xworm | 8ad9a17fffa07b434efcb5f370e7f25211361bd1628fb85781e3435eeeaa1e65

General

Target

LabyMod4Crt.exe
Size

72KB
MD5

8f7d60c2274007ad4220bfa4e313bf35
SHA1

a0a9733f053f92840dc7077cc38519ed4b112751
SHA256

8ad9a17fffa07b434efcb5f370e7f25211361bd1628fb85781e3435eeeaa1e65
SHA512

6c3d06efde57b9ba96a12d5a187490b2fcceb80df886fd16b4cc9fda49f0d6ad6a34a72341cd944c639bbf093daf2204d358f5823787455f1044aabef5b6d170
SSDEEP

1536:w0kvuKMq3o1RchBWJWVE2AyDIQkSSp63bSqQIfcY+6ic0YfO75B4p5t:wUNpOCJWVEoD1wp63bSVIf1O75K5t

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2936-1-0x0000000000280000-0x0000000000298000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3068 powershell.exe
2660 powershell.exe
2704 powershell.exe
2444 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1752 cmd.exe

pid	process
3068	powershell.exe
2660	powershell.exe
2704	powershell.exe
2444	powershell.exe

pid	process
1752	cmd.exe

Drops startup file 2 IoCs

Processes:

LabyMod4Crt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LabyMod4Crt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LabyMod4Crt.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1196 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2660 powershell.exe
2704 powershell.exe
2444 powershell.exe
3068 powershell.exe

flow	ioc
4	ip-api.com

pid	process
1196	timeout.exe

pid	process
2660	powershell.exe
2704	powershell.exe
2444	powershell.exe
3068	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

LabyMod4Crt.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2936	LabyMod4Crt.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2936	LabyMod4Crt.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LabyMod4Crt.execmd.exe

description	pid	process	target process
PID 2936 wrote to memory of 2660	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2660	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2660	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2704	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2704	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2704	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2444	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2444	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 2444	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 3068	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 3068	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 3068	2936	LabyMod4Crt.exe	powershell.exe
PID 2936 wrote to memory of 1752	2936	LabyMod4Crt.exe	cmd.exe
PID 2936 wrote to memory of 1752	2936	LabyMod4Crt.exe	cmd.exe
PID 2936 wrote to memory of 1752	2936	LabyMod4Crt.exe	cmd.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	timeout.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	timeout.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\LabyMod4Crt.exe
"C:\Users\Admin\AppData\Local\Temp\LabyMod4Crt.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LabyMod4Crt.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LabyMod4Crt.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp894C.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp894C.tmp.bat
Filesize
163B

MD5
62b0793017f15d2e72e2b4f679a534bd

SHA1
275486f8f598feb232d2c4cd0ce49f21e295139c

SHA256
246b6aa13c385063f3e3f5be34570e87ddeab32b4f291fe17b2be1dc06c65713

SHA512
90af8269056aeb815d82d3597077d164f4469ac341863840e2745cfdc692b472354425007c1bf5577d122c66b3cf88f27bc66adf4a12fb75b7b2bbe2a5273bda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
02ed0e9f56ccac1ccc5965cd11cf655d

SHA1
58641c0378e655aa6db19f8c8ba04ceba5b85b83

SHA256
3cf9da6ff14fbe674cf5acdb7018ff0c1f7f4e4a1ec422a808c71a18b60633b0

SHA512
3f3e7dbae171845f0ab52e3e07c387ee8cc829667c6f4dde0ac882d08c2353d904288f009fc1a9cab7b2eb6234652717f5e77a24872801811fbb55502d1d8072

Download Submit
memory/2660-7-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2660-8-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2660-9-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2704-15-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2704-16-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2936-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/2936-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2936-31-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2936-43-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads