xworm | feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f

General

Target

feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe
Size

40KB
MD5

3ab61ee8a81099edddf87af587420a10
SHA1

d6c0f6f60d13cc786cf7ac0df2c45b5dc47b945c
SHA256

feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f
SHA512

f43326c79ea8bd118fd90efc8c2c8306e02901727ffd7c6666b2a35820eb8799976007f4886a68a7f411509ad61dcf7ddf5a3630fa5342014ad5aa978818ff3f
SSDEEP

768:pNfPMSk3K/EzTb/008WuFZ4ZJF5PC9O9Fy68OMhi3/aV:nf05a/CTjp89IFc9Uc68OMsi

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.197.69.165:7000

Mutex

jcTVbnlMjCEJAYCp

Attributes

Install_directory
%AppData%
install_file
crss.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3720-1-0x0000000000C50000-0x0000000000C60000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1064	powershell.exe
4840	powershell.exe
1956	powershell.exe
3392	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.lnk	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1064	powershell.exe
1064	powershell.exe
4840	powershell.exe
4840	powershell.exe
1956	powershell.exe
1956	powershell.exe
3392	powershell.exe
3392	powershell.exe
3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1064	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	84
PID 3720 wrote to memory of 1064	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	84
PID 3720 wrote to memory of 4840	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	86
PID 3720 wrote to memory of 4840	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	86
PID 3720 wrote to memory of 1956	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	88
PID 3720 wrote to memory of 1956	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	88
PID 3720 wrote to memory of 3392	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	90
PID 3720 wrote to memory of 3392	3720	feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe	90

C:\Users\Admin\AppData\Local\Temp\feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe
"C:\Users\Admin\AppData\Local\Temp\feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dszjasec.yg4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1064-4-0x0000013A0EB10000-0x0000013A0EB32000-memory.dmp

Filesize
136KB

Download
memory/1064-5-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1064-14-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1064-15-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1064-16-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1064-19-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1064-3-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/3720-0-0x00007FFCF0A13000-0x00007FFCF0A15000-memory.dmp

Filesize
8KB

Download
memory/3720-2-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download
memory/3720-1-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/3720-51-0x00007FFCF0A13000-0x00007FFCF0A15000-memory.dmp

Filesize
8KB

Download
memory/3720-56-0x00007FFCF0A10000-0x00007FFCF14D2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing