xworm | aeab4b66da21ca4ff328d202cb2db093849448b968fa12099ff10f23e19dc60e

General

Target

main/main.v1.exe
Size

1.2MB
MD5

dc34a8f3b65df10c070951e4badc0dc4
SHA1

cf3f53df78152e416ae517dd09a2d8e874c3cb05
SHA256

6666c3ef1bb36779fd6725d4ec308dd4a5a7677931844691d1d3fdba46c3278f
SHA512

a52afa789dc5ac42c50a2364c2d9e8138aaee833ac4e266f99473a01412e46fcbfa3351adf538ec023df13234203b90c0b8d3e429155b4515da1210657f9e008
SSDEEP

24576:vGjmmvk+tKHCeYhDM/gRZGJ1FkRlqY3Jna5ptgJBXc1mz7MljDBdUaUk/0nF:+6mvoieODMo/GJQoYpantgbv81ck0n

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

gift-scientists.gl.at.ply.gg:20443

Attributes

Install_directory
%AppData%
install_file
scvhost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002a8e7-6.dat	family_xworm
behavioral2/memory/32-18-0x00000000007C0000-0x00000000007D6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe
652	powershell.exe
1920	powershell.exe
220	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
32	vape.exe
4360	feds.lol.exe
4956	scvhost.exe
4296	scvhost.exe
2088	scvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1624	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
32	vape.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
652	powershell.exe
652	powershell.exe
1920	powershell.exe
1920	powershell.exe
220	powershell.exe
220	powershell.exe
2144	powershell.exe
2144	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	vape.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	32	vape.exe
Token: SeDebugPrivilege	4956	scvhost.exe
Token: SeDebugPrivilege	4296	scvhost.exe
Token: SeDebugPrivilege	2088	scvhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 32	4556	main.v1.exe	79
PID 4556 wrote to memory of 32	4556	main.v1.exe	79
PID 4556 wrote to memory of 4360	4556	main.v1.exe	80
PID 4556 wrote to memory of 4360	4556	main.v1.exe	80
PID 32 wrote to memory of 652	32	vape.exe	84
PID 32 wrote to memory of 652	32	vape.exe	84
PID 32 wrote to memory of 1920	32	vape.exe	86
PID 32 wrote to memory of 1920	32	vape.exe	86
PID 32 wrote to memory of 220	32	vape.exe	88
PID 32 wrote to memory of 220	32	vape.exe	88
PID 32 wrote to memory of 2144	32	vape.exe	90
PID 32 wrote to memory of 2144	32	vape.exe	90
PID 32 wrote to memory of 1624	32	vape.exe	92
PID 32 wrote to memory of 1624	32	vape.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\main\main.v1.exe
"C:\Users\Admin\AppData\Local\Temp\main\main.v1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Roaming\vape.exe
  "C:\Users\Admin\AppData\Roaming\vape.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vape.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vape.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1624
- C:\Users\Admin\AppData\Roaming\feds.lol.exe
  "C:\Users\Admin\AppData\Roaming\feds.lol.exe"
  2⤵
  - Executes dropped EXE
  PID:4360

C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scvhost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
856900844f6f1c326c89d0bcfb2f0c28

SHA1
1caad440d46fa8c0cbed4822b4be2bbdddba97c2

SHA256
ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

SHA512
ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7673410b995b49b300375100bbcb516

SHA1
7656933c6014d481f09df4d7026dc7f3b8a8e265

SHA256
c76be733d0b42861798d9f325123a19d56d99866cd17f791ae396a773471aaef

SHA512
6b51d7d143e069fd182407a4dc2e791eebfe72f84ae7ae57163b627b0e62e8acf0c86f9102a7697d1c8a31e6ee91020c9eb3c6de5f83eb71b2717dee158d629b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1phtgnid.gu4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\feds.lol.exe

Filesize
1.2MB

MD5
9a5bbfcfd9311824e175ab98a346770c

SHA1
8c1473c9513364779b35a7a65ed71ef4f321a180

SHA256
08a07606f1cace7f9c7c2578ffa15d1aeb0406841ad3e520a0cf02ddab1d9edf

SHA512
2845bd3c99ae36a15054c2dcf2bd93d069781cde18f96bd844c8814916f195de407ec1cbddf8c4d4f0c23003bf4dbc182dca1ac7a672235c1024895f2dd74148

Download Submit
C:\Users\Admin\AppData\Roaming\vape.exe

Filesize
61KB

MD5
409c4205d1119c67e3ed65c16f9b71c7

SHA1
2dd6c500f1bc16e59764cd1ac13642463efa52e7

SHA256
924d8102157fd6dbcda4cac2b035be62d8aeeb3e3d8d5bea167989a33d0141fd

SHA512
1de55f5dd34b546078130cb5619295113200d7fc254ef32573db256ece2ebc89181ff0cb92900617728f04a11d688d9b4bbd32b3152d1a66c9d93a206d1d135d

Download Submit
memory/32-23-0x00007FFBE9C70000-0x00007FFBEA732000-memory.dmp

Filesize
10.8MB

Download
memory/32-18-0x00000000007C0000-0x00000000007D6000-memory.dmp

Filesize
88KB

Download
memory/32-67-0x00007FFBE9C70000-0x00007FFBEA732000-memory.dmp

Filesize
10.8MB

Download
memory/32-68-0x00007FFBE9C70000-0x00007FFBEA732000-memory.dmp

Filesize
10.8MB

Download
memory/652-32-0x0000020339890000-0x00000203398B2000-memory.dmp

Filesize
136KB

Download
memory/4556-0-0x00007FFBE9C73000-0x00007FFBE9C75000-memory.dmp

Filesize
8KB

Download
memory/4556-1-0x0000000000FB0000-0x00000000010F6000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads