xworm | d87423760f97f5010d3589c0e7d5e704a698b4562b5d9de627b6d756a29cefe3

General

Target

Xeno.exe
Size

70KB
MD5

1edee495fc92dcfdbfb89c0202f87b29
SHA1

38d6c9154e066daa75d9a4f2346a1b7b7c84da2b
SHA256

d87423760f97f5010d3589c0e7d5e704a698b4562b5d9de627b6d756a29cefe3
SHA512

11709a00d0b5bb50b172344295c216f51a450d5e936fb15c5834a6a167d1ef75e1d510f94ff2105b87f41b1ff607843d4e365c056693e8b5a1d873bae013d1ac
SSDEEP

1536:mvdK/frfAdNtG6zJllzZ+bPsag6Ha3OqY7l:LEXQM+bPsWa3Oqul

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

20.ip.gl.ply.gg:53128

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/4604-1-0x0000000000340000-0x0000000000358000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3660	powershell.exe
4548	powershell.exe
2304	powershell.exe
4936	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Xeno.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Xeno.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	Xeno.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3660	powershell.exe
3660	powershell.exe
4548	powershell.exe
4548	powershell.exe
2304	powershell.exe
2304	powershell.exe
4936	powershell.exe
4936	powershell.exe
4604	Xeno.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	Xeno.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4604	Xeno.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	Xeno.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3660	4604	Xeno.exe	81
PID 4604 wrote to memory of 3660	4604	Xeno.exe	81
PID 4604 wrote to memory of 4548	4604	Xeno.exe	83
PID 4604 wrote to memory of 4548	4604	Xeno.exe	83
PID 4604 wrote to memory of 2304	4604	Xeno.exe	85
PID 4604 wrote to memory of 2304	4604	Xeno.exe	85
PID 4604 wrote to memory of 4936	4604	Xeno.exe	87
PID 4604 wrote to memory of 4936	4604	Xeno.exe	87

C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62862c234aa45215baf2be3846c4c1fb

SHA1
81c28873e8fa73ce6d2ac681b75389b6a9783884

SHA256
df63e2185b8070599c5f8df1a6ff3db6f67d3a4db6c48d6a871612d5a3b874a4

SHA512
21224c3b89bf6fae30b67b00414717c821fbef153dea575140b0a7da9ac5c0508e2451def9a43ac65321a5913049eb9096e5fc12e6c8fe71a3ee7607c991a539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
973f3e71e196e787fa3b44abd82106c7

SHA1
786fdc2193eed0302aecd96c16f1c289f002cba0

SHA256
24687924df6ce9cf12439e6a5143f9957345440f500ae00c15577587bbc4860c

SHA512
a963358649ea5a1726cce64bbfc03bbc99a391743f68e60ffa04648072bd0da883f9273a915375307c66028021a053554bdf49b367abc908da4cbe35d0138896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c0fe86517be16d2b0a671148c0274d2

SHA1
bd7a487a037395e9ede9e76b4a455fdf386ba8db

SHA256
5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302

SHA512
642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3tkponp.4nx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3660-11-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3660-13-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3660-14-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3660-17-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3660-18-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3660-12-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3660-10-0x0000015F75380000-0x0000015F753A2000-memory.dmp

Filesize
136KB

Download
memory/4604-0-0x00007FFF0BBF3000-0x00007FFF0BBF5000-memory.dmp

Filesize
8KB

Download
memory/4604-1-0x0000000000340000-0x0000000000358000-memory.dmp

Filesize
96KB

Download
memory/4604-54-0x00007FFF0BBF3000-0x00007FFF0BBF5000-memory.dmp

Filesize
8KB

Download
memory/4604-55-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download
memory/4604-56-0x00007FFF0BBF0000-0x00007FFF0C6B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads