xworm | 53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df

General

Target

SolaraBootstrapper.exe
Size

255KB
MD5

e03c1771945c884883a82704a93ca453
SHA1

78609d9940ec6e59db7961ec2ac859c68ce81186
SHA256

53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df
SHA512

ed063720d08c2cd8b674101b5d457795ec570fee19c1e0747fd708428f7b8ae9736cfc02ace2fdc0040cc15019163fa86fba22147c68d77fc22be95d3343ab6d
SSDEEP

3072:sH++bXekOTbSiLvAzII9x66AOag74srxxVfPWKvQIFY623:snbGCqONxTGqQI+62

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

23.ip.gl.ply.gg:7972

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000CA0000-0x0000000000CE6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
2844	powershell.exe
2552	powershell.exe
656	powershell.exe

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	SolaraBootstrapper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	SolaraBootstrapper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	SolaraBootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2744	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2644	powershell.exe
2844	powershell.exe
2552	powershell.exe
656	powershell.exe
2084	SolaraBootstrapper.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2084	SolaraBootstrapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	SolaraBootstrapper.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2644	2084	SolaraBootstrapper.exe	31
PID 2084 wrote to memory of 2644	2084	SolaraBootstrapper.exe	31
PID 2084 wrote to memory of 2644	2084	SolaraBootstrapper.exe	31
PID 2084 wrote to memory of 2844	2084	SolaraBootstrapper.exe	33
PID 2084 wrote to memory of 2844	2084	SolaraBootstrapper.exe	33
PID 2084 wrote to memory of 2844	2084	SolaraBootstrapper.exe	33
PID 2084 wrote to memory of 2552	2084	SolaraBootstrapper.exe	35
PID 2084 wrote to memory of 2552	2084	SolaraBootstrapper.exe	35
PID 2084 wrote to memory of 2552	2084	SolaraBootstrapper.exe	35
PID 2084 wrote to memory of 656	2084	SolaraBootstrapper.exe	37
PID 2084 wrote to memory of 656	2084	SolaraBootstrapper.exe	37
PID 2084 wrote to memory of 656	2084	SolaraBootstrapper.exe	37
PID 2084 wrote to memory of 2828	2084	SolaraBootstrapper.exe	40
PID 2084 wrote to memory of 2828	2084	SolaraBootstrapper.exe	40
PID 2084 wrote to memory of 2828	2084	SolaraBootstrapper.exe	40
PID 2828 wrote to memory of 2744	2828	cmd.exe	42
PID 2828 wrote to memory of 2744	2828	cmd.exe	42
PID 2828 wrote to memory of 2744	2828	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5283.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5283.tmp.bat

Filesize
170B

MD5
de2f5f9f592db3b083d929b9e1a917c0

SHA1
bb206196a3385ecce82bacd38835064ce6d7a1bf

SHA256
e227520390907fdcbdc82ffe87393b9790a9ea7bd49964d060418033ae3d9a7e

SHA512
8b0815d652625f5cd54674908b9ffa63ec49527935495a784681bb0a696d31df429f5a45c2df9f1a6d9dc095066f0588b906c33a3643957a49a5eaf8dfe86a26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e45915163652994ee2792af57bbf2463

SHA1
455408922e921d8ffa128391519b2336baca90e8

SHA256
0c4136e5b27d5183b8a8503af54ceede4126022af8a6def4db213343a714d0da

SHA512
4e79b1972ee42b9b4ccd8c69cdb6c30a9d4e9e8395a3a1c0bfc69513305bb4002ea9cccf1c3a8f77a6e994b8741e29acf502579a5cc989d8efd19fb0c3cc3d8f

Download Submit
memory/2084-1-0x0000000000CA0000-0x0000000000CE6000-memory.dmp

Filesize
280KB

Download
memory/2084-0-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/2084-33-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2084-32-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/2084-31-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2644-7-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2644-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2644-6-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2844-15-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2844-14-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads