xworm | b33a3947a9e557981c3cf132f5ec62992edb1202375db16c2dc2a7be1400ee37

General

Target

scieczek.exe
Size

34KB
MD5

6d50cc8357e2d82f1cb48e4355dab4ff
SHA1

7e1b6cdc6608406caffcfc4beac3fdadc61671e7
SHA256

b33a3947a9e557981c3cf132f5ec62992edb1202375db16c2dc2a7be1400ee37
SHA512

3fd300c9384ef472e2bb03087dd882a2e17a0f9f1086f3db4d9ad0508a00e659807a745a2064aed1132d593ac69cbc6bfda80e6476ac375ce7bdf091a1f689e5
SSDEEP

384:eSyXlquOae6oKoBmoDnnGvBLmlvCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuis1K:VyXiBDAtYvC4CaV9FZ9jkOjhW/4D

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

lefferek-42016.portmap.host:61672

budget-compiled.gl.at.ply.gg:61672

Mutex

9U3xtr7TJf46p5TY

Attributes

Install_directory
%AppData%
install_file
DiscordClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/920-1-0x0000000000D70000-0x0000000000D7E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	scieczek.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	scieczek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4400	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	scieczek.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE
4400	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\scieczek.exe
"C:\Users\Admin\AppData\Local\Temp\scieczek.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\FormatResize.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
386B

MD5
be09cfe5a3681459d82bec719ebdc8e1

SHA1
7b1771f5fabe031e68f4f79c91ad6995d2cc1dc3

SHA256
d0324bbc52a31104b3b3d6c670fca0164604de5f428da399bb8ab56c7b2825b4

SHA512
b784875fcc49407d672b3321dd15104ffda4bf99fa24025f99a6940d68956c8ad707743fefc374a7740a80b406bbd252650c9a8b5ef2ead399584c8cbdaabae5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
966cfd08df8049311e55f5b48650aeac

SHA1
503593094d1f8457410f1b88052ebe3a46a4c79c

SHA256
5fc9503329b22a75548b0d587ce6af8d8eae3e8f5c2e361d1f24cee9a7a77dd9

SHA512
2ef199b46e074905fb805b491eadcbd75472a756a2d9795b927ff3a0fb8340016fc66c02b982755763b2085885dbdd80502da3acd56aabe34235d155b272cf0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
1c092ba261e1d5fbbd5014b2db8b478e

SHA1
f01e326b73fa3d845968188da50502e5d5b1c5e0

SHA256
f0feda89b650b858e2b24a7e303262ff5d52c4facef798434c1603b0b230b1e5

SHA512
75ea8dc4007edfc70ecf0614ba1ee713614907f76f90d4242a1bc2678a120489260d3142d54288a009a9d675fbd7187e6e9164504093b4387c71417818dc9606

Download Submit
memory/920-0-0x00007FFECF253000-0x00007FFECF255000-memory.dmp

Filesize
8KB

Download
memory/920-1-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/920-6-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

Filesize
10.8MB

Download
memory/920-7-0x00007FFECF253000-0x00007FFECF255000-memory.dmp

Filesize
8KB

Download
memory/920-8-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

Filesize
10.8MB

Download
memory/920-66-0x0000000001590000-0x000000000159C000-memory.dmp

Filesize
48KB

Download
memory/4400-18-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-30-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-22-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-20-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-23-0x00007FFEADA70000-0x00007FFEADA80000-memory.dmp

Filesize
64KB

Download
memory/4400-19-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-24-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-17-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-28-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-27-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-29-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-31-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-32-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-21-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-26-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-25-0x00007FFEADA70000-0x00007FFEADA80000-memory.dmp

Filesize
64KB

Download
memory/4400-16-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-15-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-10-0x00007FFEB0130000-0x00007FFEB0140000-memory.dmp

Filesize
64KB

Download
memory/4400-12-0x00007FFEF0143000-0x00007FFEF0144000-memory.dmp

Filesize
4KB

Download
memory/4400-14-0x00007FFEB0130000-0x00007FFEB0140000-memory.dmp

Filesize
64KB

Download
memory/4400-49-0x00007FFEF00A0000-0x00007FFEF02A9000-memory.dmp

Filesize
2.0MB

Download
memory/4400-13-0x00007FFEB0130000-0x00007FFEB0140000-memory.dmp

Filesize
64KB

Download
memory/4400-11-0x00007FFEB0130000-0x00007FFEB0140000-memory.dmp

Filesize
64KB

Download
memory/4400-9-0x00007FFEB0130000-0x00007FFEB0140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads