xworm | c55ffa5c9712ee1a90fe57480b627a384f91a7206af676dfaf6975f2f99aafdb

General

Target

client.exe
Size

77KB
MD5

fb02a2794259bc16503067e6aaaaf99d
SHA1

516b366355bc59e2c8d4a2cf691ada44191d22f0
SHA256

c55ffa5c9712ee1a90fe57480b627a384f91a7206af676dfaf6975f2f99aafdb
SHA512

53ebf87b9cfe62c00110ee1531cda5277542f5ea111d296c289f851160fa7dcc4e87fb2af3f2add87bbfa231638fa64c1ceef89e387d5c0e4f3c0c83a28098c1
SSDEEP

1536:YDGUV3RQZlK4ZQSjXHE7b51wTuy+S68QUP2Oovx0:Yt9tb5SOUeOoJ0

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

exchange-daughters.gl.at.ply.gg:55386

Attributes

Install_directory
%AppData%
install_file
discord.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2952-1-0x0000000001200000-0x000000000121A000-memory.dmp	family_xworm
behavioral1/memory/1912-37-0x0000000001240000-0x000000000125A000-memory.dmp	family_xworm
behavioral1/files/0x0030000000016c2a-36.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1944	powershell.exe
2600	powershell.exe
2632	powershell.exe
2424	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	client.exe

Executes dropped EXE 2 IoCs

pid	Process
1912	discord.exe
1436	discord.exe

Loads dropped DLL 1 IoCs

pid	Process
2952	client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe"	client.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	client.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
600	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2952	client.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2600	powershell.exe
2632	powershell.exe
2424	powershell.exe
1944	powershell.exe
2952	client.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	client.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2952	client.exe
Token: SeDebugPrivilege	1912	discord.exe
Token: SeDebugPrivilege	1436	discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2952	client.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2600	2952	client.exe	29
PID 2952 wrote to memory of 2600	2952	client.exe	29
PID 2952 wrote to memory of 2600	2952	client.exe	29
PID 2952 wrote to memory of 2632	2952	client.exe	31
PID 2952 wrote to memory of 2632	2952	client.exe	31
PID 2952 wrote to memory of 2632	2952	client.exe	31
PID 2952 wrote to memory of 2424	2952	client.exe	33
PID 2952 wrote to memory of 2424	2952	client.exe	33
PID 2952 wrote to memory of 2424	2952	client.exe	33
PID 2952 wrote to memory of 1944	2952	client.exe	35
PID 2952 wrote to memory of 1944	2952	client.exe	35
PID 2952 wrote to memory of 1944	2952	client.exe	35
PID 2952 wrote to memory of 600	2952	client.exe	37
PID 2952 wrote to memory of 600	2952	client.exe	37
PID 2952 wrote to memory of 600	2952	client.exe	37
PID 836 wrote to memory of 1912	836	taskeng.exe	42
PID 836 wrote to memory of 1912	836	taskeng.exe	42
PID 836 wrote to memory of 1912	836	taskeng.exe	42
PID 836 wrote to memory of 1436	836	taskeng.exe	43
PID 836 wrote to memory of 1436	836	taskeng.exe	43
PID 836 wrote to memory of 1436	836	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:600

C:\Windows\system32\taskeng.exe
taskeng.exe {1E2F6AC5-4914-4D16-B891-F65A808DC643} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Roaming\discord.exe
  C:\Users\Admin\AppData\Roaming\discord.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Users\Admin\AppData\Roaming\discord.exe
  C:\Users\Admin\AppData\Roaming\discord.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93473047e8ea2ff8b1f116f6f42630c4

SHA1
d1a1be295c87efd9cc22795c25e144f58f092e1c

SHA256
7f3a107ea0fd0967cd44a01c4b4a87b05e0db3f71d56e6753114b4a7b6788647

SHA512
4a43108e722c5c9fab6ed2f5bc64e6f1f07f8ae33f0793eeaf6d811cba068a28ab6d1cb6b14e1599aeecebd6eb922bc161e7f0f25559d349326d5c7dd8346194

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
77KB

MD5
fb02a2794259bc16503067e6aaaaf99d

SHA1
516b366355bc59e2c8d4a2cf691ada44191d22f0

SHA256
c55ffa5c9712ee1a90fe57480b627a384f91a7206af676dfaf6975f2f99aafdb

SHA512
53ebf87b9cfe62c00110ee1531cda5277542f5ea111d296c289f851160fa7dcc4e87fb2af3f2add87bbfa231638fa64c1ceef89e387d5c0e4f3c0c83a28098c1

Download Submit
\Users\Admin\AppData\Local\Temp\tmpCA22.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/1912-37-0x0000000001240000-0x000000000125A000-memory.dmp

Filesize
104KB

Download
memory/2600-8-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2600-7-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2632-14-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2632-15-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2952-30-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/2952-31-0x000000001AB30000-0x000000001AB3C000-memory.dmp

Filesize
48KB

Download
memory/2952-32-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/2952-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-38-0x000000001AB60000-0x000000001AB6C000-memory.dmp

Filesize
48KB

Download
memory/2952-39-0x000000001B5B0000-0x000000001B63E000-memory.dmp

Filesize
568KB

Download
memory/2952-40-0x000000001AC70000-0x000000001AC7A000-memory.dmp

Filesize
40KB

Download
memory/2952-41-0x000000001AD40000-0x000000001AD7A000-memory.dmp

Filesize
232KB

Download
memory/2952-1-0x0000000001200000-0x000000000121A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads