xworm | 3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e

General

Target

hh.exe
Size

67KB
MD5

ecc0117da91937168d95f94fe2b28840
SHA1

f7c1c88b17173f9403536d0ca1fdfdbb108436e9
SHA256

3cc41a56daee0331512d04dd40e33676820a11615a0f808cb812d496b3fc3a8e
SHA512

b5ed48db56c494396f8002dd61dbc10ca38f3487a9117549b43d3c59a4e580b5e3dc084b62eb5e0b7fc82900bfab79168bf394bab0de76b6971f45f6c84dbb4c
SSDEEP

1536:RbCAX3g4GePVcAye7hC+bu/uwdVedefBRfa6GMO9RDc:JLg+cAX7hC+bu/9mauMOfQ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

0.tcp.ap.ngrok.io:12725

Attributes

Install_directory
%Temp%
install_file
hh.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4044-1-0x0000000000B30000-0x0000000000B48000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4876	powershell.exe
2632	powershell.exe
1912	powershell.exe
3260	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\hh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hh.exe"	hh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1	0.tcp.ap.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1152	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4876	powershell.exe
4876	powershell.exe
2632	powershell.exe
2632	powershell.exe
1912	powershell.exe
1912	powershell.exe
3260	powershell.exe
3260	powershell.exe
4044	hh.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	hh.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	4044	hh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4044	hh.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4876	4044	hh.exe	81
PID 4044 wrote to memory of 4876	4044	hh.exe	81
PID 4044 wrote to memory of 2632	4044	hh.exe	83
PID 4044 wrote to memory of 2632	4044	hh.exe	83
PID 4044 wrote to memory of 1912	4044	hh.exe	85
PID 4044 wrote to memory of 1912	4044	hh.exe	85
PID 4044 wrote to memory of 3260	4044	hh.exe	87
PID 4044 wrote to memory of 3260	4044	hh.exe	87
PID 4044 wrote to memory of 2140	4044	hh.exe	89
PID 4044 wrote to memory of 2140	4044	hh.exe	89
PID 4044 wrote to memory of 4316	4044	hh.exe	92
PID 4044 wrote to memory of 4316	4044	hh.exe	92
PID 4044 wrote to memory of 1924	4044	hh.exe	94
PID 4044 wrote to memory of 1924	4044	hh.exe	94
PID 1924 wrote to memory of 1152	1924	cmd.exe	96
PID 1924 wrote to memory of 1152	1924	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hh.exe
"C:\Users\Admin\AppData\Local\Temp\hh.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hh.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'hh.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hh.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'hh.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "hh" /tr "C:\Users\Admin\AppData\Local\Temp\hh.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2140
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "hh"
  2⤵
  PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A72.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93cb382f21ab5a6e5e8d66f6295e52ad

SHA1
4e8e09cb7b6b1125645da8a412d418dcfe929ce8

SHA256
2dd5b49979c32d4e4de9e4f18920a9a33edd55af7ef8aca34190724649f977ec

SHA512
c09e7f6e3c6d8db7cdf31a064b680c5bf97ce0fa9b0c38499a3dce9d89fea66f75e720800382017ca41963f3afdabc83e8486c680c66307e0f265a1277d45409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cv4c0cqn.5l1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A72.tmp.bat

Filesize
154B

MD5
270465b9145646701774618ae5600782

SHA1
f1f37d316109c84dad6c0fc23b5b77b6d7b88cdc

SHA256
736187755161798dc1b095c33ce1fe8c5f59fbcd4974f82efd6b7cbf214e7138

SHA512
c956976b1b3cdc21775993641777c06b34fec6019e4a6d67c771d00636ad73033c9521d572f0c0cf0b6de2c2774fded6014702139215ccb652c06b5c44011e1c

Download Submit
memory/4044-1-0x0000000000B30000-0x0000000000B48000-memory.dmp

Filesize
96KB

Download
memory/4044-0-0x00007FFFD7BB3000-0x00007FFFD7BB5000-memory.dmp

Filesize
8KB

Download
memory/4044-55-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4044-51-0x000000001C9B0000-0x000000001C9BC000-memory.dmp

Filesize
48KB

Download
memory/4044-50-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4044-49-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4876-11-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4876-17-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4876-14-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4876-13-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4876-12-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/4876-8-0x000001C393210000-0x000001C393232000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads