xworm | 25d0b5d3b68e80dd26385aff712359be798badcf427e7835d71721b1ae777fce

General

Target

SearchFilterHo.exe
Size

849KB
MD5

6bf6eaaac80868bffef1004a3fa45c0f
SHA1

86451794016ed34f3be20f10fa9374b4d566ecb1
SHA256

25d0b5d3b68e80dd26385aff712359be798badcf427e7835d71721b1ae777fce
SHA512

ae5de6ee5a653d210f52e0e0e49532eb37b58e49a74abc322094de8d9a29a6d6effce0534241216a74c62ae0a4b3b8fb4d94bcee4827d1ca391f035fd4d88e93
SSDEEP

12288:XUQfymWBId3aco3NrBIPa9uLFRGFPqULhj93fzq8t5GpX:XUEdqcodNI+EFW1F9Pzq65GJ

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

83.38.24.1:1603

Attributes

Install_directory
%Public%
install_file
OneDrive.exe

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0003000000018334-5.dat	family_xworm
behavioral1/files/0x0008000000019515-12.dat	family_xworm
behavioral1/memory/2696-11-0x0000000000270000-0x00000000002A2000-memory.dmp	family_xworm
behavioral1/files/0x00080000000195a9-16.dat	family_xworm
behavioral1/files/0x00070000000195ab-20.dat	family_xworm
behavioral1/files/0x0007000000019547-26.dat	family_xworm
behavioral1/memory/2164-28-0x0000000000AB0000-0x0000000000AF2000-memory.dmp	family_xworm
behavioral1/memory/2792-29-0x0000000000800000-0x0000000000828000-memory.dmp	family_xworm
behavioral1/memory/2920-30-0x00000000011F0000-0x0000000001214000-memory.dmp	family_xworm
behavioral1/memory/2204-31-0x0000000000160000-0x0000000000174000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 5 IoCs

pid	Process
2696	OneDrive.exe
2792	SearchFilterHost.exe
2164	SecurityHealthSystray.exe
2204	svhost.exe
2920	WmiPrvSE.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
3	ip-api.com
4	ip-api.com
5	ip-api.com
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	OneDrive.exe
Token: SeDebugPrivilege	2164	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2920	WmiPrvSE.exe
Token: SeDebugPrivilege	2204	svhost.exe
Token: SeDebugPrivilege	2792	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2696	1064	SearchFilterHo.exe	30
PID 1064 wrote to memory of 2696	1064	SearchFilterHo.exe	30
PID 1064 wrote to memory of 2696	1064	SearchFilterHo.exe	30
PID 1064 wrote to memory of 2792	1064	SearchFilterHo.exe	31
PID 1064 wrote to memory of 2792	1064	SearchFilterHo.exe	31
PID 1064 wrote to memory of 2792	1064	SearchFilterHo.exe	31
PID 1064 wrote to memory of 2164	1064	SearchFilterHo.exe	32
PID 1064 wrote to memory of 2164	1064	SearchFilterHo.exe	32
PID 1064 wrote to memory of 2164	1064	SearchFilterHo.exe	32
PID 1064 wrote to memory of 2204	1064	SearchFilterHo.exe	33
PID 1064 wrote to memory of 2204	1064	SearchFilterHo.exe	33
PID 1064 wrote to memory of 2204	1064	SearchFilterHo.exe	33
PID 1064 wrote to memory of 2920	1064	SearchFilterHo.exe	34
PID 1064 wrote to memory of 2920	1064	SearchFilterHo.exe	34
PID 1064 wrote to memory of 2920	1064	SearchFilterHo.exe	34

C:\Users\Admin\AppData\Local\Temp\SearchFilterHo.exe
"C:\Users\Admin\AppData\Local\Temp\SearchFilterHo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\OneDrive.exe
  "C:\Users\Admin\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Users\Admin\SearchFilterHost.exe
  "C:\Users\Admin\SearchFilterHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Users\Admin\SecurityHealthSystray.exe
  "C:\Users\Admin\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Users\Admin\svhost.exe
  "C:\Users\Admin\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Users\Admin\WmiPrvSE.exe
  "C:\Users\Admin\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OneDrive.exe

Filesize
174KB

MD5
4a5eed221edf94019849f611973a5376

SHA1
0484d7a1fe2c4eb8013444016afbcae173020b6f

SHA256
b2b2fb1e247b886ab782763860bca0f2bf4e41eef16bf6e9e41b69e24605bf16

SHA512
2f590364fd6daf8b332579ee4d04816403de1cdd7c8df9422f14766f92603f80db43749ca86976879902ab923b18d58e42208d35c0c84986e7a91b6864fce8e3

Download Submit
C:\Users\Admin\SearchFilterHost.exe

Filesize
140KB

MD5
2aaa9d62fd4edb40e4ed11bc00c8fb03

SHA1
a754ede011b6ab6160f38abbc393cc9896ad0130

SHA256
95949d50cbe1539285141ed602a5f6043d2d2d2447ddd4bc991d2918cc73da6b

SHA512
c9c18d8ab6b404a9888a98be246f3a863279f0b49b6ff982fcbe0c4d83a2a696f7a3c3e18c7ec41cccc364e391802007d9a9bf6fe1c49146d71377b96c918c94

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
240KB

MD5
dc3c3b862e58da1501e5c2a6c7996215

SHA1
7971922fcb52e5a6a68ca7647bb1d9840d173686

SHA256
1093b52ec29400724e79a1d4175013e6561c788709e58cc69e192e3d971ce319

SHA512
1dffe6eebfadde3a4c12fb7426f59c602f00195a0d5a3b5acf19d77429ce9ff6a6b78198b3cde935ad30ccec243cb9aa4a1a409700d722da2dc172cd9733331f

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
124KB

MD5
f79800bf6bb985555b2c1ec111875104

SHA1
dbe7f0dcee1a701e4ae5f095f94d1b42c354fe31

SHA256
a368e93d24d8e156adb1f1800cbe31ad820fac04a9fcc0a15c8a716057ccdf87

SHA512
34cb03265366e021cab4aeb3166183d96735fdefd8bb79d9017304eaf50b031345330ef6da5570a372a8bfea6b5e65b15ecc24da59c8d968234d78773b571342

Download Submit
C:\Users\Admin\svhost.exe

Filesize
56KB

MD5
9371f877a385e2e442585e31b90dd76a

SHA1
3087f5a52409637384d5629f16316cf8d5927df4

SHA256
ea289415f918d635beb78fe3c156f78df9016989bb81e5c624f7cab61a68080a

SHA512
64b2eb9af5008191ab25460372a052baf5d5618ebc26a6504d201b84460d56a6cb092f70a799d2b9956c0c8b3575923ca6e6f58d09ae2dd014ab73e7bc1888f7

Download Submit
memory/1064-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1064-1-0x0000000000160000-0x000000000023A000-memory.dmp

Filesize
872KB

Download
memory/2164-28-0x0000000000AB0000-0x0000000000AF2000-memory.dmp

Filesize
264KB

Download
memory/2204-31-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/2696-11-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/2696-32-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-33-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-29-0x0000000000800000-0x0000000000828000-memory.dmp

Filesize
160KB

Download
memory/2920-30-0x00000000011F0000-0x0000000001214000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing