xworm | 0ed5d00adbb329b4e61a9ecea0c8aa263d4d314cdd1544ce5cf88b24f86dd82a

General

Target

hh.exe
Size

49KB
MD5

0bcfec1c5af3494a04036c491e630b65
SHA1

f93c29ab731b839f700e1cffd022e76781a26117
SHA256

0ed5d00adbb329b4e61a9ecea0c8aa263d4d314cdd1544ce5cf88b24f86dd82a
SHA512

3e5321ae24fb7474af438ae9e1c907f6f8a77a81a9702d9b7ceb39b2e79734c232832458f3582f5bd85ca5ff9e8faee2269646efc34f60dd383c670e37aa649b
SSDEEP

1536:4Tujmz5tnrrwwO2RdbR0Qkbbn2THa5nOaDKk:4TuY5cYdbmQkbb2m5nOaWk

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

0.tcp.ap.ngrok.io:12725

Attributes

Install_directory
%Public%
install_file
hh.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4704-1-0x0000000000880000-0x0000000000892000-memory.dmp	family_xworm
behavioral1/files/0x000600000002a868-12.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hh.lnk	hh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hh.lnk	hh.exe

Executes dropped EXE 2 IoCs

pid	Process
3804	hh.exe
3700	hh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\hh = "C:\\Users\\Public\\hh.exe"	hh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1	0.tcp.ap.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1444	NOTEPAD.EXE
2672	NOTEPAD.EXE
1920	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	hh.exe
Token: SeDebugPrivilege	3804	hh.exe
Token: SeDebugPrivilege	3700	hh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 760	4704	hh.exe	80
PID 4704 wrote to memory of 760	4704	hh.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hh.exe
"C:\Users\Admin\AppData\Local\Temp\hh.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "hh" /tr "C:\Users\Public\hh.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:760

C:\Users\Public\hh.exe
C:\Users\Public\hh.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\windows11.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1444

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\windows11.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2672

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1920

C:\Users\Public\hh.exe
C:\Users\Public\hh.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hh.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Public\hh.exe

Filesize
49KB

MD5
0bcfec1c5af3494a04036c491e630b65

SHA1
f93c29ab731b839f700e1cffd022e76781a26117

SHA256
0ed5d00adbb329b4e61a9ecea0c8aa263d4d314cdd1544ce5cf88b24f86dd82a

SHA512
3e5321ae24fb7474af438ae9e1c907f6f8a77a81a9702d9b7ceb39b2e79734c232832458f3582f5bd85ca5ff9e8faee2269646efc34f60dd383c670e37aa649b

Download Submit
memory/3804-14-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/3804-17-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/4704-0-0x00007FFD53DF3000-0x00007FFD53DF5000-memory.dmp

Filesize
8KB

Download
memory/4704-1-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/4704-6-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/4704-7-0x00007FFD53DF3000-0x00007FFD53DF5000-memory.dmp

Filesize
8KB

Download
memory/4704-8-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/4704-9-0x000000001C8F0000-0x000000001C9A0000-memory.dmp

Filesize
704KB

Download
memory/4704-10-0x000000001D0D0000-0x000000001D5F8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads