xworm | 72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e

General

Target

72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe
Size

298KB
MD5

3e9007a477dd81264659889b9e245c8d
SHA1

7d784a4b63b95f2330217b88e8b1d53b54533ffd
SHA256

72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e
SHA512

2438eab27f992c71fa9379dcf012ad89db79e1c79f92fd32f384c27644891b77ef1be5bec96021a3a44dcbc75085bb8425cf25d8cd80d6dca1e04b361a44a411
SSDEEP

3072:InFK9onOjbJ2QAsSdADRq6ty71wtYM77ldY7AXTp2kA3:IFK9bJuwH77Ppj0kA

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

dane1c-58098.portmap.host:58098

Mutex

NsX6nPqhojvO4ihe

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2480-1-0x00000000001D0000-0x0000000000220000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe
2176	powershell.exe
2700	powershell.exe
2920	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2016	powershell.exe
2176	powershell.exe
2700	powershell.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2016	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	31
PID 2480 wrote to memory of 2016	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	31
PID 2480 wrote to memory of 2016	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	31
PID 2480 wrote to memory of 2176	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	33
PID 2480 wrote to memory of 2176	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	33
PID 2480 wrote to memory of 2176	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	33
PID 2480 wrote to memory of 2700	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	35
PID 2480 wrote to memory of 2700	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	35
PID 2480 wrote to memory of 2700	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	35
PID 2480 wrote to memory of 2920	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	37
PID 2480 wrote to memory of 2920	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	37
PID 2480 wrote to memory of 2920	2480	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe	37

C:\Users\Admin\AppData\Local\Temp\72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe
"C:\Users\Admin\AppData\Local\Temp\72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\DisconnectCheats'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2EI677V5FCLG5HHZTNUP.temp

Filesize
7KB

MD5
e7ba5bcf54843d2c659e3ba7d45a3bf3

SHA1
380e832b9bce671ea840a0133449ec1bc8326942

SHA256
d29b85239bcdb559c36edda56a57891b8ea1856d5efaebd9bb9799cf4d4b7047

SHA512
37dcde9aad8f5c8f8be8bb37f4ed74734342a2284590054cde34d162e46eb92621b619d17d5b7eb7041c00f4273a69f02498b222dbbcd9d7792775b905632eab

Download Submit
memory/2016-6-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2016-7-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2016-8-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2176-14-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2176-15-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2480-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x00000000001D0000-0x0000000000220000-memory.dmp

Filesize
320KB

Download
memory/2480-31-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/2480-32-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing