xworm | ec67ac05b583618699ce3813ded3f4e6b2e321c6e6714565b1810ffeb0caa361

General

Target

C11Executor23.exe
Size

527KB
MD5

0ffa58adb9ae31cb401b933d52034066
SHA1

310a52338ae3aa6c13ae03243bf4d47941b26731
SHA256

ec67ac05b583618699ce3813ded3f4e6b2e321c6e6714565b1810ffeb0caa361
SHA512

2d8ea7646ca58710110585776a16b558e13568a42f71c56ced6110901e9fdf127f8ca2d2a598675005d6176caf827da6f90791c3b5a11235819f5f5d08e9ef10
SSDEEP

12288:G2TdgrOb9yGtn4yOH05wCU36pw5Htbh9D:GYiro430wH64N19

Score

10^/10

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2680-1-0x00000000000B0000-0x000000000018C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1152	powershell.exe
2704	powershell.exe
2860	powershell.exe
2652	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	C11Executor23.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	C11Executor23.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	C11Executor23.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2704	powershell.exe
2860	powershell.exe
2652	powershell.exe
1152	powershell.exe
2680	C11Executor23.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	C11Executor23.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2680	C11Executor23.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	C11Executor23.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2704	2680	C11Executor23.exe	32
PID 2680 wrote to memory of 2704	2680	C11Executor23.exe	32
PID 2680 wrote to memory of 2704	2680	C11Executor23.exe	32
PID 2680 wrote to memory of 2860	2680	C11Executor23.exe	34
PID 2680 wrote to memory of 2860	2680	C11Executor23.exe	34
PID 2680 wrote to memory of 2860	2680	C11Executor23.exe	34
PID 2680 wrote to memory of 2652	2680	C11Executor23.exe	36
PID 2680 wrote to memory of 2652	2680	C11Executor23.exe	36
PID 2680 wrote to memory of 2652	2680	C11Executor23.exe	36
PID 2680 wrote to memory of 1152	2680	C11Executor23.exe	38
PID 2680 wrote to memory of 1152	2680	C11Executor23.exe	38
PID 2680 wrote to memory of 1152	2680	C11Executor23.exe	38
PID 2680 wrote to memory of 560	2680	C11Executor23.exe	40
PID 2680 wrote to memory of 560	2680	C11Executor23.exe	40
PID 2680 wrote to memory of 560	2680	C11Executor23.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\C11Executor23.exe
"C:\Users\Admin\AppData\Local\Temp\C11Executor23.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Executor23.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'C11Executor23.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b7e29979f430f95f660f7d1fb2875691

SHA1
34081d9968501559bbd3dfe1bb275e92d0b271d1

SHA256
73636d73f9ebceaaae636eac84f16733add9ce6de721f5d59aecdea1c57bdbf4

SHA512
bec10efb725cd3b2fa6df1521864548d6986f3b2df798493229742cfdf75c9de3551158c22633b61e1f7c807a4b3327f04262adc33c1225c94124467ff393f30

Download Submit
memory/2680-10-0x000007FEF5943000-0x000007FEF5944000-memory.dmp

Filesize
4KB

Download
memory/2680-1-0x00000000000B0000-0x000000000018C000-memory.dmp

Filesize
880KB

Download
memory/2680-4-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-5-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-38-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-11-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-0-0x000007FEF5943000-0x000007FEF5944000-memory.dmp

Filesize
4KB

Download
memory/2680-3-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-33-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2704-13-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-14-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2704-12-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2860-21-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2860-20-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads