xworm | 490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3

General

Target

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
Size

41KB
MD5

5c48fe3471cf8db3c8c1cc1278566ec7
SHA1

ec5b1513df34018699823939858846dceed347a7
SHA256

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3
SHA512

ac91cd0780099d02ee3d57962439812d5a5c147177caabbddedf2da274720c953543de7b8ce33d83cde8a5b9043736c75eac17779940292e5fa3024ca048320d
SSDEEP

768:tCJu44/aeqvujYXJMs5afEHDmaFWPa926OwhZZameu:tgu44/imwKsEfapFv926OwRzeu

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

copy-nigeria.gl.at.ply.gg:21026

Mutex

hHrxBd1WbcJItcMM

Attributes

Install_directory
%ProgramData%
install_file
Desktop Windows Manager.exe
telegram
https://api.telegram.org/bot7269786725:AAF0IPx1BWTdW_vbZqP8HGNrxWWFpF5CvYs/sendMessage?chat_id=5465523859

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2212-1-0x0000000000F50000-0x0000000000F60000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2360 cmd.exe

pid	process
2360	cmd.exe

Drops startup file 2 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Windows Manager.lnk	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Windows Manager.lnk	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Windows Manager = "C:\\ProgramData\\Desktop Windows Manager.exe"	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

816 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2796 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid process

2212 490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid	process
816	timeout.exe

pid	process
2796	schtasks.exe

pid	process
2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

description	pid	process
Token: SeDebugPrivilege	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
Token: SeDebugPrivilege	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid process

2212 490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid	process
2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.execmd.exe

description	pid	process	target process
PID 2212 wrote to memory of 2796	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2212 wrote to memory of 2796	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2212 wrote to memory of 2796	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2212 wrote to memory of 2988	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2212 wrote to memory of 2988	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2212 wrote to memory of 2988	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2212 wrote to memory of 2360	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	cmd.exe
PID 2212 wrote to memory of 2360	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	cmd.exe
PID 2212 wrote to memory of 2360	2212	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	cmd.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	timeout.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	timeout.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
"C:\Users\Admin\AppData\Local\Temp\490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Desktop Windows Manager" /tr "C:\ProgramData\Desktop Windows Manager.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2796
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "Desktop Windows Manager"
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp59F3.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp59F3.tmp.bat

Filesize
216B

MD5
53bd8afaab8ae6fb6a0253ebb7651dc8

SHA1
a5e7083ac34cd81c11314c6cf44cf23fc11af967

SHA256
fb8165578c0ac31f381a06893de4a15315d41f805d70b25fc74a02f925bf133b

SHA512
5d8caec18aac0e8ca093836ad7d2c7bc9fe9e0fb97ce7a4ae117eb52f9c3fe8647049a345f7fcd7ab45b35c881844a2c2d9a94fd39eae203a037248fc5568f56

Download Submit
memory/2212-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2212-1-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/2212-6-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-7-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2212-8-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-19-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads