xworm | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4

General

Target

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
Size

9.6MB
MD5

dbbc877901e2a5a8c73c77b28a699960
SHA1

c4ac39e195c4c76110958801ef482ac5d1af8941
SHA256

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4
SHA512

9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da
SSDEEP

196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

178.215.236.225:7000

Attributes

Install_directory
%AppData%
install_file
TaskSchedular.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233e7-33.dat	family_xworm
behavioral2/memory/3632-42-0x0000000000430000-0x000000000044A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Phantom Ware.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchedular.lnk	UD-Drop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchedular.lnk	UD-Drop.exe

Executes dropped EXE 2 IoCs

pid	Process
1860	Phantom Ware.exe
3632	UD-Drop.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Phantom Ware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Phantom Ware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Phantom Ware.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3632	UD-Drop.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	UD-Drop.exe
Token: SeDebugPrivilege	3632	UD-Drop.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3632	UD-Drop.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1860	3972	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	83
PID 3972 wrote to memory of 1860	3972	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	83
PID 3972 wrote to memory of 3632	3972	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	84
PID 3972 wrote to memory of 3632	3972	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	84

C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
"C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe
  "C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1860
- C:\Users\Admin\AppData\Roaming\UD-Drop.exe
  "C:\Users\Admin\AppData\Roaming\UD-Drop.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll

Filesize
2.1MB

MD5
b429ae86c5be521bc8ca3b164cec3acb

SHA1
387560073ff5a1f2191abc6f75fc34532bbb6dd2

SHA256
3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579

SHA512
eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phantom Ware.deps.json

Filesize
2KB

MD5
ec527d9989f4c77edc6d310b7479df90

SHA1
b5b9ecf1400a9418a887bd4b0eba79c3830b3e7f

SHA256
aca9918e509cf4d3e926fd17ffbda23e6d6fe9d90cf2dfd2df8438a7e51dca4b

SHA512
8e0318daeeae18e22224e67594a5afa0ac556b17e58b91cbf5be2d614db732177ceba74c74731c9fe25949cc69d0eb711f908b9b808a434945a3aa541a1b78d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phantom Ware.dll

Filesize
21KB

MD5
3d493a7df15f464b78063ef251166e75

SHA1
c6154f595850f412d5aed8aea2c15b5c43007f91

SHA256
f8d466af61ebd7bb99c408b87f68f968e8758a2725a13eb11a8355cca3966553

SHA512
f3765220c6ecae34d89c446d447000f44b3760bdd6559322bc845c2fed07b6ecec672a4e728449ca73788b730bde229ece2e64426762a081c1a1f1ba0751149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe

Filesize
135KB

MD5
cb6d53d6568d8f4953ca2a8b4fe83171

SHA1
6b2ff21b333d0052a7ecb22c562fbd15a890595b

SHA256
921766a7852fcb4d43af5e488c93fd75c8f9e7d74d09f8f671d17b9e496800c9

SHA512
c8060d7b1a76f1203113b22c5bc4b43266bfc0784a44094e145e9d316c00df6b22c22e313ade83ced699f787e1a977ab407ce79187efbd6598d3cf8ca0d2c107

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phantom Ware.runtimeconfig.json

Filesize
458B

MD5
07b9a30265ca4e69c7016a1b6e3ffc27

SHA1
3a4af82a2695b1423aedd8b60a5c86793c011b02

SHA256
c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782

SHA512
efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

Download Submit
C:\Users\Admin\AppData\Roaming\UD-Drop.exe

Filesize
75KB

MD5
a375378e75272307aa57d60daf52a685

SHA1
3349d6fc564e63aefca143b0600172b22f758b6f

SHA256
8406be2985a8776e6ee84157e3951ab93c329a53bdceb2c8d21ad82081d3f7ca

SHA512
b70d32375c556583c9349aa2dfbfe762ea7bbe9f6e0b7c2e3f516c1e3415bbabf2b0102c3802c18dd3bab2d0307c57d64d8be87394554a2e8b8d6b2997dd2ed0

Download Submit
memory/3632-42-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/3632-41-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

Filesize
10.8MB

Download
memory/3632-44-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

Filesize
10.8MB

Download
memory/3632-46-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

Filesize
10.8MB

Download
memory/3972-0-0x00007FFD06663000-0x00007FFD06665000-memory.dmp

Filesize
8KB

Download
memory/3972-6-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

Filesize
10.8MB

Download
memory/3972-1-0x00000000001D0000-0x0000000000B76000-memory.dmp

Filesize
9.6MB

Download
memory/3972-45-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads