xworm | 463a9090dcc4bcdc5703990ab296e8c758251e1cd43cb9ebf219ba7b2aafd8fb

General

Target

c240354ebdc9fa972e6f0b6e5ecc4213.exe
Size

579KB
MD5

c240354ebdc9fa972e6f0b6e5ecc4213
SHA1

3254ba2a3b0695c08a2d6b32812b3b920a544a47
SHA256

463a9090dcc4bcdc5703990ab296e8c758251e1cd43cb9ebf219ba7b2aafd8fb
SHA512

0664257f23c142a0e3250d2d2101eb683a3a2e2fc3909bc029ff799d73b9fb62ab5355b90a4db4c7cda577f21a1930ded0705cf06052049efd789f8eb663cf64
SSDEEP

12288:vlGi6JNf+wz38tu/MhjV2DZuvvRDelQgyv0pzvUslxEMLo2ZUnqCNIPvG+VAxv76:khJR8tuAjaZuVSyv0SslabO

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

appostle2020.ddns.net:7000

Mutex

0xAP5d8OnVTgqm7r

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2672-30-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2672-29-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2672-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2672-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2672-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2828	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c240354ebdc9fa972e6f0b6e5ecc4213.lnk	c240354ebdc9fa972e6f0b6e5ecc4213.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c240354ebdc9fa972e6f0b6e5ecc4213.lnk	c240354ebdc9fa972e6f0b6e5ecc4213.exe

Loads dropped DLL 1 IoCs

pid	Process
2672	c240354ebdc9fa972e6f0b6e5ecc4213.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	c240354ebdc9fa972e6f0b6e5ecc4213.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2732	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	31
PID 2064 wrote to memory of 2732	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	31
PID 2064 wrote to memory of 2732	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	31
PID 2064 wrote to memory of 2732	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	31
PID 2064 wrote to memory of 2828	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	33
PID 2064 wrote to memory of 2828	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	33
PID 2064 wrote to memory of 2828	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	33
PID 2064 wrote to memory of 2828	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	33
PID 2064 wrote to memory of 2988	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	35
PID 2064 wrote to memory of 2988	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	35
PID 2064 wrote to memory of 2988	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	35
PID 2064 wrote to memory of 2988	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	35
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37
PID 2064 wrote to memory of 2672	2064	c240354ebdc9fa972e6f0b6e5ecc4213.exe	37

C:\Users\Admin\AppData\Local\Temp\c240354ebdc9fa972e6f0b6e5ecc4213.exe
"C:\Users\Admin\AppData\Local\Temp\c240354ebdc9fa972e6f0b6e5ecc4213.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c240354ebdc9fa972e6f0b6e5ecc4213.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PLBXtza.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PLBXtza" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF595.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\c240354ebdc9fa972e6f0b6e5ecc4213.exe
  "C:\Users\Admin\AppData\Local\Temp\c240354ebdc9fa972e6f0b6e5ecc4213.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF595.tmp

Filesize
1KB

MD5
a14daecf5f7a9fe77fbe5844cdb8909d

SHA1
b3e04eb6bf0cf700437fdd06654465235132b418

SHA256
6b1e3099cc6e51aa0fba1b797674399d4ce9605f4dea2622d313c46a39d17e4d

SHA512
e97031dbb25467e088cb1e7c0796b5130a41a65550821e457d860bcb6c9f914d07846d4caaf256ae83e671a2c14be9b0aad0c2e863e38fd694983242b2a5cc87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
335449af8ee52226d5345a7a0b30391e

SHA1
6590d01eb86b43a20fe8b4a39b07cafc58e1b0c9

SHA256
5d848bf387d75ecb9132d162061a58f2152ad9de22f6351beb29431f13a0c229

SHA512
8e22ba54cb7e35abdfa2290e5b12856077a7274fb81a42a6234f46819f35e80581a95b7c5189b770b9b0d116bebc9f1ed2cfdf2983be0d8a20a6507b3c99f6dc

Download Submit
\Users\Admin\AppData\Roaming\c240354ebdc9fa972e6f0b6e5ecc4213.exe

Filesize
579KB

MD5
c240354ebdc9fa972e6f0b6e5ecc4213

SHA1
3254ba2a3b0695c08a2d6b32812b3b920a544a47

SHA256
463a9090dcc4bcdc5703990ab296e8c758251e1cd43cb9ebf219ba7b2aafd8fb

SHA512
0664257f23c142a0e3250d2d2101eb683a3a2e2fc3909bc029ff799d73b9fb62ab5355b90a4db4c7cda577f21a1930ded0705cf06052049efd789f8eb663cf64

Download Submit
memory/2064-4-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/2064-31-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-5-0x0000000002000000-0x000000000200C000-memory.dmp

Filesize
48KB

Download
memory/2064-6-0x0000000004770000-0x00000000047C0000-memory.dmp

Filesize
320KB

Download
memory/2064-3-0x0000000001F40000-0x0000000001F5A000-memory.dmp

Filesize
104KB

Download
memory/2064-2-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-1-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/2064-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/2672-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2672-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2672-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2672-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2672-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2672-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2672-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads