xworm | 58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8

General

Target

58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe
Size

168KB
MD5

aee93634e5040dc2a7ae6ebc7e06b952
SHA1

41f2ab5f784252217a5c1516cd76dbffd67bbeac
SHA256

58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8
SHA512

673ed7d77a1b025c120f9e99bc81e857158420adc380094b620b62ce9c38daf8f7b11d9788d1861da0cff71285fba228f80f2c8a872589f47373eb126b65f06e
SSDEEP

3072:gwe+6Rkd+MisaP1JmK6Hw9hEgXEp1NDLfgAiKgD7fYtB2SOEQW40/mmo0ioiM:glbRFLsaPfmK6HwXDXsFglf7gya4tmB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

activities-mustang.gl.at.ply.gg:54756

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fe-5.dat	family_xworm
behavioral1/memory/1944-9-0x0000000001000000-0x0000000001016000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2720	powershell.exe
2772	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	X.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	X.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	X.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\X = "C:\\Users\\Admin\\AppData\\Roaming\\X.exe"	X.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2820	powershell.exe
2720	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	X.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1944	X.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1944	1520	58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe	30
PID 1520 wrote to memory of 1944	1520	58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe	30
PID 1520 wrote to memory of 1944	1520	58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe	30
PID 1944 wrote to memory of 2820	1944	X.exe	31
PID 1944 wrote to memory of 2820	1944	X.exe	31
PID 1944 wrote to memory of 2820	1944	X.exe	31
PID 1944 wrote to memory of 2720	1944	X.exe	33
PID 1944 wrote to memory of 2720	1944	X.exe	33
PID 1944 wrote to memory of 2720	1944	X.exe	33
PID 1944 wrote to memory of 2772	1944	X.exe	35
PID 1944 wrote to memory of 2772	1944	X.exe	35
PID 1944 wrote to memory of 2772	1944	X.exe	35

C:\Users\Admin\AppData\Local\Temp\58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe
"C:\Users\Admin\AppData\Local\Temp\58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\X.exe
  "C:\Users\Admin\AppData\Local\Temp\X.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X.exe

Filesize
61KB

MD5
2c76b88a912c741f1404b400c1add578

SHA1
13d1b6d341d59aef6833a4123e22484ddb665183

SHA256
5178365164f71d22459d807a5ba61e8d50dd15a4adb4a00b08248c6f141f8074

SHA512
b8f8ae619f7cdf323c4f98e63bea5c3059886792b0c5a41df96a243811bf78df2fec45bf4b459e07c8c564ee2875852ac47eb3c3ad34cf70c8ba27c547163ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf616e3691d300f98dd10c476ba6817f

SHA1
b398dc9d5c9b4183be999ed55a352eb4ac2d0085

SHA256
e3b8e95031b4c9f28cd6ff89147432c9b599dc40b7af3130577a37f1ae715ad4

SHA512
d2aff8d21cbaf1a4fa621fe05cdba8900c2d1aba6415dabb2e9a8178b4033cfe4dbceb8bc1d9e5c6161589f0a792fdd64ea0e0f06cb669db8072f3afcf8d77c0

Download Submit
memory/1520-1-0x0000000001270000-0x00000000012A0000-memory.dmp

Filesize
192KB

Download
memory/1520-10-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1944-9-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/1944-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-39-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-38-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-37-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-24-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2720-23-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-17-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2820-16-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads