xworm | ab8c5188ad40614d30e6306e31a79224ff62c8b110ebce9f8d438e7476948977

General

Target

XWorm-V3.1-main/XWorm V3.1.exe
Size

13.5MB
MD5

32dcf4cd512da44a9d2a66f167da02e7
SHA1

4224b58657428bb6edb85c73be85a9bcffb46c09
SHA256

0d51c076489c1f892c81460633b8780dbf257ae2f3798d727a138d741ac132f2
SHA512

6e0b843930ac48adad31f95e45fc2252bb0194b202be5d995b98b6ef926427e33e8b7be5ecf7615440ec314a4971a007ccf1c08b083ebae1217dbbc135320069
SSDEEP

393216:myjEZpRN3b67r3f4/fxU8IWUIURsLBHiEZhQfbx7P5kvxT:zEZp+3Q/JU8b5YIBHNCfF7P5kv1

Score

10^/10

xworm persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Version

3.0

C2

18.ip.gl.ply.gg:35094

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2840-50-0x0000000000CF0000-0x0000000000D04000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c82e-33.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	X.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	X.exe

Executes dropped EXE 6 IoCs

pid	Process
2832	XWorm V3.1.exe
2452	XWorm V3.1.exe
2820	XWorm.exe
2840	X.exe
3004	XWorm.exe
1180	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
2972	XWorm V3.1.exe
2832	XWorm V3.1.exe
3004	XWorm.exe
1180	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c87b-58.dat	upx
behavioral1/memory/3004-60-0x000007FEEF3E0000-0x000007FEEF9D0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWorm = "C:\\Windows\\System32\\XWorm.exe"	XWorm V3.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\X = "C:\\Windows\\System32\\X.exe"	XWorm V3.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\X = "C:\\Users\\Admin\\AppData\\Roaming\\X.exe"	X.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
7	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\XWorm.exe	XWorm V3.1.exe
File opened for modification	C:\Windows\System32\XWorm.exe	XWorm V3.1.exe
File created	C:\Windows\System32\X.exe	XWorm V3.1.exe
File opened for modification	C:\Windows\System32\X.exe	XWorm V3.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	XWorm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	XWorm V3.1.exe
Token: SeDebugPrivilege	2452	XWorm V3.1.exe
Token: SeDebugPrivilege	2840	X.exe
Token: SeDebugPrivilege	2840	X.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2832	2972	XWorm V3.1.exe	30
PID 2972 wrote to memory of 2832	2972	XWorm V3.1.exe	30
PID 2972 wrote to memory of 2832	2972	XWorm V3.1.exe	30
PID 2832 wrote to memory of 2452	2832	XWorm V3.1.exe	33
PID 2832 wrote to memory of 2452	2832	XWorm V3.1.exe	33
PID 2832 wrote to memory of 2452	2832	XWorm V3.1.exe	33
PID 2832 wrote to memory of 2820	2832	XWorm V3.1.exe	34
PID 2832 wrote to memory of 2820	2832	XWorm V3.1.exe	34
PID 2832 wrote to memory of 2820	2832	XWorm V3.1.exe	34
PID 2832 wrote to memory of 2840	2832	XWorm V3.1.exe	35
PID 2832 wrote to memory of 2840	2832	XWorm V3.1.exe	35
PID 2832 wrote to memory of 2840	2832	XWorm V3.1.exe	35
PID 2820 wrote to memory of 3004	2820	XWorm.exe	36
PID 2820 wrote to memory of 3004	2820	XWorm.exe	36
PID 2820 wrote to memory of 3004	2820	XWorm.exe	36

C:\Users\Admin\AppData\Local\Temp\XWorm-V3.1-main\XWorm V3.1.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-V3.1-main\XWorm V3.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe
  "C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\System32\XWorm.exe
    "C:\Windows\System32\XWorm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\XWorm.exe
      "C:\Windows\System32\XWorm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:3004
- - C:\Windows\System32\X.exe
    "C:\Windows\System32\X.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe

Filesize
6.9MB

MD5
37a9fdc56e605d2342da88a6e6182b4b

SHA1
20bc3df33bbbb676d2a3c572cff4c1d58c79055d

SHA256
422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

SHA512
f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28202\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe

Filesize
13.5MB

MD5
7142f9628fb6b6e8bfe5d30aefb67ecf

SHA1
1a88d637f5bb51eee730d78fde48cdc379312219

SHA256
3041b149159619b9fba32bcd02ce4f5f5d31a00f00ba79961e4f9d47061a7463

SHA512
4c039b7e77716c614fd624005ffc277811ca4884b02b62536aa4a24bc49ca8a79c6d1ff6917930094cb040cd71fbccf7d6a66dd886ad2b1890e2f8c0dd59642a

Download Submit
C:\Windows\System32\X.exe

Filesize
57KB

MD5
f68a46dea88b19797b9e6d4bb123f148

SHA1
aa73ac84591111c3bd22d2febd327a91a2805cbd

SHA256
15d5fc6215b24c63ec24e76b7a90920217e6062028d8353d67f42004d9bdb76f

SHA512
8a047e0d0d22fb3c7cba6e027ffcf13ca561c7a7b538e2319aea8d204325d35ad5f5950f27bf1a3c1365c3cfb5d2b99f07b0b84c6413cedc60a9f50762e44aad

Download Submit
\Windows\System32\XWorm.exe

Filesize
7.4MB

MD5
cb1efd69e6a33326333711ad1f58c6f9

SHA1
71dd86900df72c13cb44a79c48985211587006b0

SHA256
4035d8b3fc58f6df02fa34a4c5909e0ab081408140cbccd3600ad197f7683045

SHA512
e4d3faf74ae9086cc2bc535708b18adde83a820f3b7ed7b0da209d23a4e4914ab00d55f4002ea7575d623f06dcdfeefa6bc762ad62cc3fdecb60e44ad7529aea

Download Submit
memory/2452-61-0x000000001E9B0000-0x000000001F51A000-memory.dmp

Filesize
11.4MB

Download
memory/2452-31-0x0000000000930000-0x0000000001026000-memory.dmp

Filesize
7.0MB

Download
memory/2832-9-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-12-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-10-0x000000013FAA0000-0x0000000140824000-memory.dmp

Filesize
13.5MB

Download
memory/2832-34-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-50-0x0000000000CF0000-0x0000000000D04000-memory.dmp

Filesize
80KB

Download
memory/2972-11-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2972-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-1-0x0000000000A20000-0x00000000017AA000-memory.dmp

Filesize
13.5MB

Download
memory/3004-60-0x000007FEEF3E0000-0x000007FEEF9D0000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads