xworm | 98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64

General

Target

98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe
Size

37KB
MD5

d67fbbd03ca764910f6700a26291962c
SHA1

234065b6eae90cc6e4f7e600d60ded9ec0baf21a
SHA256

98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64
SHA512

029b090f55c13493731ff0aed14f4e54cc005877e2a37a8e7e7a63f4e5a8d5dd2b4260746829b050c6dda3e808220720ed3ee9e8247765bd868fa91152fd50fb
SSDEEP

768:SwX9XtyDkbZ+VMSQkjiBP+aXaFF9W0zLtu6sOrh9I7yz:n99yDlaHJZKFF9jc6sOrvH

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

daddy.linkpc.net:7000

Mutex

7XYtWwylIhsrHJKs

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2536-1-0x00000000002D0000-0x00000000002E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2800	powershell.exe
2984	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2800	powershell.exe
2984	powershell.exe
2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2800	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe	29
PID 2536 wrote to memory of 2800	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe	29
PID 2536 wrote to memory of 2800	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe	29
PID 2536 wrote to memory of 2984	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe	31
PID 2536 wrote to memory of 2984	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe	31
PID 2536 wrote to memory of 2984	2536	98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe	31

C:\Users\Admin\AppData\Local\Temp\98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe
"C:\Users\Admin\AppData\Local\Temp\98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '98936b1a7f4528484d339d9fd7d50e00a14f4fbe55008290eb16f1628585da64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5d623f07ee7f5e55b17dd8adf64a0d4

SHA1
4de3a5785f82290ccf66c7b40cac4f77f03cae1f

SHA256
db58b7367d4a727f42afb84c1fe27be072f85f59485d389bb5895d80ff7b62c4

SHA512
64fe9a0a73f5c41399060b605d13ff8f9b02f3b434037f369e6ff53e37d6429c30bfea558c6fba57eda20fbeca90a31d2b6a600a9d757e70312c04c27e7877f8

Download Submit
memory/2536-0-0x000007FEF6663000-0x000007FEF6664000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2536-16-0x00000000001E0000-0x0000000000260000-memory.dmp

Filesize
512KB

Download
memory/2536-17-0x000007FEF6663000-0x000007FEF6664000-memory.dmp

Filesize
4KB

Download
memory/2536-18-0x00000000001E0000-0x0000000000260000-memory.dmp

Filesize
512KB

Download
memory/2800-6-0x0000000002E40000-0x0000000002EC0000-memory.dmp

Filesize
512KB

Download
memory/2800-7-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2800-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2984-14-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-15-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing