xworm | d1e4f63805d566fc0ec48d49f78bca96b59a8605ae634cc28470052137f98ff8

General

Target

Xworm-V5.6/Xworm-V5.6/Xworm V5.6 Starter.exe
Size

7.7MB
MD5

bbf43a166ade7e2a0d2b930c41fb20a3
SHA1

d956dd742690aa25a59a84104cd3adbc40fcba78
SHA256

e948b08eb91c2dca67517126d71e5175e222598e6f1928d3ee78560b08e40b2b
SHA512

fcad5fc89da1d823a929cfebcdd19869605d646696f2399b2a84caa78e5a9854622e9d6b4184aba4ae080650513e1db01eb2412d995f87f18c4da90293fe523b
SSDEEP

196608:zKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5x:zmq/pkOYxehohbtB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Xworm.exe	family_xworm
behavioral1/memory/264-8-0x00000000010A0000-0x00000000010B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2560 powershell.exe
2608 powershell.exe
2324 powershell.exe
2328 powershell.exe

pid	process
2560	powershell.exe
2608	powershell.exe
2324	powershell.exe
2328	powershell.exe

Drops startup file 2 IoCs

Processes:

Xworm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe

Executes dropped EXE 2 IoCs

Processes:

Xworm.exeXworm V5.6.exe

pid process

264 Xworm.exe
1072 Xworm V5.6.exe

pid	process
264	Xworm.exe
1072	Xworm V5.6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Xworm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	Xworm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1704 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXworm.exe

pid process

2560 powershell.exe
2608 powershell.exe
2324 powershell.exe
2328 powershell.exe
264 Xworm.exe

flow	ioc
4	ip-api.com

pid	process
1704	schtasks.exe

pid	process
2560	powershell.exe
2608	powershell.exe
2324	powershell.exe
2328	powershell.exe
264	Xworm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Xworm.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	264	Xworm.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	264	Xworm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Xworm.exe

pid process

264 Xworm.exe

pid	process
264	Xworm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Xworm V5.6 Starter.exeXworm.exeXworm V5.6.exe

description	pid	process	target process
PID 2488 wrote to memory of 264	2488	Xworm V5.6 Starter.exe	Xworm.exe
PID 2488 wrote to memory of 264	2488	Xworm V5.6 Starter.exe	Xworm.exe
PID 2488 wrote to memory of 264	2488	Xworm V5.6 Starter.exe	Xworm.exe
PID 2488 wrote to memory of 1072	2488	Xworm V5.6 Starter.exe	Xworm V5.6.exe
PID 2488 wrote to memory of 1072	2488	Xworm V5.6 Starter.exe	Xworm V5.6.exe
PID 2488 wrote to memory of 1072	2488	Xworm V5.6 Starter.exe	Xworm V5.6.exe
PID 264 wrote to memory of 2560	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2560	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2560	264	Xworm.exe	powershell.exe
PID 1072 wrote to memory of 2552	1072	Xworm V5.6.exe	WerFault.exe
PID 1072 wrote to memory of 2552	1072	Xworm V5.6.exe	WerFault.exe
PID 1072 wrote to memory of 2552	1072	Xworm V5.6.exe	WerFault.exe
PID 264 wrote to memory of 2608	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2608	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2608	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2324	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2324	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2324	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2328	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2328	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 2328	264	Xworm.exe	powershell.exe
PID 264 wrote to memory of 1704	264	Xworm.exe	schtasks.exe
PID 264 wrote to memory of 1704	264	Xworm.exe	schtasks.exe
PID 264 wrote to memory of 1704	264	Xworm.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm-V5.6\Xworm V5.6 Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm-V5.6\Xworm V5.6 Starter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\Xworm.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1072 -s 728
    3⤵
    PID:2552

C:\Windows\system32\taskeng.exe
taskeng.exe {E0E4A844-5802-4843-A353-BBF90EAEFE2C} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm.exe

Filesize
76KB

MD5
2440671e67fb9e5087758e8c496d2c3a

SHA1
eac0d14a9866208ac6920a7a906eef761b3e0c2a

SHA256
e6c4447bc9d07a89b142f89e5011b2fa37eb77a243c9537ef992a1786a6044a3

SHA512
6bc35fd57775a3794b49c1e8576ba2e3b05f47a893b604bffeaf38cc01429dcccd5011c29dc80c88cf1fdaa9dd15c6cf168b885d532821939c68a603d7b64d82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9dfddf49cda1db1f1cdfe622ac7df36a

SHA1
17f22ee04dea3c00a3bbb847f63930e26b97058e

SHA256
472e29706bcc0f0052390fe8cfb8da008245309f0396b61643d67c1f255f096a

SHA512
58af80867e35bfac08803dabf08f7448b8dc8415e3934e7805bb8f24c8520a53d64ab8bbc2823f5f075aea4ccc1bb06fbccf562b963f9fe2db6482ae1343c899

Download Submit
memory/264-9-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/264-42-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/264-8-0x00000000010A0000-0x00000000010B8000-memory.dmp

Filesize
96KB

Download
memory/264-17-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/264-45-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-16-0x00000000010F0000-0x0000000001FD8000-memory.dmp

Filesize
14.9MB

Download
memory/2488-4-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-15-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000001350000-0x0000000001B02000-memory.dmp

Filesize
7.7MB

Download
memory/2560-22-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2560-23-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2608-30-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/2608-29-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads