xworm | 142dce4d50bffc85131e35fa916425b5cfc94b7758c7ecf5588a3791efa72d71

General

Target

gfdgfdg.exe
Size

55KB
MD5

ec7118f4d87eb6f7345c736c6518b731
SHA1

7c98568b3ac601e29c09d589771c6d4fa22dac97
SHA256

142dce4d50bffc85131e35fa916425b5cfc94b7758c7ecf5588a3791efa72d71
SHA512

bc444358189e20b6c7f741dc1126f8035fb4b0b03e8bc0ce5dec30b6b373b5534afd7681d04ed1c7fa21a347bcfc74e26892661d6e4f717668c28d5282164db3
SSDEEP

1536:aqdMs+GT6wUUfjZ7p+bexQV6EO7HpPMm:0UrP+bexgO7H+m

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

award-nails.gl.at.ply.gg:43867

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2656-1-0x00000000013A0000-0x00000000013B4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
2132	powershell.exe
2516	powershell.exe
2928	powershell.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	gfdgfdg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	gfdgfdg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1876	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2600	powershell.exe
2132	powershell.exe
2516	powershell.exe
2928	powershell.exe
2656	gfdgfdg.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	gfdgfdg.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2656	gfdgfdg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2656	gfdgfdg.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2600	2656	gfdgfdg.exe	28
PID 2656 wrote to memory of 2600	2656	gfdgfdg.exe	28
PID 2656 wrote to memory of 2600	2656	gfdgfdg.exe	28
PID 2656 wrote to memory of 2132	2656	gfdgfdg.exe	30
PID 2656 wrote to memory of 2132	2656	gfdgfdg.exe	30
PID 2656 wrote to memory of 2132	2656	gfdgfdg.exe	30
PID 2656 wrote to memory of 2516	2656	gfdgfdg.exe	32
PID 2656 wrote to memory of 2516	2656	gfdgfdg.exe	32
PID 2656 wrote to memory of 2516	2656	gfdgfdg.exe	32
PID 2656 wrote to memory of 2928	2656	gfdgfdg.exe	34
PID 2656 wrote to memory of 2928	2656	gfdgfdg.exe	34
PID 2656 wrote to memory of 2928	2656	gfdgfdg.exe	34
PID 2656 wrote to memory of 2548	2656	gfdgfdg.exe	39
PID 2656 wrote to memory of 2548	2656	gfdgfdg.exe	39
PID 2656 wrote to memory of 2548	2656	gfdgfdg.exe	39
PID 2548 wrote to memory of 1876	2548	cmd.exe	41
PID 2548 wrote to memory of 1876	2548	cmd.exe	41
PID 2548 wrote to memory of 1876	2548	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\gfdgfdg.exe
"C:\Users\Admin\AppData\Local\Temp\gfdgfdg.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gfdgfdg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gfdgfdg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF91E.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF91E.tmp.bat

Filesize
159B

MD5
638723bf0b87f6d43553e06f399026c7

SHA1
ca7f0fdb93d397dfde71cdde68826b11fd6989ca

SHA256
9e4d07e4f8f75284d3503195262ceeb16c104e1de3528e93e78c871905ee7070

SHA512
6628f529da363abe39fb83ec7cd74e38c77838b20966f444f0b10d8a9c058de8e2e4061dad3fc27e547332960e0c05d3b14f3d4a421fec1091576797c2c0bbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dc2eef01b5acf9e0cf0ddb499cf4308d

SHA1
50cb84c7f0964fc7cdc7db8c21b2dfb8282fe281

SHA256
809cee57b2cdfd71b806b3e568f33d612cbc7e010d0819623901425bf0506916

SHA512
bbcdd71e2de94da6bc1deb0a6e082b6f1b993807700784651a89228ffe6a04518e13f60c0dd46e2a26ea8002187380f45f17a3666dbd1a8288580d4f23887d7e

Download Submit
memory/2132-14-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2132-15-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2600-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2600-8-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2600-6-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2656-0-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

Filesize
4KB

Download
memory/2656-32-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/2656-33-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

Filesize
4KB

Download
memory/2656-34-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/2656-1-0x00000000013A0000-0x00000000013B4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing