xworm | dcdbe508d0df17aee3990fe5e92adbe5eb224ce37ffe065309e915fb6a3753d5

General

Target

jjjjjjjj.exe
Size

878KB
MD5

0d33945fc6c87fb66367a372e6720061
SHA1

7b35613a5ab231eee431cc59a4875e29df566f31
SHA256

dcdbe508d0df17aee3990fe5e92adbe5eb224ce37ffe065309e915fb6a3753d5
SHA512

ff2406750bd34eb9143e7e9a175b1babf39b31a13f5410987d4fe01aa1a1d526be369f6d5f41f7823fa0f2024c77b817d74a45dec2134653a94aba71e33547f6
SSDEEP

12288:8EcjvXrQXIo5VImI+M+WLourRNN6wa/XKsR0CcxB49X85GpX:8NjrIVZIJPNha/X50CcxV5GJ

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

83.38.24.1:1603

Attributes

Install_directory
%Temp%
install_file
SecurityHealthSystray.exe

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ace-5.dat	family_xworm
behavioral1/memory/856-10-0x0000000000090000-0x00000000000D4000-memory.dmp	family_xworm
behavioral1/files/0x0008000000016cf0-12.dat	family_xworm
behavioral1/memory/2476-15-0x00000000010C0000-0x00000000010E4000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016d1c-22.dat	family_xworm
behavioral1/files/0x0007000000016d0c-19.dat	family_xworm
behavioral1/files/0x0009000000016d3f-25.dat	family_xworm
behavioral1/memory/1820-30-0x0000000001180000-0x0000000001194000-memory.dmp	family_xworm
behavioral1/memory/2808-29-0x00000000008F0000-0x000000000091C000-memory.dmp	family_xworm
behavioral1/memory/2724-31-0x0000000000EB0000-0x0000000000EE2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 5 IoCs

pid	Process
856	SecurityHealthSystray.exe
2476	WmiPrvSE.exe
2724	OneDrive.exe
2808	SearchFilterHost.exe
1820	svhost.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
11	ip-api.com
12	ip-api.com
8	ip-api.com
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	WmiPrvSE.exe
Token: SeDebugPrivilege	856	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2808	SearchFilterHost.exe
Token: SeDebugPrivilege	1820	svhost.exe
Token: SeDebugPrivilege	2724	OneDrive.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 856	2332	jjjjjjjj.exe	31
PID 2332 wrote to memory of 856	2332	jjjjjjjj.exe	31
PID 2332 wrote to memory of 856	2332	jjjjjjjj.exe	31
PID 2332 wrote to memory of 2476	2332	jjjjjjjj.exe	32
PID 2332 wrote to memory of 2476	2332	jjjjjjjj.exe	32
PID 2332 wrote to memory of 2476	2332	jjjjjjjj.exe	32
PID 2332 wrote to memory of 2724	2332	jjjjjjjj.exe	33
PID 2332 wrote to memory of 2724	2332	jjjjjjjj.exe	33
PID 2332 wrote to memory of 2724	2332	jjjjjjjj.exe	33
PID 2332 wrote to memory of 2808	2332	jjjjjjjj.exe	34
PID 2332 wrote to memory of 2808	2332	jjjjjjjj.exe	34
PID 2332 wrote to memory of 2808	2332	jjjjjjjj.exe	34
PID 2332 wrote to memory of 1820	2332	jjjjjjjj.exe	35
PID 2332 wrote to memory of 1820	2332	jjjjjjjj.exe	35
PID 2332 wrote to memory of 1820	2332	jjjjjjjj.exe	35

C:\Users\Admin\AppData\Local\Temp\jjjjjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjjjjjjj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\SecurityHealthSystray.exe
  "C:\Users\Admin\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Users\Admin\WmiPrvSE.exe
  "C:\Users\Admin\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Users\Admin\OneDrive.exe
  "C:\Users\Admin\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Users\Admin\SearchFilterHost.exe
  "C:\Users\Admin\SearchFilterHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Users\Admin\svhost.exe
  "C:\Users\Admin\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OneDrive.exe

Filesize
177KB

MD5
321e9bcf67cbbbc238c123f42a2a6e62

SHA1
01346677f67ae5df7df9cd2cab70fa342b3a4c32

SHA256
8e88ef60280096bc438183cdd0ff866e23412c319a0ce7b41ffade3f55425002

SHA512
c83f5ecb5e88a11853f9a2a07b39fdce3e14cc03c0366f020d74cd75aae406f9347c4a6b81e830e974fc290efdf444b30d8cf1316ee8777b4f2501ef3bcb2555

Download Submit
C:\Users\Admin\SearchFilterHost.exe

Filesize
154KB

MD5
e83d7a2812b8b9fc0b168baef465c8ab

SHA1
d708a9b78001ab9e4708091e241c64dc5b3b6a9e

SHA256
c0666c0fad2ce0cca691b9a6b9f8bc59e8e5319e8a79961d7aa4eabba3b3cd0d

SHA512
b49c0d14769c4aa949329b76b92f913746949887343c6567077ddc4d40e5613c1887d76bd0fcca7bdf4b59e1fa37c3184fd897d87210e8dce6c88bab60b1484b

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
251KB

MD5
a7209832f2c21ce4c6e351b1f1d4749c

SHA1
5849477602755a1a2be4fc2a8a395dc8f523fc07

SHA256
b5ed60d7bda3cfe44a7397c5378ed4bce4f8a700508835a4b58169a74e355ea8

SHA512
912f4355fa7c64d5da527d7b7ed3389690c39a6fa89192efc5a8093d4425f00f47c2ecd182f86df720d9c3b471a34ec659235ad35780a794cfa2ebe065220ea1

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
122KB

MD5
7d9b4554f40cff6fd14f88a1d962aa18

SHA1
7e2b4a48208cb5a16ad28e28b8deff672b39f91c

SHA256
af1a768786ee5fbc4ee20de4d7ac56fc22b88e37382579e007b68ffba53a91a2

SHA512
b5d892c3f495442680f6fa10b556085b051a72a258781619442ae8f4afd483511f4b634375c62d75bb0d99d39a80f4e936360b2df4454685f74aef7305b684ba

Download Submit
C:\Users\Admin\svhost.exe

Filesize
58KB

MD5
9a363c5e7413fdc762f6999441cfe0d3

SHA1
536de532e5e06e64ecf0692da96fa704bbfaa88c

SHA256
5bbd989946339b7a649afc76fdc1f724880a04449ad7cf8cba2cc191384dc0f5

SHA512
00732d099d7a78e7010ba4beebdaa6f3a3c4439a47f52bf641f1f206d828e7f82c862c39ab6995131e841880c9c6a05f41b1cce3f476c760664534c8b46248f5

Download Submit
memory/856-10-0x0000000000090000-0x00000000000D4000-memory.dmp

Filesize
272KB

Download
memory/856-32-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/856-33-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-30-0x0000000001180000-0x0000000001194000-memory.dmp

Filesize
80KB

Download
memory/2332-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000000210000-0x00000000002F0000-memory.dmp

Filesize
896KB

Download
memory/2476-15-0x00000000010C0000-0x00000000010E4000-memory.dmp

Filesize
144KB

Download
memory/2724-31-0x0000000000EB0000-0x0000000000EE2000-memory.dmp

Filesize
200KB

Download
memory/2808-29-0x00000000008F0000-0x000000000091C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing