xworm | 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2

General

Target

4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe
Size

1.4MB
MD5

3dcc9cfed0a716b6ad3c4f4aaf1a1f46
SHA1

e512e9a92247439ca3bbb8e412ec46f191025b41
SHA256

4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2
SHA512

9400b6f93ea25a644be656d2a1d9d3ba7a44ba2abdeb2140e6428fcdd4ba198216628c094602684744de2293bcbfe7e323c6ad74e4d7c6e16c77b66d1f65666c
SSDEEP

24576:bvx5AU4Cte393UvHQbyGDfa1HSiSvcXKF41oVMz8f9ShSpwRs6MmgBXzAnPcWJ+G:bvPJ4Ue1IweVpSiGIec8Pr6MmgBX3H0g

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

authors-reflections.gl.at.ply.gg:19578

Mutex

QxbISg5F4EKZB8tq

Attributes

Install_directory
%AppData%
install_file
edge.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b65-6.dat	family_xworm
behavioral2/memory/5108-17-0x0000000000CA0000-0x0000000000CB0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	rat.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk	rat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk	rat.exe

Executes dropped EXE 4 IoCs

pid	Process
5108	rat.exe
2820	freeware.exe
3136	edge.exe
4584	edge.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edge = "C:\\Users\\Admin\\AppData\\Roaming\\edge.exe"	rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3856	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	rat.exe
Token: SeDebugPrivilege	5108	rat.exe
Token: SeDebugPrivilege	3136	edge.exe
Token: SeDebugPrivilege	4584	edge.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 5108	3148	4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe	87
PID 3148 wrote to memory of 5108	3148	4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe	87
PID 3148 wrote to memory of 2820	3148	4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe	88
PID 3148 wrote to memory of 2820	3148	4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe	88
PID 5108 wrote to memory of 3856	5108	rat.exe	90
PID 5108 wrote to memory of 3856	5108	rat.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe
"C:\Users\Admin\AppData\Local\Temp\4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\rat.exe
  "C:\Users\Admin\AppData\Local\Temp\rat.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\Admin\AppData\Roaming\edge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3856
- C:\Users\Admin\AppData\Local\Temp\freeware.exe
  "C:\Users\Admin\AppData\Local\Temp\freeware.exe"
  2⤵
  - Executes dropped EXE
  PID:2820

C:\Users\Admin\AppData\Roaming\edge.exe
C:\Users\Admin\AppData\Roaming\edge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\AppData\Roaming\edge.exe
C:\Users\Admin\AppData\Roaming\edge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\edge.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\freeware.exe

Filesize
2.2MB

MD5
bfdfa3fae0bf91d83dddf5a708dbefb1

SHA1
efde91e21be9cc72f232ff7eece993d044308bb7

SHA256
7ead32808ab47500ff3e36fc1b4702e797457acc46e2769cd23004e5faeb6761

SHA512
740429d8d3e15eb4da2ed45f5c3bbe159d3f8c4b734044a26a478f71e6b529881ca0a198a00578105bffdd34b013b024d6d94f404aee91c1eac0a53414f25a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rat.exe

Filesize
39KB

MD5
0f43e9b3d93b65843f0346d76282bdc7

SHA1
140be5eec263cdbadb57579201aa7ccacd3c770d

SHA256
108ff90bf1870b1618ccba08ffa06dae87028f514bdf2410b46204afa2f8248b

SHA512
e322da86925d29c214223f7e05c52b86104333d8e6a28c8f91a2b261b5b50dd08a209efba59aeaee17607be52ec2c2405030fc6945ce11fa0dca01fefda8a029

Download Submit
memory/3148-0-0x00007FFBB9E73000-0x00007FFBB9E75000-memory.dmp

Filesize
8KB

Download
memory/3148-1-0x0000000000640000-0x00000000007AC000-memory.dmp

Filesize
1.4MB

Download
memory/3148-10-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3148-24-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/5108-17-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/5108-20-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/5108-30-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/5108-31-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/5108-32-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads