xworm | 26eb0d93904680fef2d4df49b9d55a6e54f8b341a888bb6bec2fec1e711e9536

General

Target

injector.exe
Size

36KB
MD5

1d9727f02bd353afc1fedee98e4acfbb
SHA1

2263f809ead639430a130976ea4722aacb3e1362
SHA256

26eb0d93904680fef2d4df49b9d55a6e54f8b341a888bb6bec2fec1e711e9536
SHA512

62390fc747f737a15879a521f68827ab73dd26e1ee08837f3eaad542dc435703f98552b187aa19c760dc3a12c1a4d183c4d5450e4458c1a1111f131fd3de97cc
SSDEEP

768:F2C78uvbhLyScu6JBbTZ6VFyc9PZO/h7AX:Ft78utLySuJBbTZwF39PZO/KX

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

six-usb.gl.at.ply.gg:49722

Mutex

TcBEJUp0a8DkShx2

Attributes

Install_directory
%AppData%
install_file
System User.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/5008-1-0x00000000002C0000-0x00000000002D0000-memory.dmp	family_xworm
behavioral2/files/0x000e000000023b6c-7.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	System User.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	System User.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	System User.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	injector.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	injector.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	System User.exe

Executes dropped EXE 3 IoCs

pid	Process
2276	System User.exe
3356	System User.exe
1480	System User.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User.exe"	injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User.exe"	System User.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User.exe"	System User.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3344	schtasks.exe
3800	schtasks.exe
2152	schtasks.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	injector.exe
Token: SeDebugPrivilege	5008	injector.exe
Token: SeDebugPrivilege	2276	System User.exe
Token: SeDebugPrivilege	3356	System User.exe
Token: SeDebugPrivilege	3356	System User.exe
Token: SeDebugPrivilege	1480	System User.exe
Token: SeDebugPrivilege	1480	System User.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3344	5008	injector.exe	97
PID 5008 wrote to memory of 3344	5008	injector.exe	97
PID 3356 wrote to memory of 3800	3356	System User.exe	111
PID 3356 wrote to memory of 3800	3356	System User.exe	111
PID 1480 wrote to memory of 2152	1480	System User.exe	115
PID 1480 wrote to memory of 2152	1480	System User.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3344

C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3800

C:\Users\Admin\AppData\Roaming\System User.exe
"C:\Users\Admin\AppData\Roaming\System User.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System User.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk

Filesize
793B

MD5
50a2696c70487fcf019651394e976755

SHA1
e94089913e4adb9f55a8189ad3706e769354fe02

SHA256
5e70c00c2f632fc7515652359f86d8abe05df6693d4fea83a1a3737e6ff456be

SHA512
5abe55cdc0b88edbc1350a63899357d0edb7956945c68c56d457a41ef24adf40ea4d4419e90e99e61f5cfa62a7e2a6a2ef014edd162dd53b1b464e75a935f7ae

Download Submit
C:\Users\Admin\AppData\Roaming\System User.exe

Filesize
36KB

MD5
1d9727f02bd353afc1fedee98e4acfbb

SHA1
2263f809ead639430a130976ea4722aacb3e1362

SHA256
26eb0d93904680fef2d4df49b9d55a6e54f8b341a888bb6bec2fec1e711e9536

SHA512
62390fc747f737a15879a521f68827ab73dd26e1ee08837f3eaad542dc435703f98552b187aa19c760dc3a12c1a4d183c4d5450e4458c1a1111f131fd3de97cc

Download Submit
memory/2276-9-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-12-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-0-0x00007FFA13EF3000-0x00007FFA13EF5000-memory.dmp

Filesize
8KB

Download
memory/5008-1-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/5008-6-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-10-0x00007FFA13EF3000-0x00007FFA13EF5000-memory.dmp

Filesize
8KB

Download
memory/5008-13-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-14-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/5008-17-0x00007FFA13EF0000-0x00007FFA149B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads