xworm | 774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888

General

Target

x.exe
Size

50KB
MD5

20e2bdf68c3b6acfda5735422b64cbea
SHA1

181aa68712a5e2f06f136e065291f083c35f32dc
SHA256

774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888
SHA512

188c77234438a34673cc2b2164c180ff0b3d9f35ff2b17c704b36acb655d47a2a034632a59a3ed4945daae692316774c8a6fd53e80ffc53217c8045f7bc88b36
SSDEEP

1536:Tf05a/CTjo89wFc9UR68OMuodS1EAd8IIm:Tf05a/CTD9wFc9U3OMhgEA6IIm

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

103.216.158.119:7000

Mutex

gjV5QKceVphN17zl

Attributes

Install_directory
%ProgramData%
install_file
VLC_media.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-1-0x0000000001230000-0x0000000001242000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2428 powershell.exe
2592 powershell.exe
2644 powershell.exe
1064 powershell.exe

pid	process
2428	powershell.exe
2592	powershell.exe
2644	powershell.exe
1064	powershell.exe

Drops startup file 2 IoCs

Processes:

x.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_media.lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_media.lnk	x.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exex.exe

pid process

2592 powershell.exe
2644 powershell.exe
1064 powershell.exe
2428 powershell.exe
2240 x.exe

flow	ioc
2	ip-api.com

pid	process
2592	powershell.exe
2644	powershell.exe
1064	powershell.exe
2428	powershell.exe
2240	x.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

x.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2240	x.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2240	x.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

x.exe

pid process

2240 x.exe

pid	process
2240	x.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

x.exe

description	pid	process	target process
PID 2240 wrote to memory of 2592	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2592	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2592	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2644	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2644	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2644	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 1064	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 1064	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 1064	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2428	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2428	2240	x.exe	powershell.exe
PID 2240 wrote to memory of 2428	2240	x.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_media.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_media.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDRS6ZY5AALLHBGQO3XD.temp

Filesize
7KB

MD5
141d7da9591439732a769b7e34ba7362

SHA1
3820fa0dbe2b4d6ef9eeb63f1a2bf203d800db83

SHA256
8b9615ef6e38fab6adcb46045d375bd02a6e779889c2dcde329e73abefb25e99

SHA512
adda32804c7ad627ac8009aa415b38f4af00e6178ef75c9ac75c3fed1b812c1d49e4104cf4697fd76090c49d305558021119ac467aad8ff1c1b68b4bf4747519

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2240-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/2240-2-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2240-31-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2240-32-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-7-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2592-8-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2644-14-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2644-15-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads