 wrote to memory of 1064	2908	укцу.exe	35
PID 2908 wrote to memory of 1064	2908	укцу.exe	35
PID 2908 wrote to memory of 1064	2908	укцу.exe	35
PID 2908 wrote to memory of 2772	2908	укцу.exe	37
PID 2908 wrote to memory of 2772	2908	укцу.exe	37
PID 2908 wrote to memory of 2772	2908	укцу.exe	37
PID 1008 wrote to memory of 1604	1008	taskeng.exe	42
PID 1008 wrote to memory of 1604	1008	taskeng.exe	42
PID 1008 wrote to memory of 1604	1008	taskeng.exe	42
PID 2908 wrote to memory of 2920	2908	укцу.exe	43
PID 2908 wrote to memory of 2920	2908	укцу.exe	43
PID 2908 wrote to memory of 2920	2908	укцу.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\укцу.exe
"C:\Users\Admin\AppData\Local\Temp\укцу.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\укцу.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'укцу.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2772
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

C:\Windows\system32\taskeng.exe
taskeng.exe {A90F4D6A-70B1-413F-A95B-55ADCBA19C36} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96f5e166c35b4e06c188bd79164a067c

SHA1
fa683e03fed7ac4c71954f59b5748eae178f64fc

SHA256
94ac3c8521850316a5abf8b8e9f48ac568e3441ab2b71b8241444668a15ad9d3

SHA512
e7338dab05b13260df4bf083aef218aa7e3f745cdeeeab9a2e23fbac36c91ec43fcd8928cd4a0d9877a5285f5d36a8889b022acb72defc97ce4d726f0e3de695

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
72KB

MD5
029acdc2e958ec708b40a237f681ae75

SHA1
3c1ea5e5639bc18153410208429a87a64075a23c

SHA256
668e1915843fce533abb874f9933deb6136103f5f31d09847a1e086fbaa18e9b

SHA512
96cbe9b27f619831c7d38eb4f8922e53fd3c710af067bb64748aa89de07442b081b7c522dd1da5e659c501e72461b10de1c3883aa19815d9b030843d02c0ceca

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD29B.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/1604-37-0x0000000000040000-0x0000000000058000-memory.dmp

Filesize
96KB

Download
memory/1948-9-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1948-7-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1948-8-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-15-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2652-16-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2908-33-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2908-32-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-0-0x000007FEF5913000-0x000007FEF5914000-memory.dmp

Filesize
4KB

Download
memory/2908-31-0x000007FEF5913000-0x000007FEF5914000-memory.dmp

Filesize
4KB

Download
memory/2908-2-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-38-0x0000000000CF0000-0x0000000000D2A000-memory.dmp

Filesize
232KB

Download
memory/2908-1-0x00000000010C0000-0x00000000010D8000-memory.dmp

Filesize
96KB

Download
memory/2908-43-0x000000001A860000-0x000000001A8EE000-memory.dmp

Filesize
568KB

Download
memory/2908-45-0x000000001A8F0000-0x000000001A8FE000-memory.dmp

Filesize
56KB

Download
memory/2908-46-0x000000001E620000-0x000000001E970000-memory.dmp

Filesize
3.3MB

Download
memory/2908-47-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads