xworm | a53ea993bd31a24b3620978a84164bba38f592eb01f4d4cfe9bc4ae1af99c4a4

General

Target

Funny.exe
Size

38KB
MD5

90fc7afe1b516a9fa685089ae0f5f322
SHA1

94ee6cb901f16a3136607c0e194c1e76b5ac76d8
SHA256

a53ea993bd31a24b3620978a84164bba38f592eb01f4d4cfe9bc4ae1af99c4a4
SHA512

e3f5d77e6da170460d9bfa3273608397f3fb0bc98eb34ed1729c357681d449a443e54abf75259efceca98c1527e0ed6201154556a1e889b11901a1b53fb5f2c9
SSDEEP

768:lPDWCCqClY9UiX/anrEvr0GXFyc9BjQ6OO/hdDQnl+:lPDWPleUganrezF39xQ6OO/Wl+

Score

10^/10

xworm execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

by-mit.gl.at.ply.gg:3500

Mutex

MsPnnj1aWUGMygHH

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3932-1-0x0000000000220000-0x0000000000230000-memory.dmp	family_xworm
C:\ProgramData\program	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1160 powershell.exe
960 powershell.exe
2164 powershell.exe
2964 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Funny.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Funny.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Funny.exe

Drops startup file 2 IoCs

Processes:

Funny.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk	Funny.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk	Funny.exe

Executes dropped EXE 1 IoCs

Processes:

program

pid process

3024 program

pid	process
3024	program

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Funny.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\program = "C:\\ProgramData\\program"	Funny.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Funny.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Funny.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1860 schtasks.exe

pid	process
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1160	powershell.exe
1160	powershell.exe
960	powershell.exe
960	powershell.exe
2164	powershell.exe
2164	powershell.exe
2964	powershell.exe
2964	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Funny.exepowershell.exepowershell.exepowershell.exepowershell.exeprogram

description	pid	process
Token: SeDebugPrivilege	3932	Funny.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3932	Funny.exe
Token: SeDebugPrivilege	3024	program

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Funny.exe

description	pid	process	target process
PID 3932 wrote to memory of 1160	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 1160	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 960	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 960	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 2164	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 2164	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 2964	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 2964	3932	Funny.exe	powershell.exe
PID 3932 wrote to memory of 1860	3932	Funny.exe	schtasks.exe
PID 3932 wrote to memory of 1860	3932	Funny.exe	schtasks.exe
PID 3932 wrote to memory of 1080	3932	Funny.exe	msedge.exe
PID 3932 wrote to memory of 1080	3932	Funny.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Funny.exe
"C:\Users\Admin\AppData\Local\Temp\Funny.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Funny.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Funny.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\program'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'program'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "program" /tr "C:\ProgramData\program"
2⤵
- Creates scheduled task(s)
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
2⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5044 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1
1⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5760 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1
1⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5544 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1
1⤵
PID:4164

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ea37472b7ea04d4b88b57381d4173427 /t 2824 /p 4236
1⤵
PID:4900

C:\ProgramData\program
C:\ProgramData\program
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\program
Filesize
38KB

MD5
90fc7afe1b516a9fa685089ae0f5f322

SHA1
94ee6cb901f16a3136607c0e194c1e76b5ac76d8

SHA256
a53ea993bd31a24b3620978a84164bba38f592eb01f4d4cfe9bc4ae1af99c4a4

SHA512
e3f5d77e6da170460d9bfa3273608397f3fb0bc98eb34ed1729c357681d449a443e54abf75259efceca98c1527e0ed6201154556a1e889b11901a1b53fb5f2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
be67063c62a242565760a02a642a9f02

SHA1
d1043a892b44d6676f71b568f578fff947266a19

SHA256
56f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48

SHA512
90d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bxcw3il.swf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B

MD5
d012e5555ae6936cbe76b0edf9b0da69

SHA1
0a80fe68cdd19432d8f4ccae4b505613064f1966

SHA256
7a35c4144ba71bf57b0fe01b116314ff31f3765cd6667c3d48def6fe1c4af861

SHA512
920b93ad09eddab8b03be79bc8813abce6beaa0cbb37ff0a8d85c92c8940ce003bb03d967eaa84d22b01e00aabfab26e16c2d41fb2c56bd60bf08171cb130de6

Download Submit
memory/960-34-0x0000021DE5F80000-0x0000021DE60CE000-memory.dmp

Filesize
1.3MB

Download
memory/1160-20-0x000001BA42190000-0x000001BA422DE000-memory.dmp

Filesize
1.3MB

Download
memory/1160-3-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/1160-15-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/1160-21-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/1160-12-0x000001BA41FF0000-0x000001BA42012000-memory.dmp

Filesize
136KB

Download
memory/1160-4-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/1160-16-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/1160-17-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/2164-46-0x00000177FDDB0000-0x00000177FDEFE000-memory.dmp

Filesize
1.3MB

Download
memory/2964-58-0x000002A3F9EC0000-0x000002A3FA00E000-memory.dmp

Filesize
1.3MB

Download
memory/3932-2-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/3932-62-0x00007FFC8CBB3000-0x00007FFC8CBB5000-memory.dmp

Filesize
8KB

Download
memory/3932-63-0x00007FFC8CBB0000-0x00007FFC8D671000-memory.dmp

Filesize
10.8MB

Download
memory/3932-64-0x000000001BF50000-0x000000001BF5C000-memory.dmp

Filesize
48KB

Download
memory/3932-0-0x00007FFC8CBB3000-0x00007FFC8CBB5000-memory.dmp

Filesize
8KB

Download
memory/3932-1-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads