xworm | 490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3

General

Target

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
Size

41KB
MD5

5c48fe3471cf8db3c8c1cc1278566ec7
SHA1

ec5b1513df34018699823939858846dceed347a7
SHA256

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3
SHA512

ac91cd0780099d02ee3d57962439812d5a5c147177caabbddedf2da274720c953543de7b8ce33d83cde8a5b9043736c75eac17779940292e5fa3024ca048320d
SSDEEP

768:tCJu44/aeqvujYXJMs5afEHDmaFWPa926OwhZZameu:tgu44/imwKsEfapFv926OwRzeu

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

copy-nigeria.gl.at.ply.gg:21026

Mutex

hHrxBd1WbcJItcMM

Attributes

Install_directory
%ProgramData%
install_file
Desktop Windows Manager.exe
telegram
https://api.telegram.org/bot7269786725:AAF0IPx1BWTdW_vbZqP8HGNrxWWFpF5CvYs/sendMessage?chat_id=5465523859

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2264-1-0x0000000000F60000-0x0000000000F70000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1056 cmd.exe

pid	process
1056	cmd.exe

Drops startup file 2 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Windows Manager.lnk	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Windows Manager.lnk	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Windows Manager = "C:\\ProgramData\\Desktop Windows Manager.exe"	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1344 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2756 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid process

2264 490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid	process
1344	timeout.exe

pid	process
2756	schtasks.exe

pid	process
2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

description	pid	process
Token: SeDebugPrivilege	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
Token: SeDebugPrivilege	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid process

2264 490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

pid	process
2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.execmd.exe

description	pid	process	target process
PID 2264 wrote to memory of 2756	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2264 wrote to memory of 2756	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2264 wrote to memory of 2756	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2264 wrote to memory of 2892	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2264 wrote to memory of 2892	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2264 wrote to memory of 2892	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	schtasks.exe
PID 2264 wrote to memory of 1056	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	cmd.exe
PID 2264 wrote to memory of 1056	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	cmd.exe
PID 2264 wrote to memory of 1056	2264	490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe	cmd.exe
PID 1056 wrote to memory of 1344	1056	cmd.exe	timeout.exe
PID 1056 wrote to memory of 1344	1056	cmd.exe	timeout.exe
PID 1056 wrote to memory of 1344	1056	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe
"C:\Users\Admin\AppData\Local\Temp\490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Desktop Windows Manager" /tr "C:\ProgramData\Desktop Windows Manager.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2756
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "Desktop Windows Manager"
  2⤵
  PID:2892
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1344

C:\Windows\system32\taskeng.exe
taskeng.exe {43A1B1E1-A071-4558-BE42-F07BCEEFB6F7} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat

Filesize
216B

MD5
5880558d6cc12d4e8f22ff13feeadcb2

SHA1
7d69d4f89643a46db100f1070bf2c57471f5c6c4

SHA256
5e859bfb23243513d2ca9e790b29d5cfb81c037dc1451173f438f6f3f0dc9304

SHA512
a1ba757f0572a8ab35d4cdd46fd8adbffca3d9f86ace7ef751af6302226032e3dfb595df866f1e67b132a610ef6feafd6a664274b62bb26689dc02e36e157641

Download Submit
memory/2264-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2264-6-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2264-7-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2264-8-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2264-20-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads