xworm | 725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

General

Target

WindowsSecurity.exe
Size

75KB
MD5

cf219a189dae4a022f26dd58cd5367e6
SHA1

76c2e7b756e894afc4e5fd7267fce398d58c518f
SHA256

725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe
SHA512

21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f
SSDEEP

1536:jH5rQdEBziKJ86VKzwmd+bp6FabOYzTNddV6XItOyjyHTy3TWL4xdvGC:jH3F86VwwwAxbO2hdPtOyjUUTWsvGC

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2548-1-0x0000000001060000-0x0000000001078000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2488	powershell.exe
3024	powershell.exe
2740	powershell.exe
2188	powershell.exe

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1312	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2488	powershell.exe
3024	powershell.exe
2740	powershell.exe
2188	powershell.exe
2548	WindowsSecurity.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	WindowsSecurity.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2548	WindowsSecurity.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	WindowsSecurity.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2488	2548	WindowsSecurity.exe	31
PID 2548 wrote to memory of 2488	2548	WindowsSecurity.exe	31
PID 2548 wrote to memory of 2488	2548	WindowsSecurity.exe	31
PID 2548 wrote to memory of 3024	2548	WindowsSecurity.exe	33
PID 2548 wrote to memory of 3024	2548	WindowsSecurity.exe	33
PID 2548 wrote to memory of 3024	2548	WindowsSecurity.exe	33
PID 2548 wrote to memory of 2740	2548	WindowsSecurity.exe	35
PID 2548 wrote to memory of 2740	2548	WindowsSecurity.exe	35
PID 2548 wrote to memory of 2740	2548	WindowsSecurity.exe	35
PID 2548 wrote to memory of 2188	2548	WindowsSecurity.exe	38
PID 2548 wrote to memory of 2188	2548	WindowsSecurity.exe	38
PID 2548 wrote to memory of 2188	2548	WindowsSecurity.exe	38
PID 2548 wrote to memory of 2928	2548	WindowsSecurity.exe	40
PID 2548 wrote to memory of 2928	2548	WindowsSecurity.exe	40
PID 2548 wrote to memory of 2928	2548	WindowsSecurity.exe	40
PID 2928 wrote to memory of 1312	2928	cmd.exe	42
PID 2928 wrote to memory of 1312	2928	cmd.exe	42
PID 2928 wrote to memory of 1312	2928	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3524.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3524.tmp.bat

Filesize
167B

MD5
a87de12742afa0567ecd85fa84b1be9e

SHA1
9b87950b13fd1ff414f97680bc635f50ca2e32c3

SHA256
a0a71dd98278cbe34ab8ffbebc15157fbe351615230d93628dac26770dec2fc6

SHA512
2e290c5bac9f09ec3d21a6e99f897e1b90c1b107333e519960318d2b8df768847b5c18de5d96daa64adfaceb71447fe0da769a1e07168edb9a3ad9f1136457ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c3eccc8c369880f5ccef4e5c4b58756

SHA1
d90c3950817abb8ba33c164cf5f910c52e219265

SHA256
319311f2ae55df1207cbae8879e03cfbee9cef1caddcda270a675dffb1bc9e86

SHA512
6d0ba0c6a77b624589badf838cfc7462325d555fbb713ab5d199ab5c68133e4aed9ba566c12ba03f1b91764927a1f882571cbb4e40a161478b1fa94d3bd84386

Download Submit
memory/2488-10-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/2488-8-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2488-9-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-7-0x000007FEF5D43000-0x000007FEF5D44000-memory.dmp

Filesize
4KB

Download
memory/2548-0-0x000007FEF5D43000-0x000007FEF5D44000-memory.dmp

Filesize
4KB

Download
memory/2548-2-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-34-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-1-0x0000000001060000-0x0000000001078000-memory.dmp

Filesize
96KB

Download
memory/2548-46-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-16-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/3024-17-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing