xworm | 30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c

General

Target

30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe
Size

168KB
MD5

651429675c1d86cf068746159aa66b6d
SHA1

aad51d3448cb1e9f337a985ed840a0064d5699ee
SHA256

30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c
SHA512

397e2a05e8f3d45c04953998a09d76212b38e3dc9073be814cb3010ea94b00733d2557a6e5002b0a2401fb33d62908e794553a6afd31e45b0afe6987806272fb
SSDEEP

3072:gwe+6Rkd+MisaP1JmK6Hw9hEgXEp1NDLfgAiKgD7fYtB2SOEQW40/mmo0ioi:glbRFLsaPfmK6HwXDXsFglf7gya4tm

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

activities-mustang.gl.at.ply.gg:54756

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001202b-5.dat	family_xworm
behavioral1/memory/1948-9-0x0000000000BB0000-0x0000000000BC6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe
2404	powershell.exe
3064	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	X.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	X.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	X.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\X = "C:\\Users\\Admin\\AppData\\Roaming\\X.exe"	X.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2832	powershell.exe
2404	powershell.exe
3064	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	X.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1948	X.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1948	2440	30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe	30
PID 2440 wrote to memory of 1948	2440	30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe	30
PID 2440 wrote to memory of 1948	2440	30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe	30
PID 1948 wrote to memory of 2832	1948	X.exe	31
PID 1948 wrote to memory of 2832	1948	X.exe	31
PID 1948 wrote to memory of 2832	1948	X.exe	31
PID 1948 wrote to memory of 2404	1948	X.exe	33
PID 1948 wrote to memory of 2404	1948	X.exe	33
PID 1948 wrote to memory of 2404	1948	X.exe	33
PID 1948 wrote to memory of 3064	1948	X.exe	35
PID 1948 wrote to memory of 3064	1948	X.exe	35
PID 1948 wrote to memory of 3064	1948	X.exe	35

C:\Users\Admin\AppData\Local\Temp\30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe
"C:\Users\Admin\AppData\Local\Temp\30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\X.exe
  "C:\Users\Admin\AppData\Local\Temp\X.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064

Network

DNS

activities-mustang.gl.at.ply.gg

X.exe

Remote address:

8.8.8.8:53

Request

activities-mustang.gl.at.ply.gg

IN A

Response

activities-mustang.gl.at.ply.gg

IN A

147.185.221.22

147.185.221.22:54756

activities-mustang.gl.at.ply.gg

X.exe

152 B
3
147.185.221.22:54756

activities-mustang.gl.at.ply.gg

X.exe

152 B
3
147.185.221.22:54756

activities-mustang.gl.at.ply.gg

X.exe

152 B
3
147.185.221.22:54756

activities-mustang.gl.at.ply.gg

X.exe

152 B
3
147.185.221.22:54756

activities-mustang.gl.at.ply.gg

X.exe

152 B
3

8.8.8.8:53

activities-mustang.gl.at.ply.gg

dns

X.exe

77 B
93 B
1
1

DNS Request

activities-mustang.gl.at.ply.gg

DNS Response

147.185.221.22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X.exe

Filesize
61KB

MD5
2c76b88a912c741f1404b400c1add578

SHA1
13d1b6d341d59aef6833a4123e22484ddb665183

SHA256
5178365164f71d22459d807a5ba61e8d50dd15a4adb4a00b08248c6f141f8074

SHA512
b8f8ae619f7cdf323c4f98e63bea5c3059886792b0c5a41df96a243811bf78df2fec45bf4b459e07c8c564ee2875852ac47eb3c3ad34cf70c8ba27c547163ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
89fa1d8b9871d477c84e5f9bcbbe6d86

SHA1
8c035189576f24df117d86195a532dd1066f46b7

SHA256
5bda04710063063421b66626e89718ae6b8dc474011906124fdd50bbbc98c27a

SHA512
1257507e4a9181406929ee79add60bf82e03e2c4b9c535b77c47aa20a5e3c84264204d8b3e60cdaff7282f67fe76b0e89df9ff33188b0829743a07c53801b592

Download Submit
memory/1948-39-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-9-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

Filesize
88KB

Download
memory/1948-38-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-11-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-37-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-23-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-24-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2440-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2440-10-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-1-0x0000000000C90000-0x0000000000CC0000-memory.dmp

Filesize
192KB

Download
memory/2832-17-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2832-16-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.