xworm | 5036fecd00ecb6ef5042ee327150d4ca19c696e6318474bdd912431338870d6f

General

Target

Xworm-V5.6/Xworm V5.6 Starter.exe
Size

7.7MB
MD5

bbf43a166ade7e2a0d2b930c41fb20a3
SHA1

d956dd742690aa25a59a84104cd3adbc40fcba78
SHA256

e948b08eb91c2dca67517126d71e5175e222598e6f1928d3ee78560b08e40b2b
SHA512

fcad5fc89da1d823a929cfebcdd19869605d646696f2399b2a84caa78e5a9854622e9d6b4184aba4ae080650513e1db01eb2412d995f87f18c4da90293fe523b
SSDEEP

196608:zKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5x:zmq/pkOYxehohbtB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001202c-5.dat	family_xworm
behavioral1/memory/2840-7-0x0000000000C00000-0x0000000000C18000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
2008	powershell.exe
1208	powershell.exe
2896	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	Xworm.exe
2560	Xworm V5.6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	Xworm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2444	powershell.exe
2008	powershell.exe
1208	powershell.exe
2896	powershell.exe
2840	Xworm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	Xworm.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2840	Xworm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	Xworm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2840	2288	Xworm V5.6 Starter.exe	30
PID 2288 wrote to memory of 2840	2288	Xworm V5.6 Starter.exe	30
PID 2288 wrote to memory of 2840	2288	Xworm V5.6 Starter.exe	30
PID 2288 wrote to memory of 2560	2288	Xworm V5.6 Starter.exe	31
PID 2288 wrote to memory of 2560	2288	Xworm V5.6 Starter.exe	31
PID 2288 wrote to memory of 2560	2288	Xworm V5.6 Starter.exe	31
PID 2560 wrote to memory of 1488	2560	Xworm V5.6.exe	33
PID 2560 wrote to memory of 1488	2560	Xworm V5.6.exe	33
PID 2560 wrote to memory of 1488	2560	Xworm V5.6.exe	33
PID 2840 wrote to memory of 2444	2840	Xworm.exe	34
PID 2840 wrote to memory of 2444	2840	Xworm.exe	34
PID 2840 wrote to memory of 2444	2840	Xworm.exe	34
PID 2840 wrote to memory of 2008	2840	Xworm.exe	36
PID 2840 wrote to memory of 2008	2840	Xworm.exe	36
PID 2840 wrote to memory of 2008	2840	Xworm.exe	36
PID 2840 wrote to memory of 1208	2840	Xworm.exe	38
PID 2840 wrote to memory of 1208	2840	Xworm.exe	38
PID 2840 wrote to memory of 1208	2840	Xworm.exe	38
PID 2840 wrote to memory of 2896	2840	Xworm.exe	40
PID 2840 wrote to memory of 2896	2840	Xworm.exe	40
PID 2840 wrote to memory of 2896	2840	Xworm.exe	40
PID 2840 wrote to memory of 768	2840	Xworm.exe	42
PID 2840 wrote to memory of 768	2840	Xworm.exe	42
PID 2840 wrote to memory of 768	2840	Xworm.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6 Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6 Starter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\Xworm.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:768
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2560 -s 728
    3⤵
    PID:1488

C:\Windows\system32\taskeng.exe
taskeng.exe {EE6C6172-E9A0-4E56-A33A-F800D2BB366F} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm.exe

Filesize
76KB

MD5
2440671e67fb9e5087758e8c496d2c3a

SHA1
eac0d14a9866208ac6920a7a906eef761b3e0c2a

SHA256
e6c4447bc9d07a89b142f89e5011b2fa37eb77a243c9537ef992a1786a6044a3

SHA512
6bc35fd57775a3794b49c1e8576ba2e3b05f47a893b604bffeaf38cc01429dcccd5011c29dc80c88cf1fdaa9dd15c6cf168b885d532821939c68a603d7b64d82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ff2437ad2c22b96d8fa11da8ff41daaf

SHA1
9687d8d4db8617593748d544117085120e24f82b

SHA256
8133d72b3f6b85aef38002b52da71f2655df4845a8a9070e9f887ce2d73f0ed0

SHA512
19fa628b910f2426fabbfac24ca4f96a2299bb6ac9fd37cd4359b661547cd91b149d9513bb30918f1391c76e203ec274d1b12d55e3b1c8bb09697c06e865a945

Download Submit
memory/2008-28-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2008-29-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2288-14-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-1-0x0000000000EC0000-0x0000000001672000-memory.dmp

Filesize
7.7MB

Download
memory/2288-0-0x000007FEF60F3000-0x000007FEF60F4000-memory.dmp

Filesize
4KB

Download
memory/2444-21-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2444-22-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2560-13-0x0000000000990000-0x0000000001878000-memory.dmp

Filesize
14.9MB

Download
memory/2840-7-0x0000000000C00000-0x0000000000C18000-memory.dmp

Filesize
96KB

Download
memory/2840-15-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-16-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-43-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-44-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads