xworm | 2a03094b59e5dbc2e69fa76f01a35c58fb5466c9b47b87d621fb26b0b037ee59

General

Target

SolaraBootstrapper.exe
Size

266KB
MD5

bfea4fbe1ad2dc882c79c09f103fd395
SHA1

48d80787945fc1355ce97ab5dc795cf0e7b25f01
SHA256

2a03094b59e5dbc2e69fa76f01a35c58fb5466c9b47b87d621fb26b0b037ee59
SHA512

2043da716ff26e1fa635a2e13e2191e04c2713ae05eca35540d4148dfbcd2ced76ec977419c10c7d164b1fc0336cad4d7c70267307169aae50c4577484b4204f
SSDEEP

3072:xnkK65+bdKBfKOwcliLvAzII9x66AOag74srxxVfPWKvQIFY623:xndbbwxPqONxTGqQI+62

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

18.ip.gl.ply.gg:19043

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2212-1-0x0000000000D10000-0x0000000000D58000-memory.dmp	family_xworm
behavioral1/memory/2072-6-0x00000000028B0000-0x0000000002930000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
2808	powershell.exe
2072	powershell.exe
2812	powershell.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	SolaraBootstrapper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	SolaraBootstrapper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	SolaraBootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3052	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2072	powershell.exe
2812	powershell.exe
2956	powershell.exe
2808	powershell.exe
2212	SolaraBootstrapper.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2212	SolaraBootstrapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	SolaraBootstrapper.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2072	2212	SolaraBootstrapper.exe	31
PID 2212 wrote to memory of 2072	2212	SolaraBootstrapper.exe	31
PID 2212 wrote to memory of 2072	2212	SolaraBootstrapper.exe	31
PID 2212 wrote to memory of 2812	2212	SolaraBootstrapper.exe	33
PID 2212 wrote to memory of 2812	2212	SolaraBootstrapper.exe	33
PID 2212 wrote to memory of 2812	2212	SolaraBootstrapper.exe	33
PID 2212 wrote to memory of 2956	2212	SolaraBootstrapper.exe	35
PID 2212 wrote to memory of 2956	2212	SolaraBootstrapper.exe	35
PID 2212 wrote to memory of 2956	2212	SolaraBootstrapper.exe	35
PID 2212 wrote to memory of 2808	2212	SolaraBootstrapper.exe	37
PID 2212 wrote to memory of 2808	2212	SolaraBootstrapper.exe	37
PID 2212 wrote to memory of 2808	2212	SolaraBootstrapper.exe	37
PID 2212 wrote to memory of 2908	2212	SolaraBootstrapper.exe	41
PID 2212 wrote to memory of 2908	2212	SolaraBootstrapper.exe	41
PID 2212 wrote to memory of 2908	2212	SolaraBootstrapper.exe	41
PID 2908 wrote to memory of 3052	2908	cmd.exe	43
PID 2908 wrote to memory of 3052	2908	cmd.exe	43
PID 2908 wrote to memory of 3052	2908	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpABA.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpABA.tmp.bat

Filesize
169B

MD5
2d8103574abe70477ef5a1c4343840a8

SHA1
70078512acff6cc890e6fdbc53f43b87a369938b

SHA256
a9c7e70d8ee0f3470196fe7bc502acb1ce93c4e06032ca3fe3896c709422bb48

SHA512
cc013ff1259f887d5b75bddaebdfc9da2cb6dbb0092c77fc534d16147389db84c4bfd9158924af65c4203ab29c6573c1fc38f6142ba7f95136738dcbe615573e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9e22155808c0f8a351a8f6d95c7eec03

SHA1
e5efef69a7e3e82e21156d2d323bdbae0bf7f773

SHA256
90aa8067a18ebe496a5f2cfcc93198d9758fc5011e12eaf50f39689874d6dee6

SHA512
fc32475c5080c50f416d50ad329239c9bc16fd18961940988fb192d7179f7a30b22bdd9c45573f5b5f512697dc4eb99fe2be2d2d49bc2b755b5526c9edac1aa0

Download Submit
memory/2072-6-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2072-7-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2072-8-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2212-32-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2212-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2212-33-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2212-34-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2212-1-0x0000000000D10000-0x0000000000D58000-memory.dmp

Filesize
288KB

Download
memory/2812-15-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2812-14-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads