xworm | 2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367

General

Target

2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
Size

32KB
MD5

f573c0949b395692b86f25748c749c89
SHA1

54476d5e6d297492c421b68196e68fb789448d42
SHA256

2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367
SHA512

82a0ae8f63c854bd167c181103f6186ca604f7d2e21a66e90277525c35f239a593cbda8d88323d6f4b67c38f34805fa9eb8d252604e58cc4f4c95cdc3c28a3ed
SSDEEP

384:hhIqUdK0oMtQHXNVc2LABiep2E00f3RaNR+gtFqBLTm9JZw/WyxvDe/uexO/hi/d:j3LMsBABiAn5OZFh9BLO/hi/NUux

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

31.6.50.238:791

Mutex

yqzE81od1dx9E8zX

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1628-1-0x00000000008F0000-0x00000000008FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.lnk	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.lnk	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
Token: SeDebugPrivilege	2628	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
Token: SeDebugPrivilege	2504	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2128	1628	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe	30
PID 1628 wrote to memory of 2128	1628	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe	30
PID 1628 wrote to memory of 2128	1628	2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe	30
PID 2908 wrote to memory of 2628	2908	taskeng.exe	34
PID 2908 wrote to memory of 2628	2908	taskeng.exe	34
PID 2908 wrote to memory of 2628	2908	taskeng.exe	34
PID 2908 wrote to memory of 2504	2908	taskeng.exe	35
PID 2908 wrote to memory of 2504	2908	taskeng.exe	35
PID 2908 wrote to memory of 2504	2908	taskeng.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
"C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367" /tr "C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2128

C:\Windows\system32\taskeng.exe
taskeng.exe {7F9C4460-0A69-4A62-ADCC-C06CA9B0AD8C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
  C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
  C:\Users\Admin\AppData\Local\Temp\2fa8baf79308b175ec6b04ca9d70a91c202bfa3b169157ec372f71b2ba002367.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/1628-3-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-4-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1628-5-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads