xworm | b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505

General

Target

SAMX222C.exe
Size

3.3MB
MD5

918951c4657e9cdf39ac1b275bfd2e95
SHA1

7323e59b2c4d60b6639bfcba11f4c02bcb94e347
SHA256

b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505
SHA512

438c7554d8b72db63d598085b2c6fae9bfa1895154ebbaf96a5d2a498459b9a3516611613515f04dbc198edb8b2d7ce2ce63975064f28af63f3efa1e50e3e0d7
SSDEEP

98304:n5rc//PaUFOFWiRbNqz1xC4fkkbcZvqaVRn0:oi1Bc144M5vqaPn0

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012263-3.dat	family_xworm
behavioral1/memory/932-13-0x0000000001260000-0x000000000127A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
2036	powershell.exe
264	powershell.exe
2128	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
932	Realtek HD Audio Universal Service.exe
2924	SAM X222C#.exe
1220	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2220	SAMX222C.exe
2220	SAMX222C.exe
276	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe"	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAMX222C.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SAM X222C#.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SAM X222C#.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SAM X222C#.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SAM X222C#.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SAM X222C#.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
264	powershell.exe
2128	powershell.exe
2944	powershell.exe
2036	powershell.exe
932	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	2924	SAM X222C#.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
932	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 932	2220	SAMX222C.exe	29
PID 2220 wrote to memory of 932	2220	SAMX222C.exe	29
PID 2220 wrote to memory of 932	2220	SAMX222C.exe	29
PID 2220 wrote to memory of 932	2220	SAMX222C.exe	29
PID 2220 wrote to memory of 2924	2220	SAMX222C.exe	30
PID 2220 wrote to memory of 2924	2220	SAMX222C.exe	30
PID 2220 wrote to memory of 2924	2220	SAMX222C.exe	30
PID 2220 wrote to memory of 2924	2220	SAMX222C.exe	30
PID 932 wrote to memory of 264	932	Realtek HD Audio Universal Service.exe	33
PID 932 wrote to memory of 264	932	Realtek HD Audio Universal Service.exe	33
PID 932 wrote to memory of 264	932	Realtek HD Audio Universal Service.exe	33
PID 932 wrote to memory of 2128	932	Realtek HD Audio Universal Service.exe	35
PID 932 wrote to memory of 2128	932	Realtek HD Audio Universal Service.exe	35
PID 932 wrote to memory of 2128	932	Realtek HD Audio Universal Service.exe	35
PID 932 wrote to memory of 2944	932	Realtek HD Audio Universal Service.exe	37
PID 932 wrote to memory of 2944	932	Realtek HD Audio Universal Service.exe	37
PID 932 wrote to memory of 2944	932	Realtek HD Audio Universal Service.exe	37
PID 932 wrote to memory of 2036	932	Realtek HD Audio Universal Service.exe	39
PID 932 wrote to memory of 2036	932	Realtek HD Audio Universal Service.exe	39
PID 932 wrote to memory of 2036	932	Realtek HD Audio Universal Service.exe	39

C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe
"C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
  "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
  "C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CCUZUWME3UBQC4L0E5T.temp

Filesize
7KB

MD5
357608fb58fa8ce8de7168a21a7b1cbd

SHA1
775f53105b6b723fe823e5b29b6165f9d4767ab5

SHA256
b737768b1ade71b80ac2ad804387fb2f0976ed1af8e8bf121bbc0666252da3da

SHA512
6548c904ae704b481a5c1c0917577a2e9ab873ef6879d21025aeb9d8205c9c548d891fa8e06ef02a149cecfde62df602dce15e4bc5ecc794f7e286d48941fd0a

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

Filesize
3.7MB

MD5
ad991add5af431b8d808cf9035a5cd46

SHA1
d7ac382fa834529219db1b76e4d928ff24f1245b

SHA256
a1dfdf32f2a82156bb3007896a9672fa05aba8ce4c668c3f4dce449a1a811a19

SHA512
b876e8380ab97dade3f875a7e0cee2dc598ba55143921bdd1f1d9d2d5be55c25d62b12aaef424227e1450f6ddf67a4e04e3f4fc846182abb842c4c821997cbbd

Download Submit
memory/264-26-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/264-25-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/932-8-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/932-13-0x0000000001260000-0x000000000127A000-memory.dmp

Filesize
104KB

Download
memory/932-49-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/932-32-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/932-19-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-34-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2128-33-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2924-17-0x000000001CA00000-0x000000001CC14000-memory.dmp

Filesize
2.1MB

Download
memory/2924-18-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-16-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-41-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-47-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-15-0x0000000000C20000-0x0000000000FE4000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads