xworm | f93887501934040bc35b56e0b058827f7ec0672b952a53291b92e2452364b8e2

General

Target

webhelper.exe
Size

87KB
MD5

e94fdf12b6644d48e75c152f03c73ba8
SHA1

13e7c8626da1d9e9bf8597969780fdc5a8bd17b6
SHA256

f93887501934040bc35b56e0b058827f7ec0672b952a53291b92e2452364b8e2
SHA512

c16633bd4bda2622bafd9e733973a7dcc98a0240369d82726f721079b53da190eb2416d60709f1560ebad449ac497473eef2d09efa70bed1424331af3e9ba36c
SSDEEP

1536:CXDefyFsIzTJ6n8veud9Ai9HbpS4Y+dxSOyBvMO7pl5VGYsdS1EAd8IIU:CXbwVq9ASbpSV+itBvMOtl5VHkgEA6In

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:46540

147.185.221.22:46540

127.0.0.1:4473:46540

Attributes

Install_directory
%AppData%
install_file
perm.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4116-1-0x00000000003D0000-0x00000000003EC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\perm.lnk	webhelper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\perm.lnk	webhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\perm = "C:\\Users\\Admin\\AppData\\Roaming\\perm.exe"	webhelper.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4700	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4556	WINWORD.EXE
4556	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4116	webhelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	webhelper.exe
Token: SeDebugPrivilege	4116	webhelper.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4116	webhelper.exe
4556	WINWORD.EXE
4556	WINWORD.EXE
4556	WINWORD.EXE
4556	WINWORD.EXE
4556	WINWORD.EXE
4556	WINWORD.EXE
4556	WINWORD.EXE
4556	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4324	4116	webhelper.exe	97
PID 4116 wrote to memory of 4324	4116	webhelper.exe	97
PID 4324 wrote to memory of 4700	4324	cmd.exe	99
PID 4324 wrote to memory of 4700	4324	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\webhelper.exe
"C:\Users\Admin\AppData\Local\Temp\webhelper.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF052.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4700

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ClearGroup.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD55F.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF052.tmp.bat

Filesize
161B

MD5
222d7cd6d22087e5168804645ea26e34

SHA1
e2b0683536b7465fe69818c90731cb4abac34305

SHA256
ca04225f7865a6b615f9178df19f4ee6ff712df46ee4663f9efd0d4599bcf6dd

SHA512
1b7c62f0630e84fe6bf16cf29bd5b5a467dba98d7c1dcb29f414aa56eb29e9ab906776e50c20d3cf893611503c49fc5144274dbd7a7427a1a19ea7b8e4fce187

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
390B

MD5
fab5c1ff80dfd174571812432dd403f2

SHA1
4409a152151adf648a55892d902b250b4cbf44f3

SHA256
6f322c2399265a91b41da12e0e96693431abf13e7a82d492dd2bdd0a1a50e34b

SHA512
9e68b3e17941744845eb9c88862e289abe36f0a582b4b8b115f555896f8b096a9b869aa00f220f04bf3a25f4195ecfc110869f6f13c45aef9262200718288478

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7a61ed8387aba5bfc5da01039ea6ffdd

SHA1
0c5f21633b89a06ad3b554fb16fa29c4c103a7a2

SHA256
032c44cd097608a8aa108c606cc9da69fea75ce81b96fc0b8b73286d9096867f

SHA512
d50b34718011d4105393b251549acdb7295f0008a49cf57993cd963a961c13ec06c894f23dc0a53f015951e875c2b2326631a14506266ebdb1d2d30ec464faa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
d63b7487fb0b3d1a0dfbd6ff71f0ea1f

SHA1
7b9bb7380e78f193d3fab9fa29ce244a61746720

SHA256
7cdb12eaa5ef3046db513888be712446a746b6380159f92312d7d891fbf4e029

SHA512
2f1a243e5281def1034ee72f3b11bc63420fd3b1350b7b8fa311af010998a46bcce9f0356f0682c454cbf215efa544f2c4adb562b20e8807b0adda2f8ae4de78

Download Submit
memory/4116-1-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/4116-2-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download
memory/4116-7-0x00007FFDFDD73000-0x00007FFDFDD75000-memory.dmp

Filesize
8KB

Download
memory/4116-8-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download
memory/4116-219-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download
memory/4116-211-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/4116-0-0x00007FFDFDD73000-0x00007FFDFDD75000-memory.dmp

Filesize
8KB

Download
memory/4556-10-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-46-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-19-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-20-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-15-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-22-0x00007FFDD9C30000-0x00007FFDD9C40000-memory.dmp

Filesize
64KB

Download
memory/4556-21-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-24-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-27-0x00007FFDD9C30000-0x00007FFDD9C40000-memory.dmp

Filesize
64KB

Download
memory/4556-26-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-25-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-23-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-18-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-17-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-16-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-9-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-13-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-207-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-208-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-209-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-206-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-210-0x00007FFE1BDF0000-0x00007FFE1BFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4556-14-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-11-0x00007FFDDBE70000-0x00007FFDDBE80000-memory.dmp

Filesize
64KB

Download
memory/4556-12-0x00007FFE1BE8D000-0x00007FFE1BE8E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads