xworm | 0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850

General

Target

0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850.exe
Size

679KB
MD5

98a2d7aee74efe11a83e1514199a1346
SHA1

758365522b6a9eebe7ec5a10f4f260d3ffcd285a
SHA256

0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850
SHA512

3f0c83af88c1f2b067ad56d458719cc1641a6aa672eea68adb0adc6dd25f7306dc9b8e018021828f61d514d74437683671e23e9eb731d865007335ec403722b5
SSDEEP

3072:gti/b34bfUYCZS6jBPbZ8L2SdoYBUBk1pfApjgrD1xJiS+F4Hsi2I/7X88eXrspS:P3ZS6jBPl8LDdSqIw

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:36301

character-acquisitions.gl.at.ply.gg:36301

Attributes

Install_directory
%ProgramData%
install_file
Hoodbyunlock.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173c8-4026.dat	family_xworm
behavioral1/memory/2552-4028-0x0000000000D60000-0x0000000000D9A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk	x.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	x.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2552	x.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	x.exe
Token: SeDebugPrivilege	2552	x.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2020	1648	0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850.exe	32
PID 1648 wrote to memory of 2020	1648	0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850.exe	32
PID 1648 wrote to memory of 2020	1648	0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850.exe	32
PID 2020 wrote to memory of 1516	2020	cmd.exe	34
PID 2020 wrote to memory of 1516	2020	cmd.exe	34
PID 2020 wrote to memory of 1516	2020	cmd.exe	34
PID 2020 wrote to memory of 2512	2020	cmd.exe	35
PID 2020 wrote to memory of 2512	2020	cmd.exe	35
PID 2020 wrote to memory of 2512	2020	cmd.exe	35
PID 2020 wrote to memory of 2552	2020	cmd.exe	36
PID 2020 wrote to memory of 2552	2020	cmd.exe	36
PID 2020 wrote to memory of 2552	2020	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850.exe
"C:\Users\Admin\AppData\Local\Temp\0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9tbEtzi0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\findstr.exe
    findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\9tbEtzi0.bat"
    3⤵
    PID:1516
- - C:\Windows\system32\cscript.exe
    cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
    3⤵
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\x.exe
    C:\Users\Admin\AppData\Local\Temp\x.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9tbEtzi0.bat

Filesize
337KB

MD5
ccaea73653a34af5dd4fe25c5c1832bc

SHA1
bcb90167312bc189aedbad3efe09579b0f5204a1

SHA256
62a64c90fc235fae4bb96ff0ce6e4a890a1f6bafee5edcabbad4e1f1ab587c8e

SHA512
229f43e706926b182d8f7ed2469d30d6d024b749516cef67c79f4f30b54e04bc8dd3ab410389397246f0b031cd3af06f8dd5b667ca77931736cf6da8b4e7d8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
281KB

MD5
ed0b1bbbac5f893507ba6fa5b311963d

SHA1
bb799a70e283928fdd899e8a073275d27df2c170

SHA256
779495879b280381bd2e521fa221ec114ff1561cdf177a36984b9cdc3a54c68f

SHA512
13e509e675835b13b944106acdce60e6448ae7b25ff9ff63d9d54bba70e964c13100fd213fcb00b45b7fbf58a2c7a9f40a0157e3833cd6ed2787b5c97eb4e465

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
4KB

MD5
4b6034767b74d9c5f418217d048db481

SHA1
cb1f17535ebbb267dae8facc4f84650a1887c7e4

SHA256
1b4b006292111104d7a0c08b8d5758a2a275c997da463a2cb811bd01ffe4497a

SHA512
e1f252c761f274227ecef51368d827f71823e3d009c68af2a0d97b9c01a3217047875cc1cd5a3aa810fba59f6bf9b1becfcd4c27d43c11acfcb4a04d80455aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
205KB

MD5
74d8f5a1e068a454ffaa5c8fd32a3e44

SHA1
46599d94edc83e67e6bde3579f61028e2bee7096

SHA256
59b203fcf387bfde09a17d954c9281f5743b0d0edb9c8d1fc481eb0165416fd0

SHA512
6d5e8aeb8a5139f31b0f8ed55655c0eb52b3e2589cf1e6ee3c13b06394ceba72da0dc5e01972386bd75b01d17c16e00d50fe2c1e3a2c4b2a5a6b70b0a753ec3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs

Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
memory/1648-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/1648-1-0x0000000000C60000-0x0000000000D10000-memory.dmp

Filesize
704KB

Download
memory/2552-4028-0x0000000000D60000-0x0000000000D9A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing