xworm | 5fbae4b6f13ae53c0c72395da9aaff02bdd023adb735512a17d951feb869f124

General

Target

jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe
Size

930KB
MD5

327b7ea8c22c6fde0cc18d55f1b93d6d
SHA1

32212f75534b53e499db147c35e116413e9d93f8
SHA256

5fbae4b6f13ae53c0c72395da9aaff02bdd023adb735512a17d951feb869f124
SHA512

a40a7854947b7a38c7a369885eea28e48a52a275871a2d2038d4b8a6bb01112513ee463cccb9d0deb596331bb0c2debdf8130d3a794472fd7c5170e94d2a5eb1
SSDEEP

24576:tcjJkDRAIlgn/SwykVe6xBpHHd58Alq35GJ:tc1kdAIlKqwX8U/Blq35W

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

83.38.28.117:1603

83.38.24.1:1603

Attributes

Install_directory
%Temp%
install_file
RuntimeBroker.exe

Signatures

Detect Xworm Payload 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012281-5.dat	family_xworm
behavioral1/files/0x001600000001866f-11.dat	family_xworm
behavioral1/memory/2648-10-0x00000000003C0000-0x00000000003D4000-memory.dmp	family_xworm
behavioral1/files/0x000700000001868b-16.dat	family_xworm
behavioral1/files/0x00060000000186f8-24.dat	family_xworm
behavioral1/memory/2424-23-0x0000000000210000-0x0000000000240000-memory.dmp	family_xworm
behavioral1/memory/700-22-0x0000000000080000-0x00000000000C6000-memory.dmp	family_xworm
behavioral1/files/0x0006000000018731-27.dat	family_xworm
behavioral1/files/0x0006000000018742-33.dat	family_xworm
behavioral1/memory/2768-34-0x0000000000FB0000-0x0000000000FC4000-memory.dmp	family_xworm
behavioral1/memory/2120-36-0x00000000012C0000-0x00000000012E4000-memory.dmp	family_xworm
behavioral1/memory/2816-37-0x00000000008A0000-0x00000000008CC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 6 IoCs

pid	Process
2648	RuntimeBroker.exe
700	SecurityHealthSystray.exe
2424	OneDrive.exe
2120	WmiPrvSE.exe
2768	svchost.exe
2816	SearchFilterHost.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
11	ip-api.com
12	ip-api.com
13	ip-api.com
14	ip-api.com
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	RuntimeBroker.exe
Token: SeDebugPrivilege	2424	OneDrive.exe
Token: SeDebugPrivilege	700	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2768	svchost.exe
Token: SeDebugPrivilege	2120	WmiPrvSE.exe
Token: SeDebugPrivilege	2816	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2648	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	31
PID 3016 wrote to memory of 2648	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	31
PID 3016 wrote to memory of 2648	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	31
PID 3016 wrote to memory of 700	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	32
PID 3016 wrote to memory of 700	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	32
PID 3016 wrote to memory of 700	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	32
PID 3016 wrote to memory of 2424	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	33
PID 3016 wrote to memory of 2424	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	33
PID 3016 wrote to memory of 2424	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	33
PID 3016 wrote to memory of 2120	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	34
PID 3016 wrote to memory of 2120	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	34
PID 3016 wrote to memory of 2120	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	34
PID 3016 wrote to memory of 2768	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	35
PID 3016 wrote to memory of 2768	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	35
PID 3016 wrote to memory of 2768	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	35
PID 3016 wrote to memory of 2816	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	36
PID 3016 wrote to memory of 2816	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	36
PID 3016 wrote to memory of 2816	3016	jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe	36

C:\Users\Admin\AppData\Local\Temp\jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjjjjjjjjjjjjjjjjjjjjjjjjjj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\RuntimeBroker.exe
  "C:\Users\Admin\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Users\Admin\SecurityHealthSystray.exe
  "C:\Users\Admin\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Users\Admin\OneDrive.exe
  "C:\Users\Admin\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Users\Admin\WmiPrvSE.exe
  "C:\Users\Admin\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Users\Admin\SearchFilterHost.exe
  "C:\Users\Admin\SearchFilterHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OneDrive.exe

Filesize
170KB

MD5
247956f3e2357939ad85a91ade6871bc

SHA1
d823a32115625d68a6a2bddf78197492a3656da9

SHA256
8b80416b1c2c1fd35981d2ca261578874a599236447f85f91af1e19d50e2d5fc

SHA512
b68bee7c8ae6b17621dd910b9b5753e06e98a136c58e15add84b74a2ebf1a673a85676119a5cfbbbab82b3302bce717a059cb893b219c0565130f304f1ec1ff3

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
59KB

MD5
a2add11711c5fc82860b42735b4996f3

SHA1
986e5d99b1f8f9127e262f7a24513674e5be9868

SHA256
aab3501f022a254e9599189aefadbf636aeda273ee0a0ffc6218ef4955157f41

SHA512
a00305ccd91e673957471e2b2328b8f41339a46c37ed450d06cd1290096efdcd8a0098b68f5b3b59f84a2be2a5f8ce69f057364bff354ca7f9defeb701cc084a

Download Submit
C:\Users\Admin\SearchFilterHost.exe

Filesize
155KB

MD5
c493bed5ff7fffa1c7a378235595654f

SHA1
008dd17c8201eb83106d95ad135ae711880e6f49

SHA256
ebc2b439ce3464a3d6961ad4c8e17245336bb18a7b818ec80c8da9d1513986a2

SHA512
ed8e0956ef559c644e4e1f6a519bbaca82c1cb1ea315fce1e17810037b5cb33b854cb7404630f3c598988618e9bea82c7c272826f2a6f6588ba0f8394c4366c5

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
254KB

MD5
3c4ee8268896f403918024e7be84c5bc

SHA1
1b328cf35cd4ae1aa89ef3a70fd4277b6cb8431e

SHA256
9c075f295379a6c9f6f567d8f2cdd6f67e5cc272aba900a2533e0f7a8fdd2828

SHA512
1b824a62019b910f3c4c3b6f1279a682fc2619c3bfde73a55d270043348ec131f96dcec492eea9c269e54c54bf59f44c27807cc4d8ff55e6d829557d3eee2a7d

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
121KB

MD5
c9c36b58fd4b41a0ca4b27fea908d611

SHA1
27a286d189a9a64ba0d431e24e3ca38acc0edde7

SHA256
4d6a7e99efa2949f2c6e37f5846e40cb6a9b3937f8624654697a93e67cd09ddb

SHA512
5967d8b28d677356a102bbcf0858e1b5dab5160194a5ecd0b3476c4ad4bfadbe1a8678465007ec7f8b0b41b7ea4811151880646bf255459b4dd9ef26536ce13f

Download Submit
C:\Users\Admin\svchost.exe

Filesize
55KB

MD5
d468a3c6966f939a8775fe46c8048583

SHA1
aa9ef0f1201388380a051e9c454612b146f918f5

SHA256
298f2f96d524f2db8b151909a1fb4f8e480bf76f66cd5a5a26c9483b4987a1a3

SHA512
3060f53757c271f0c38128ba72255ce679af8d47c8743aa71a8de2e0b31d7d6afbd34febdf54a77925dadd65bc433e7cfe1064f98f0e41ef21c6931dff0af5c7

Download Submit
memory/700-22-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/2120-36-0x00000000012C0000-0x00000000012E4000-memory.dmp

Filesize
144KB

Download
memory/2424-23-0x0000000000210000-0x0000000000240000-memory.dmp

Filesize
192KB

Download
memory/2648-10-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2648-38-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-39-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-34-0x0000000000FB0000-0x0000000000FC4000-memory.dmp

Filesize
80KB

Download
memory/2816-37-0x00000000008A0000-0x00000000008CC000-memory.dmp

Filesize
176KB

Download
memory/3016-1-0x00000000012D0000-0x00000000013BE000-memory.dmp

Filesize
952KB

Download
memory/3016-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing