xworm | 9a41404dca669ab7ae093eae45c01d0b8c6e31df93feed36bd39950f8d23b301

General

Target

FifFaf3.exe
Size

75KB
MD5

3ec64788de487a611bc255a1c2d4e532
SHA1

955c425b7367a4f844e22092e97a64bb6ac092a8
SHA256

9a41404dca669ab7ae093eae45c01d0b8c6e31df93feed36bd39950f8d23b301
SHA512

6c9a14f7c0fee940c0e3d42f5f43ec0937b358d1b5e67e8124c45196626e0c1ea1026506ed6a1d67b0bd63b9d9dfa4937eaff8e32291fa4685a992f386316b68
SSDEEP

1536:Y0XP2FWP19ugE7B2yWCUy8TpbRA+ac5G63SuUEhiOsy34Cqg:m7TWO8dbRAo5RpEOsy34Cr

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

george-continental.gl.at.ply.gg:25128:1000

Attributes

Install_directory
%AppData%
install_file
SolaraBETA.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3012-1-0x00000000009A0000-0x00000000009BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
2624	powershell.exe
2588	powershell.exe
2880	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SolaraBETA = "C:\\Users\\Admin\\AppData\\Roaming\\SolaraBETA.exe"	FifFaf3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2880	powershell.exe
2848	powershell.exe
2624	powershell.exe
2588	powershell.exe
3012	FifFaf3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	FifFaf3.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3012	FifFaf3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3012	FifFaf3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2880	3012	FifFaf3.exe	31
PID 3012 wrote to memory of 2880	3012	FifFaf3.exe	31
PID 3012 wrote to memory of 2880	3012	FifFaf3.exe	31
PID 3012 wrote to memory of 2848	3012	FifFaf3.exe	33
PID 3012 wrote to memory of 2848	3012	FifFaf3.exe	33
PID 3012 wrote to memory of 2848	3012	FifFaf3.exe	33
PID 3012 wrote to memory of 2624	3012	FifFaf3.exe	35
PID 3012 wrote to memory of 2624	3012	FifFaf3.exe	35
PID 3012 wrote to memory of 2624	3012	FifFaf3.exe	35
PID 3012 wrote to memory of 2588	3012	FifFaf3.exe	37
PID 3012 wrote to memory of 2588	3012	FifFaf3.exe	37
PID 3012 wrote to memory of 2588	3012	FifFaf3.exe	37

C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe
"C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FifFaf3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraBETA.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBETA.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

DNS

ip-api.com

FifFaf3.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

FifFaf3.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 02 Sep 2024 09:47:30 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

FifFaf3.exe

264 B
307 B
4
3

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200

8.8.8.8:53

ip-api.com

dns

FifFaf3.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VIAENLX3WMGKUCWDTIYC.temp

Filesize
7KB

MD5
a53a4de1aa243f16705e0e6255d8c19d

SHA1
a84e04dfc6e08d9001abc2e0572eaf59d7947189

SHA256
d590dbe58306ff752b87252521b4a91ab36615be1136c99473ca67e641eeb2cd

SHA512
c55d0b28c02471ff439c57da7097bddba974c3315d055f64679536d96d637dfeda0b1a24d3f332f64010a9ff7aaf80c19b9a660adf153117e8a34b850e39242d

Download Submit
memory/2848-15-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2848-16-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2880-7-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2880-8-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2880-9-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/3012-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x00000000009A0000-0x00000000009BA000-memory.dmp

Filesize
104KB

Download
memory/3012-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-28-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/3012-30-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.