xworm | 774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888

General

Target

x.exe
Size

50KB
MD5

20e2bdf68c3b6acfda5735422b64cbea
SHA1

181aa68712a5e2f06f136e065291f083c35f32dc
SHA256

774529f26b02e6ac05bafff286f930882b7c8f10b73222b040f7d47430d2a888
SHA512

188c77234438a34673cc2b2164c180ff0b3d9f35ff2b17c704b36acb655d47a2a034632a59a3ed4945daae692316774c8a6fd53e80ffc53217c8045f7bc88b36
SSDEEP

1536:Tf05a/CTjo89wFc9UR68OMuodS1EAd8IIm:Tf05a/CTD9wFc9U3OMhgEA6IIm

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

103.216.158.119:7000

Mutex

gjV5QKceVphN17zl

Attributes

Install_directory
%ProgramData%
install_file
VLC_media.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2240-1-0x0000000001230000-0x0000000001242000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2428	powershell.exe
2592	powershell.exe
2644	powershell.exe
1064	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_media.lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_media.lnk	x.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2592	powershell.exe
2644	powershell.exe
1064	powershell.exe
2428	powershell.exe
2240	x.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	x.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2240	x.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	x.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2592	2240	x.exe	32
PID 2240 wrote to memory of 2592	2240	x.exe	32
PID 2240 wrote to memory of 2592	2240	x.exe	32
PID 2240 wrote to memory of 2644	2240	x.exe	34
PID 2240 wrote to memory of 2644	2240	x.exe	34
PID 2240 wrote to memory of 2644	2240	x.exe	34
PID 2240 wrote to memory of 1064	2240	x.exe	36
PID 2240 wrote to memory of 1064	2240	x.exe	36
PID 2240 wrote to memory of 1064	2240	x.exe	36
PID 2240 wrote to memory of 2428	2240	x.exe	38
PID 2240 wrote to memory of 2428	2240	x.exe	38
PID 2240 wrote to memory of 2428	2240	x.exe	38

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_media.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_media.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDRS6ZY5AALLHBGQO3XD.temp

Filesize
7KB

MD5
141d7da9591439732a769b7e34ba7362

SHA1
3820fa0dbe2b4d6ef9eeb63f1a2bf203d800db83

SHA256
8b9615ef6e38fab6adcb46045d375bd02a6e779889c2dcde329e73abefb25e99

SHA512
adda32804c7ad627ac8009aa415b38f4af00e6178ef75c9ac75c3fed1b812c1d49e4104cf4697fd76090c49d305558021119ac467aad8ff1c1b68b4bf4747519

Download Submit
memory/2240-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/2240-2-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2240-31-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2240-32-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-7-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2592-8-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2644-14-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2644-15-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing