xworm | 3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38

General

Target

LadBeams.exe
Size

36KB
MD5

10e43f7859cef3d334e51f2043c7521d
SHA1

0a4d61955bcd2a849d94f3421a1b4c8643a63378
SHA256

3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38
SHA512

22bcdcd592035b12b81c76b896372c05b4ffcb983cac2777510b924a49ed98b74409d6ea83829f3bfe1898dd99532db677b9bdc403a64fbd6eaed7692c3720a3
SSDEEP

768:kra5QDoJFA4g+xCwdW9OFpVFr9oxOwhmu/ZaR:+a5QDeRg+8wgSXFr9oxOw0hR

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

TXNXspXqHQ7kFGni

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1940-1-0x00000000004C0000-0x00000000004D0000-memory.dmp	family_xworm
behavioral1/files/0x0010000000023b3f-8.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	LadBeams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	LadBeams.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk	LadBeams.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk	LadBeams.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk	LadBeams.exe

Executes dropped EXE 26 IoCs

pid	Process
676	LadBeams.exe
3276	LadBeams.exe
4292	LadBeams.exe
2024	LadBeams.exe
1660	LadBeams.exe
5092	LadBeams.exe
3152	LadBeams.exe
636	LadBeams.exe
3564	LadBeams.exe
4592	LadBeams.exe
3816	LadBeams.exe
3456	LadBeams.exe
4756	LadBeams.exe
2256	LadBeams.exe
2388	LadBeams.exe
1556	LadBeams.exe
2356	LadBeams.exe
368	LadBeams.exe
4948	LadBeams.exe
636	LadBeams.exe
3580	LadBeams.exe
4664	LadBeams.exe
4172	LadBeams.exe
1688	LadBeams.exe
4876	LadBeams.exe
2392	LadBeams.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LadBeams = "C:\\Users\\Admin\\AppData\\Roaming\\LadBeams.exe"	LadBeams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LadBeams = "C:\\Users\\Admin\\AppData\\Roaming\\LadBeams.exe"	LadBeams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4636	schtasks.exe
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	LadBeams.exe
2392	LadBeams.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	LadBeams.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	LadBeams.exe
Token: SeDebugPrivilege	676	LadBeams.exe
Token: SeDebugPrivilege	3276	LadBeams.exe
Token: SeDebugPrivilege	4292	LadBeams.exe
Token: SeDebugPrivilege	2024	LadBeams.exe
Token: SeDebugPrivilege	1660	LadBeams.exe
Token: SeDebugPrivilege	5092	LadBeams.exe
Token: SeDebugPrivilege	3152	LadBeams.exe
Token: SeDebugPrivilege	636	LadBeams.exe
Token: SeDebugPrivilege	3564	LadBeams.exe
Token: SeDebugPrivilege	4592	LadBeams.exe
Token: SeDebugPrivilege	3816	LadBeams.exe
Token: SeDebugPrivilege	3456	LadBeams.exe
Token: SeDebugPrivilege	4756	LadBeams.exe
Token: SeDebugPrivilege	2256	LadBeams.exe
Token: SeDebugPrivilege	2388	LadBeams.exe
Token: SeDebugPrivilege	2356	LadBeams.exe
Token: SeDebugPrivilege	368	LadBeams.exe
Token: SeDebugPrivilege	4948	LadBeams.exe
Token: SeDebugPrivilege	636	LadBeams.exe
Token: SeDebugPrivilege	3580	LadBeams.exe
Token: SeDebugPrivilege	4664	LadBeams.exe
Token: SeDebugPrivilege	4172	LadBeams.exe
Token: SeDebugPrivilege	1688	LadBeams.exe
Token: SeDebugPrivilege	4876	LadBeams.exe
Token: SeDebugPrivilege	2392	LadBeams.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1940	LadBeams.exe
2392	LadBeams.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 4636	1940	LadBeams.exe	91
PID 1940 wrote to memory of 4636	1940	LadBeams.exe	91
PID 2392 wrote to memory of 1532	2392	LadBeams.exe	132
PID 2392 wrote to memory of 1532	2392	LadBeams.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LadBeams.exe
"C:\Users\Admin\AppData\Local\Temp\LadBeams.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4636

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\AppData\Roaming\LadBeams.exe
C:\Users\Admin\AppData\Roaming\LadBeams.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LadBeams.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\LadBeams.exe

Filesize
36KB

MD5
10e43f7859cef3d334e51f2043c7521d

SHA1
0a4d61955bcd2a849d94f3421a1b4c8643a63378

SHA256
3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38

SHA512
22bcdcd592035b12b81c76b896372c05b4ffcb983cac2777510b924a49ed98b74409d6ea83829f3bfe1898dd99532db677b9bdc403a64fbd6eaed7692c3720a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk

Filesize
778B

MD5
5624e2f53102282c045bc6fbf292b841

SHA1
8ad487702deca823599dc824fef3f83d3d57a930

SHA256
8ccb0a75c4b4275dd65591898146ab0cd8a3e185a8b9c54694118a199f7bbcd2

SHA512
ae7d4dcddceb9a932fd17d54f25cb0066708aadc8d482ab50dc2b3fa4e2427c3ff7e0d6e2c8e903c53286d07326d8e5659e887a5c2887b291f350764ee38f3d3

Download Submit
memory/676-15-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/676-17-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-0-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

Filesize
8KB

Download
memory/1940-1-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1940-10-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-11-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

Filesize
8KB

Download
memory/1940-12-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-46-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads