xworm | b13fcfd29bfe8e7a729b9261e7df409997069b83cf2ebac629ceb099759e1a29

General

Target

99zRat-cleaned.exe
Size

189KB
MD5

742573ed7b27bbeed5ab6126317581c1
SHA1

09f8c8afcf08bc91a0cfefa7602338d1164e6df8
SHA256

b13fcfd29bfe8e7a729b9261e7df409997069b83cf2ebac629ceb099759e1a29
SHA512

f036b60080ccc9a503c6adb05f8ab007a52e1c16cdda55c4ae9c725d38fc007c3885ee87c165be57e08ea7384935e1af033a3ff13af347ce7eeec0ae1373be06
SSDEEP

3072:Uh9z8AlC630+t5+Fiowk18cyf8sX+Qc/cJ6HM2v0hHsxs:UhpnCOsX83f8Sbc/lT

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:63603

37.4.250.236:63603

Attributes

Install_directory
%AppData%
install_file
XwormV6.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0033000000011c23-4.dat	family_xworm
behavioral1/memory/3064-8-0x0000000000E40000-0x0000000000E56000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2880	powershell.exe
2796	powershell.exe
1176	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwormV6.lnk	vchostruntime.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwormV6.lnk	vchostruntime.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	vchostruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2820	powershell.exe
2880	powershell.exe
2796	powershell.exe
1176	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	vchostruntime.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3064	vchostruntime.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3064	2392	99zRat-cleaned.exe	30
PID 2392 wrote to memory of 3064	2392	99zRat-cleaned.exe	30
PID 2392 wrote to memory of 3064	2392	99zRat-cleaned.exe	30
PID 2392 wrote to memory of 2696	2392	99zRat-cleaned.exe	31
PID 2392 wrote to memory of 2696	2392	99zRat-cleaned.exe	31
PID 2392 wrote to memory of 2696	2392	99zRat-cleaned.exe	31
PID 3064 wrote to memory of 2820	3064	vchostruntime.exe	32
PID 3064 wrote to memory of 2820	3064	vchostruntime.exe	32
PID 3064 wrote to memory of 2820	3064	vchostruntime.exe	32
PID 3064 wrote to memory of 2880	3064	vchostruntime.exe	34
PID 3064 wrote to memory of 2880	3064	vchostruntime.exe	34
PID 3064 wrote to memory of 2880	3064	vchostruntime.exe	34
PID 3064 wrote to memory of 2796	3064	vchostruntime.exe	36
PID 3064 wrote to memory of 2796	3064	vchostruntime.exe	36
PID 3064 wrote to memory of 2796	3064	vchostruntime.exe	36
PID 3064 wrote to memory of 1176	3064	vchostruntime.exe	38
PID 3064 wrote to memory of 1176	3064	vchostruntime.exe	38
PID 3064 wrote to memory of 1176	3064	vchostruntime.exe	38

C:\Users\Admin\AppData\Local\Temp\99zRat-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\99zRat-cleaned.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\vchostruntime.exe
  "C:\Users\Admin\AppData\Roaming\vchostruntime.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vchostruntime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vchostruntime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XwormV6.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XwormV6.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Malera.vbs"
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Malera.vbs

Filesize
43B

MD5
deb278e2e3b0e6d6e4d921a804f2a1f0

SHA1
ae9c4ad43f17cd32218b5404b1579f0335446f53

SHA256
a048b5cfd42730f584deee26eefa131545a1828d88c385c9826ca353b05bcc43

SHA512
88e8dc36c69677751dd4c53ceaf79ff5ba680e8d7e479e6c104a90b9cb8392623dd699a9a3929831d79da5be96d00391eb641ccfa3eac87094f917166c895a24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4fb54d9c05f583d9e03281bab99ee06b

SHA1
7113bb9cc119e1289a24f1538286e64ddbc1e873

SHA256
7f622f272f9b7ad306c1c9630a614e5df6c38ff1a9c4ecce7e5acbf85eb97d33

SHA512
d940137b6b9312ab76e2eb2cb728e3d1ff75e7339ab1a11546a68cf0a70f34acb6937936db16cddc4f5ff641d0021c44544549bbf736f4caf026103abac0008c

Download Submit
C:\Users\Admin\AppData\Roaming\vchostruntime.exe

Filesize
61KB

MD5
84d4fae51d1aeb8b522af9b741f3f70d

SHA1
18e856409dba60904d45f5dd91550e87e08c5a79

SHA256
3817f21f7736ee1d5b45875d8d78e3864a8ac0356bcddfa07a06e9daa4f31b94

SHA512
c26b5879efcd2d61672ab0b309e64ebefbbfc6de1298dae9ff39042e7d5291bfa2646740fcd3f20c40db62ac5e05664fd6c63ed556ae2cbd4c1d31d07b695213

Download Submit
memory/2392-1-0x00000000000E0000-0x0000000000116000-memory.dmp

Filesize
216KB

Download
memory/2392-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/2820-17-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-18-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2880-24-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2880-25-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/3064-12-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-8-0x0000000000E40000-0x0000000000E56000-memory.dmp

Filesize
88KB

Download
memory/3064-42-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-43-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing